diff --git a/website/data/security/errata.toml b/website/data/security/errata.toml
index 1614ad90a8..494f54d35d 100644
--- a/website/data/security/errata.toml
+++ b/website/data/security/errata.toml
@@ -1,1107 +1,1115 @@
# Sort errata notices by year, month and day
# $FreeBSD$
+[[notices]]
+name = "FreeBSD-EN-26:12.freebsd-update"
+date = "2026-05-01"
+
+[[notices]]
+name = "FreeBSD-EN-26:11.dhclient"
+date = "2026-05-01"
+
[[notices]]
name = "FreeBSD-EN-26:10.amd64"
date = "2026-04-29"
[[notices]]
name = "FreeBSD-EN-26:09.tzdata"
date = "2026-04-29"
[[notices]]
name = "FreeBSD-EN-26:08.pf"
date = "2026-04-29"
[[notices]]
name = "FreeBSD-EN-26:07.pkgbase"
date = "2026-04-21"
[[notices]]
name = "FreeBSD-EN-26:06.timerfd"
date = "2026-04-21"
[[notices]]
name = "FreeBSD-EN-26:05.vm"
date = "2026-04-21"
[[notices]]
name = "FreeBSD-EN-26:04.arm64"
date = "2026-02-10"
[[notices]]
name = "FreeBSD-EN-26:03.vm"
date = "2026-01-27"
[[notices]]
name = "FreeBSD-EN-26:02.arm64"
date = "2026-01-27"
[[notices]]
name = "FreeBSD-EN-26:01.devinfo"
date = "2026-01-27"
[[notices]]
name = "FreeBSD-EN-25:20.vmm"
date = "2025-12-16"
[[notices]]
name = "FreeBSD-EN-25:19.zfs"
date = "2025-12-16"
[[notices]]
name = "FreeBSD-EN-25:18.freebsd-update"
date = "2025-09-30"
[[notices]]
name = "FreeBSD-EN-25:17.bnxt"
date = "2025-09-16"
[[notices]]
name = "FreeBSD-EN-25:16.vfs"
date = "2025-09-16"
[[notices]]
name = "FreeBSD-EN-25:15.arm64"
date = "2025-09-16"
[[notices]]
name = "FreeBSD-EN-25:14.route"
date = "2025-08-08"
[[notices]]
name = "FreeBSD-EN-25:13.wlan_tkip"
date = "2025-08-08"
[[notices]]
name = "FreeBSD-EN-25:12.efi"
date = "2025-08-08"
[[notices]]
name = "FreeBSD-EN-25:11.ena"
date = "2025-07-02"
[[notices]]
name = "FreeBSD-EN-25:10.zfs"
date = "2025-07-02"
[[notices]]
name = "FreeBSD-EN-25:09.libc"
date = "2025-07-02"
[[notices]]
name = "FreeBSD-EN-25:08.caroot"
date = "2025-04-10"
[[notices]]
name = "FreeBSD-EN-25:07.openssl"
date = "2025-04-10"
[[notices]]
name = "FreeBSD-EN-25:06.daemon"
date = "2025-04-10"
[[notices]]
name = "FreeBSD-EN-25:05.expat"
date = "2025-04-10"
[[notices]]
name = "FreeBSD-EN-25:04.tzdata"
date = "2025-04-10"
[[notices]]
name = "FreeBSD-EN-25:03.tzdata"
date = "2025-01-29"
[[notices]]
name = "FreeBSD-EN-25:02.audit"
date = "2025-01-29"
[[notices]]
name = "FreeBSD-EN-25:01.rpc"
date = "2025-01-29"
[[notices]]
name = "FreeBSD-EN-24:17.pam_xdg"
date = "2024-10-29"
[[notices]]
name = "FreeBSD-EN-24:16.pf"
date = "2024-09-19"
[[notices]]
name = "FreeBSD-EN-24:15.calendar"
date = "2024-09-04"
[[notices]]
name = "FreeBSD-EN-24:14.ifconfig"
date = "2024-08-07"
[[notices]]
name = "FreeBSD-EN-24:13.libc++"
date = "2024-06-19"
[[notices]]
name = "FreeBSD-EN-24:12.killpg"
date = "2024-06-19"
[[notices]]
name = "FreeBSD-EN-24:11.ldns"
date = "2024-06-19"
[[notices]]
name = "FreeBSD-EN-24:10.zfs"
date = "2024-06-19"
[[notices]]
name = "FreeBSD-EN-24:09.zfs"
date = "2024-04-24"
[[notices]]
name = "FreeBSD-EN-24:08.kerberos"
date = "2024-03-28"
[[notices]]
name = "FreeBSD-EN-24:07.clang"
date = "2024-03-28"
[[notices]]
name = "FreeBSD-EN-24:06.wireguard"
date = "2024-03-28"
[[notices]]
name = "FreeBSD-EN-24:05.tty"
date = "2024-03-28"
[[notices]]
name = "FreeBSD-EN-24:04.ip"
date = "2024-02-14"
[[notices]]
name = "FreeBSD-EN-24:03.kqueue"
date = "2024-02-14"
[[notices]]
name = "FreeBSD-EN-24:02.libutil"
date = "2024-02-14"
[[notices]]
name = "FreeBSD-EN-24:01.tzdata"
date = "2024-02-14"
[[notices]]
name = "FreeBSD-EN-23:22.vfs"
date = "2023-12-05"
[[notices]]
name = "FreeBSD-EN-23:21.tty"
date = "2023-12-05"
[[notices]]
name = "FreeBSD-EN-23:20.vm"
date = "2023-12-05"
[[notices]]
name = "FreeBSD-EN-23:19.pkgbase"
date = "2023-12-05"
[[notices]]
name = "FreeBSD-EN-23:18.openzfs"
date = "2023-12-05"
[[notices]]
name = "FreeBSD-EN-23:17.ossl"
date = "2023-12-05"
[[notices]]
name = "FreeBSD-EN-23:16.openzfs"
date = "2023-12-01"
[[notices]]
name = "FreeBSD-EN-23:15.sanitizer"
date = "2023-12-01"
[[notices]]
name = "FreeBSD-EN-23:14.regcomp"
date = "2023-11-08"
[[notices]]
name = "FreeBSD-EN-23:13.freebsd-update"
date = "2023-11-08"
[[notices]]
name = "FreeBSD-EN-23:12.freebsd-update"
date = "2023-10-03"
[[notices]]
name = "FreeBSD-EN-23:11.caroot"
date = "2023-09-06"
[[notices]]
name = "FreeBSD-EN-23:10.pci"
date = "2023-09-06"
[[notices]]
name = "FreeBSD-EN-23:09.freebsd-update"
date = "2023-09-06"
[[notices]]
name = "FreeBSD-EN-23:08.vnet"
date = "2023-08-01"
[[notices]]
name = "FreeBSD-EN-23:07.mpr"
date = "2023-06-21"
[[notices]]
name = "FreeBSD-EN-23:06.loader"
date = "2023-06-21"
[[notices]]
name = "FreeBSD-EN-23:05.tzdata"
date = "2023-06-21"
[[notices]]
name = "FreeBSD-EN-23:04.ixgbe"
date = "2023-02-08"
[[notices]]
name = "FreeBSD-EN-23:03.ena"
date = "2023-02-08"
[[notices]]
name = "FreeBSD-EN-23:02.sdhci"
date = "2023-02-08"
[[notices]]
name = "FreeBSD-EN-23:01.tzdata"
date = "2023-02-08"
[[notices]]
name = "FreeBSD-EN-22:28.heimdal"
date = "2022-11-29"
[[notices]]
name = "FreeBSD-EN-22:27.loader"
date = "2022-11-01"
[[notices]]
name = "FreeBSD-EN-22:26.cam"
date = "2022-11-01"
[[notices]]
name = "FreeBSD-EN-22:25.tcp"
date = "2022-11-01"
[[notices]]
name = "FreeBSD-EN-22:24.zfs"
date = "2022-11-01"
[[notices]]
name = "FreeBSD-EN-22:23.vm"
date = "2022-11-01"
[[notices]]
name = "FreeBSD-EN-22:22.tzdata"
date = "2022-11-01"
[[notices]]
name = "FreeBSD-EN-22:21.zfs"
date = "2022-11-01"
[[notices]]
name = "FreeBSD-EN-22:20.tzdata"
date = "2022-08-30"
[[notices]]
name = "FreeBSD-EN-22:19.pam_exec"
date = "2022-08-09"
[[notices]]
name = "FreeBSD-EN-22:18.wifi"
date = "2022-08-09"
[[notices]]
name = "FreeBSD-EN-22:17.cam"
date = "2022-08-09"
[[notices]]
name = "FreeBSD-EN-22:16.kqueue"
date = "2022-08-09"
[[notices]]
name = "FreeBSD-EN-22:15.pf"
date = "2022-04-06"
[[notices]]
name = "FreeBSD-EN-22:14.tzdata"
date = "2022-03-22"
[[notices]]
name = "FreeBSD-EN-22:13.zfs"
date = "2022-03-21"
[[notices]]
name = "FreeBSD-EN-22:12.zfs"
date = "2022-03-15"
[[notices]]
name = "FreeBSD-EN-22:11.zfs"
date = "2022-03-15"
[[notices]]
name = "FreeBSD-EN-22:10.zfs"
date = "2022-03-15"
[[notices]]
name = "FreeBSD-EN-22:09.freebsd-update"
date = "2022-03-15"
[[notices]]
name = "FreeBSD-EN-22:08.i386"
date = "2022-02-01"
[[notices]]
name = "FreeBSD-EN-22:07.la57"
date = "2022-02-01"
[[notices]]
name = "FreeBSD-EN-22:06.libalias"
date = "2022-01-11"
[[notices]]
name = "FreeBSD-EN-22:05.tail"
date = "2022-01-11"
[[notices]]
name = "FreeBSD-EN-22:04.pcid"
date = "2022-01-11"
[[notices]]
name = "FreeBSD-EN-22:03.hyperv"
date = "2022-01-11"
[[notices]]
name = "FreeBSD-EN-22:02.xsave"
date = "2022-01-11"
[[notices]]
name = "FreeBSD-EN-22:01.fsck_ffs"
date = "2022-01-11"
[[notices]]
name = "FreeBSD-EN-21:29.tzdata"
date = "2021-11-03"
[[notices]]
name = "FreeBSD-EN-21:28.vmci"
date = "2021-11-03"
[[notices]]
name = "FreeBSD-EN-21:27.caroot"
date = "2021-11-03"
[[notices]]
name = "FreeBSD-EN-21:26.libevent"
date = "2021-11-03"
[[notices]]
name = "FreeBSD-EN-21:25.bhyve"
date = "2021-08-24"
[[notices]]
name = "FreeBSD-EN-21:24.libcrypto"
date = "2021-08-24"
[[notices]]
name = "FreeBSD-EN-21:23.virtio_blk"
date = "2021-08-24"
[[notices]]
name = "FreeBSD-EN-21:22.linux_futex"
date = "2021-06-29"
[[notices]]
name = "FreeBSD-EN-21:21.ipfw"
date = "2021-06-29"
[[notices]]
name = "FreeBSD-EN-21:20.vlan"
date = "2021-06-29"
[[notices]]
name = "FreeBSD-EN-21:19.libcasper"
date = "2021-06-29"
[[notices]]
name = "FreeBSD-EN-21:18.libc++"
date = "2021-06-29"
[[notices]]
name = "FreeBSD-EN-21:17.libradius"
date = "2021-06-01"
[[notices]]
name = "FreeBSD-EN-21:16.bc"
date = "2021-05-26"
[[notices]]
name = "FreeBSD-EN-21:15.virtio"
date = "2021-05-26"
[[notices]]
name = "FreeBSD-EN-21:14.pms"
date = "2021-05-26"
[[notices]]
name = "FreeBSD-EN-21:13.mpt"
date = "2021-05-26"
[[notices]]
name = "FreeBSD-EN-21:12.divert"
date = "2021-05-26"
[[notices]]
name = "FreeBSD-EN-21:11.aesni"
date = "2021-05-26"
[[notices]]
name = "FreeBSD-EN-21:10.lldb"
date = "2021-04-06"
[[notices]]
name = "FreeBSD-EN-21:09.pf"
date = "2021-04-06"
[[notices]]
name = "FreeBSD-EN-21:08.freebsd-update"
date = "2021-02-24"
[[notices]]
name = "FreeBSD-EN-21:07.caroot"
date = "2021-02-24"
[[notices]]
name = "FreeBSD-EN-21:06.microcode"
date = "2021-02-24"
[[notices]]
name = "FreeBSD-EN-21:05.libatomic"
date = "2021-01-29"
[[notices]]
name = "FreeBSD-EN-21:04.zfs"
date = "2021-01-29"
[[notices]]
name = "FreeBSD-EN-21:03.vnet"
date = "2021-01-29"
[[notices]]
name = "FreeBSD-EN-21:02.extattr"
date = "2021-01-29"
[[notices]]
name = "FreeBSD-EN-21:01.tzdata"
date = "2021-01-29"
[[notices]]
name = "FreeBSD-EN-20:22.callout"
date = "2020-12-01"
[[notices]]
name = "FreeBSD-EN-20:21.ipfw"
date = "2020-12-01"
[[notices]]
name = "FreeBSD-EN-20:20.tzdata"
date = "2020-12-01"
[[notices]]
name = "FreeBSD-EN-20:19.audit"
date = "2020-12-01"
[[notices]]
name = "FreeBSD-EN-20:18.getfsstat"
date = "2020-09-02"
[[notices]]
name = "FreeBSD-EN-20:17.linuxthread"
date = "2020-09-02"
[[notices]]
name = "FreeBSD-EN-20:16.vmx"
date = "2020-08-05"
[[notices]]
name = "FreeBSD-EN-20:15.mps"
date = "2020-07-08"
[[notices]]
name = "FreeBSD-EN-20:14.linuxkpi"
date = "2020-07-08"
[[notices]]
name = "FreeBSD-EN-20:13.bhyve"
date = "2020-07-08"
[[notices]]
name = "FreeBSD-EN-20:12.iflib"
date = "2020-06-09"
[[notices]]
name = "FreeBSD-EN-20:11.ena"
date = "2020-06-09"
[[notices]]
name = "FreeBSD-EN-20:10.build"
date = "2020-05-12"
[[notices]]
name = "FreeBSD-EN-20:09.igb"
date = "2020-05-12"
[[notices]]
name = "FreeBSD-EN-20:08.tzdata"
date = "2020-05-12"
[[notices]]
name = "FreeBSD-EN-20:07.quotad"
date = "2020-04-21"
[[notices]]
name = "FreeBSD-EN-20:06.ipv6"
date = "2020-03-19"
[[notices]]
name = "FreeBSD-EN-20:05.mlx5en"
date = "2020-03-19"
[[notices]]
name = "FreeBSD-EN-20:04.pfctl"
date = "2020-03-19"
[[notices]]
name = "FreeBSD-EN-20:03.sshd"
date = "2020-03-19"
[[notices]]
name = "FreeBSD-EN-20:02.nmount"
date = "2020-01-28"
[[notices]]
name = "FreeBSD-EN-20:01.ssp"
date = "2020-01-28"
[[notices]]
name = "FreeBSD-EN-19:19.loader"
date = "2019-11-12"
[[notices]]
name = "FreeBSD-EN-19:18.tzdata"
date = "2019-10-23"
[[notices]]
name = "FreeBSD-EN-19:17.ipfw"
date = "2019-08-20"
[[notices]]
name = "FreeBSD-EN-19:16.bhyve"
date = "2019-08-20"
[[notices]]
name = "FreeBSD-EN-19:15.libunwind"
date = "2019-08-06"
[[notices]]
name = "FreeBSD-EN-19:14.epoch"
date = "2019-08-06"
[[notices]]
name = "FreeBSD-EN-19:13.mds"
date = "2019-07-24"
[[notices]]
name = "FreeBSD-EN-19:12.tzdata"
date = "2019-07-02"
[[notices]]
name = "FreeBSD-EN-19:11.net"
date = "2019-06-19"
[[notices]]
name = "FreeBSD-EN-19:10.scp"
date = "2019-05-14"
[[notices]]
name = "FreeBSD-EN-19:09.xinstall"
date = "2019-05-14"
[[notices]]
name = "FreeBSD-EN-19:08.tzdata"
date = "2019-05-14"
[[notices]]
name = "FreeBSD-EN-19:07.lle"
date = "2019-02-05"
[[notices]]
name = "FreeBSD-EN-19:06.dtrace"
date = "2019-02-05"
[[notices]]
name = "FreeBSD-EN-19:05.kqueue"
date = "2019-01-09"
[[notices]]
name = "FreeBSD-EN-19:04.tzdata"
date = "2019-01-09"
[[notices]]
name = "FreeBSD-EN-19:03.sqlite"
date = "2019-01-09"
[[notices]]
name = "FreeBSD-EN-19:02.tcp"
date = "2019-01-09"
[[notices]]
name = "FreeBSD-EN-19:01.cc_cubic"
date = "2019-01-09"
[[notices]]
name = "FreeBSD-EN-18:18.zfs"
date = "2018-12-19"
[[notices]]
name = "FreeBSD-EN-18:17.vm"
date = "2018-12-19"
[[notices]]
name = "FreeBSD-EN-18:16.ptrace"
date = "2018-12-19"
[[notices]]
name = "FreeBSD-EN-18:15.loader"
date = "2018-11-27"
[[notices]]
name = "FreeBSD-EN-18:14.tzdata"
date = "2018-11-27"
[[notices]]
name = "FreeBSD-EN-18:13.icmp"
date = "2018-11-27"
[[notices]]
name = "FreeBSD-EN-18:12.mem"
date = "2018-09-27"
[[notices]]
name = "FreeBSD-EN-18:11.listen"
date = "2018-09-27"
[[notices]]
name = "FreeBSD-EN-18:10.syscall"
date = "2018-09-27"
[[notices]]
name = "FreeBSD-EN-18:09.ip"
date = "2018-09-27"
[[notices]]
name = "FreeBSD-EN-18:08.lazyfpu"
date = "2018-09-12"
[[notices]]
name = "FreeBSD-EN-18:07.pmap"
date = "2018-06-21"
[[notices]]
name = "FreeBSD-EN-18:06.tzdata"
date = "2018-05-08"
[[notices]]
name = "FreeBSD-EN-18:05.mem"
date = "2018-05-08"
[[notices]]
name = "FreeBSD-EN-18:04.mem"
date = "2018-04-04"
[[notices]]
name = "FreeBSD-EN-18:03.tzdata"
date = "2018-04-04"
[[notices]]
name = "FreeBSD-EN-18:02.file"
date = "2018-03-07"
[[notices]]
name = "FreeBSD-EN-18:01.tzdata"
date = "2018-03-07"
[[notices]]
name = "FreeBSD-EN-17:09.tzdata"
date = "2017-11-02"
[[notices]]
name = "FreeBSD-EN-17:08.pf"
date = "2017-08-10"
[[notices]]
name = "FreeBSD-EN-17:07.vnet"
date = "2017-08-10"
[[notices]]
name = "FreeBSD-EN-17:06.hyperv"
date = "2017-07-12"
[[notices]]
name = "FreeBSD-EN-17:05.xen"
date = "2017-04-12"
[[notices]]
name = "FreeBSD-EN-17:04.mandoc"
date = "2017-02-23"
[[notices]]
name = "FreeBSD-EN-17:03.hyperv"
date = "2017-02-23"
[[notices]]
name = "FreeBSD-EN-17:02.yp"
date = "2017-02-23"
[[notices]]
name = "FreeBSD-EN-17:01.pcie"
date = "2017-02-23"
[[notices]]
name = "FreeBSD-EN-16:21.localedef"
date = "2016-12-06"
[[notices]]
name = "FreeBSD-EN-16:20.tzdata"
date = "2016-12-06"
[[notices]]
name = "FreeBSD-EN-16:19.tzcode"
date = "2016-12-06"
[[notices]]
name = "FreeBSD-EN-16:18.loader"
date = "2016-10-25"
[[notices]]
name = "FreeBSD-EN-16:17.vm"
date = "2016-10-25"
[[notices]]
name = "FreeBSD-EN-16:16.hv_storvsc"
date = "2016-08-12"
[[notices]]
name = "FreeBSD-EN-16:15.vmbus"
date = "2016-08-12"
[[notices]]
name = "FreeBSD-EN-16:14.hv_storvsc"
date = "2016-08-12"
[[notices]]
name = "FreeBSD-EN-16:13.vmbus"
date = "2016-08-12"
[[notices]]
name = "FreeBSD-EN-16:12.hv_storvsc"
date = "2016-08-12"
[[notices]]
name = "FreeBSD-EN-16:11.vmbus"
date = "2016-08-12"
[[notices]]
name = "FreeBSD-EN-16:10.dhclient"
date = "2016-08-12"
[[notices]]
name = "FreeBSD-EN-16:09.freebsd-update"
date = "2016-07-25"
[[notices]]
name = "FreeBSD-EN-16:08.zfs"
date = "2016-05-04"
[[notices]]
name = "FreeBSD-EN-16:07.ipi"
date = "2016-05-04"
[[notices]]
name = "FreeBSD-EN-16:06.libc"
date = "2016-05-04"
[[notices]]
name = "FreeBSD-EN-16:05.hv_netvsc"
date = "2016-03-16"
[[notices]]
name = "FreeBSD-EN-16:04.hyperv"
date = "2016-03-16"
[[notices]]
name = "FreeBSD-EN-16:03.yplib"
date = "2016-01-14"
[[notices]]
name = "FreeBSD-EN-16:02.pf"
date = "2016-01-14"
[[notices]]
name = "FreeBSD-EN-16:01.filemon"
date = "2016-01-14"
[[notices]]
name = "FreeBSD-EN-15:20.vm"
date = "2015-11-04"
[[notices]]
name = "FreeBSD-EN-15:19.kqueue"
date = "2015-11-04"
[[notices]]
name = "FreeBSD-EN-15:18.pkg"
date = "2015-09-16"
[[notices]]
name = "FreeBSD-EN-15:17.libc"
date = "2015-09-16"
[[notices]]
name = "FreeBSD-EN-15:16.pw"
date = "2015-09-16"
[[notices]]
name = "FreeBSD-EN-15:15.pkg"
date = "2015-08-25"
[[notices]]
name = "FreeBSD-EN-15:14.ixgbe"
date = "2015-08-25"
[[notices]]
name = "FreeBSD-EN-15:13.vidcontrol"
date = "2015-08-18"
[[notices]]
name = "FreeBSD-EN-15:12.netstat"
date = "2015-08-18"
[[notices]]
name = "FreeBSD-EN-15:11.toolchain"
date = "2015-08-18"
[[notices]]
name = "FreeBSD-EN-15:10.iconv"
date = "2015-06-30"
[[notices]]
name = "FreeBSD-EN-15:09.xlocale"
date = "2015-06-30"
[[notices]]
name = "FreeBSD-EN-15:08.sendmail"
date = "2015-06-18"
[[notices]]
name = "FreeBSD-EN-15:07.zfs"
date = "2015-06-09"
[[notices]]
name = "FreeBSD-EN-15:06.file"
date = "2015-06-09"
[[notices]]
name = "FreeBSD-EN-15:05.ufs"
date = "2015-05-13"
[[notices]]
name = "FreeBSD-EN-15:04.freebsd-update"
date = "2015-05-13"
[[notices]]
name = "FreeBSD-EN-15:03.freebsd-update"
date = "2015-02-25"
[[notices]]
name = "FreeBSD-EN-15:02.openssl"
date = "2015-02-25"
[[notices]]
name = "FreeBSD-EN-15:01.vt"
date = "2015-02-25"
[[notices]]
name = "FreeBSD-EN-14:13.freebsd-update"
date = "2014-12-23"
[[notices]]
name = "FreeBSD-EN-14:12.zfs"
date = "2014-11-04"
[[notices]]
name = "FreeBSD-EN-14:11.crypt"
date = "2014-10-22"
[[notices]]
name = "FreeBSD-EN-14:10.tzdata"
date = "2014-10-22"
[[notices]]
name = "FreeBSD-EN-14:09.jail"
date = "2014-07-08"
[[notices]]
name = "FreeBSD-EN-14:08.heimdal"
date = "2014-06-24"
[[notices]]
name = "FreeBSD-EN-14:07.pmap"
date = "2014-06-24"
[[notices]]
name = "FreeBSD-EN-14:06.exec"
date = "2014-06-03"
[[notices]]
name = "FreeBSD-EN-14:05.ciss"
date = "2014-05-13"
[[notices]]
name = "FreeBSD-EN-14:04.kldxref"
date = "2014-05-13"
[[notices]]
name = "FreeBSD-EN-14:03.pkg"
date = "2014-05-13"
[[notices]]
name = "FreeBSD-EN-14:02.mmap"
date = "2014-01-14"
[[notices]]
name = "FreeBSD-EN-14:01.random"
date = "2014-01-14"
[[notices]]
name = "FreeBSD-EN-13:05.freebsd-update"
date = "2013-11-28"
[[notices]]
name = "FreeBSD-EN-13:04.freebsd-update"
date = "2013-10-26"
[[notices]]
name = "FreeBSD-EN-13:03.mfi"
date = "2013-08-22"
[[notices]]
name = "FreeBSD-EN-13:01.fxp"
date = "2013-06-28"
[[notices]]
name = "FreeBSD-EN-13:02.vtnet"
date = "2013-06-28"
[[notices]]
name = "FreeBSD-EN-12:02.ipv6refcount"
date = "2012-06-12"
[[notices]]
name = "FreeBSD-EN-12:01.freebsd-update"
date = "2012-01-04"
[[notices]]
name = "FreeBSD-EN-10:02.sched_ule"
date = "2010-02-27"
[[notices]]
name = "FreeBSD-EN-10:01.freebsd"
date = "2010-01-06"
[[notices]]
name = "FreeBSD-EN-09:05.null"
date = "2009-10-02"
[[notices]]
name = "FreeBSD-EN-09:04.fork"
date = "2009-06-24"
[[notices]]
name = "FreeBSD-EN-09:03.fxp"
date = "2009-06-24"
[[notices]]
name = "FreeBSD-EN-09:02.bce"
date = "2009-06-24"
[[notices]]
name = "FreeBSD-EN-09:01.kenv"
date = "2009-03-23"
[[notices]]
name = "FreeBSD-EN-08:02.tcp"
date = "2008-06-19"
[[notices]]
name = "FreeBSD-EN-08:01.libpthread"
date = "2008-04-17"
[[notices]]
name = "FreeBSD-EN-07:05.freebsd-update"
date = "2007-03-15"
[[notices]]
name = "FreeBSD-EN-07:04.zoneinfo"
date = "2007-02-28"
[[notices]]
name = "FreeBSD-EN-07:03.rc.d_jail"
date = "2007-02-28"
[[notices]]
name = "FreeBSD-EN-07:02.net"
date = "2007-02-28"
[[notices]]
name = "FreeBSD-EN-07:01.nfs"
date = "2007-02-14"
[[notices]]
name = "FreeBSD-EN-06:02.net"
date = "2006-08-28"
[[notices]]
name = "FreeBSD-EN-06:01.jail"
date = "2006-07-07"
[[notices]]
name = "FreeBSD-EN-05:04.nfs"
date = "2005-12-19"
[[notices]]
name = "FreeBSD-EN-05:03.ipi"
date = "2005-01-16"
[[notices]]
name = "FreeBSD-EN-05:02.sk"
date = "2005-01-06"
[[notices]]
name = "FreeBSD-EN-05:01.nfs"
date = "2005-01-05"
[[notices]]
name = "FreeBSD-EN-04:01.twe"
date = "2004-06-28"
diff --git a/website/static/security/advisories/FreeBSD-EN-26:11.dhclient.asc b/website/static/security/advisories/FreeBSD-EN-26:11.dhclient.asc
new file mode 100644
index 0000000000..153379010a
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-26:11.dhclient.asc
@@ -0,0 +1,156 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-26:11.dhclient Errata Notice
+ The FreeBSD Project
+
+Topic: dhclient(8) lease validation is too strict
+
+Category: core
+Module: dhclient
+Announced: 2026-05-01
+Affects: All supported versions of FreeBSD.
+Corrected: 2026-04-30 21:07:00 UTC (stable/15, 15.0-STABLE)
+ 2026-05-01 15:08:46 UTC (releng/15.0, 15.0-RELEASE-p8)
+ 2026-04-30 21:07:11 UTC (stable/14, 14.4-STABLE)
+ 2026-05-01 15:08:37 UTC (releng/14.4, 14.4-RELEASE-p4)
+ 2026-05-01 15:08:30 UTC (releng/14.3, 14.3-RELEASE-p13)
+ 2026-04-30 21:07:24 UTC (stable/13, 13.5-STABLE)
+ 2026-05-01 15:08:19 UTC (releng/13.5, 13.5-RELEASE-p14)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+.
+
+Note: While FreeBSD 13.5 is end of life (EOL) as of May 1st, 2026, the
+Security Team has decided to patch this issue as it was identified and a fix
+was in-flight before the EOL date.
+
+I. Background
+
+dhclient(8) is the default IPv4 DHCP client used on FreeBSD. It is
+responsible for contacting DHCP servers on a network segment and for
+initialising and configuring network interfaces based on received
+information.
+
+When processing a DHCP offer, dhclient passes various parameters provided by
+the server to dhclient-script(8). DHCP options, as documented in
+dhcp-options(5), are passed via the environment.
+
+II. Problem Description
+
+The patch for FreeBSD-SA-26:15.dhclient introduced some validation of the
+boot file DHCP option to prevent unescaped values from being written to the
+stored lease file. This validation is overly strict and rejects Windows
+paths.
+
+III. Impact
+
+The overly strict validation may cause dhclient(8) to reject valid leases.
+
+IV. Workaround
+
+No workaround is available. Systems not running dhclient(8) are not
+affected.
+
+V. Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your system installed from base system packages:
+
+Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
+platforms, which were installed using base system packages, can be updated
+via the pkg(8) utility:
+
+# pkg upgrade -r FreeBSD-base
+
+2) To update your system installed from binary distribution sets:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, which were not installed using base
+system packages, can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+3) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-26:11/dhclient.patch
+# fetch https://security.FreeBSD.org/patches/EN-26:11/dhclient.patch.asc
+# gpg --verify dhclient.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in .
+
+Restart the applicable daemons, or reboot the system.
+
+VI. Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/15/ 252f603d1704 stable/15-n283453
+releng/15.0/ dc8762cfb6e2 releng/15.0-n281035
+stable/14/ 2f9478ad42c4 stable/14-n274094
+releng/14.4/ dfcb69cdb07e releng/14.4-n273699
+releng/14.3/ 5bad905eb37f releng/14.3-n271499
+stable/13/ b1ece85741db stable/13-n259871
+releng/13.5/ b362b6b6c8f2 releng/13.5-n259221
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+
+
+The latest revision of this advisory is available at
+
+-----BEGIN PGP SIGNATURE-----
+
+iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmn0xiAbFIAAAAAABAAO
+bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvJnEQAJ8ZYWjGt7iYjMkOZiM1
+I7NLl7RygvIWU25ThAOXlA7zPA7LbS23+nca4QlNdvTVkpcfsCrmxhJYY4ymkZh7
+QuEVDEp20n02S7362S9kCpmp3NDXQvuCPNt8zRel4ek3u/b8/9KCASL1jN+1eSgR
+G8ZVWVheRzKgsaYJsDIyX0AjNk41gQk8ASYoWjeIk5F14kFk3ozlfJTrBL2XlOuL
+J28P47d5lEgU2x04xLSZF9xQrF1I13XZa8pMtogF3aveTXXVzHDJFZIcppu0uQYY
+tp9uvyQ6NnzNPBXWztVCJ+eRdxS4RLp3Dp3U9/3GrqVuCfG8BO7kE5OhcjO0EPVC
+lmvXBJLqQnsodEQA0BysAsMxlMcw+n6z0np2DFdFCkyLrPCx3Bm+D/WRLngRcp4s
++FBIgoF+ywUXVwLRkVJeCsQJTNzVhneq8rtcfE6LdJoIgW/oOUyNEJTBpgvhXmz6
+/pmW47cmNY+CFWCXAL/7fLZVX1dYvEpSn+Iqqs8Efr2OFfQqRXZunJXNXnKuMtfT
+p82Hl////cHObQSqlI95J5yJmdBzOxlpzHTwSLVTD5SfvAcN3PzN3hRhFFqG8lg5
+HV64Fu1xPqLX1mthTw1Sbng5mTUL+MJ5BN26M+UevYZBi02m5nMUyjWH+D4Bn3RS
+gajZ9Z16VPgdlPsNPihqsx7k
+=Ro3y
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-EN-26:12.freebsd-update.asc b/website/static/security/advisories/FreeBSD-EN-26:12.freebsd-update.asc
new file mode 100644
index 0000000000..53fc1f3c48
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-26:12.freebsd-update.asc
@@ -0,0 +1,177 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-26:12.freebsd-update Errata Notice
+ The FreeBSD Project
+
+Topic: Source inconsistency between freebsd-update, EN/SAs, and git
+
+Category: core
+Module: freebsd-update
+Announced: 2026-05-01
+Affects: All supported versions of FreeBSD.
+Corrected: 2026-05-01 15:08:47 UTC (releng/15.0, 15.0-RELEASE-p8)
+ 2026-05-01 15:08:38 UTC (releng/14.4, 14.4-RELEASE-p4)
+ 2026-05-01 15:08:31 UTC (releng/14.3, 14.3-RELEASE-p13)
+ 2026-05-01 15:08:20 UTC (releng/13.5, 13.5-RELEASE-p14)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+.
+
+Note: While FreeBSD 13.5 is end of life (EOL) as of May 1st, 2026, the
+Security Team has decided to patch this issue as it was identified and a fix
+was in-flight before the EOL date.
+
+I. Background
+
+The FreeBSD Security Team distributes patches for supported releases via the
+git version control system, as patches link through errata and advisories,
+and through the freebsd-update binary update system.
+
+Both freebsd-update and the errata/advisories do not directly use the
+authoritative git repo but instead rely on individual patch files.
+
+II. Problem Description
+
+Due to the manual nature of patch file development and management, there are
+instances where either a freebsd-update maintained machine or a patched
+source tree from errata/advisories have become out of sync with the
+authoritative git repository.
+
+Specifically, an earlier version of the patch associated with SA-26:11.amd64
+was distributed via freebsd-update. The source patch linked in the advisory
+did match the source in git.
+
+Additionally, patches distributed via freebsd-update and errata/advisories
+are occasionally missing test or non-material ancillary files to minimize
+patch size and improve compatibility across releases, causing an additional
+source of drift from the authoritative git respository.
+
+Pkgbase is unaffected as it directly builds from the authoritative git
+repository.
+
+III. Impact
+
+As a result of this drift, the FreeBSD Security Team has changed the
+freebsd-update build mechanism to retrieve source directly from the
+authoritative git respository. This has caused a binary update to rectify the
+SA-26:11.amd64 issue as well as alter a few additional files that have been
+updated in git but were not distributed via freebsd-update.
+
+IV. Workaround
+
+No workaround is available. Systems using pkgbase or building directly from
+source obtained from the authoritative git repository are unaffected.
+
+V. Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date and reboot the system.
+
+Perform one of the following:
+
+1) If your system is installed from base system packages:
+
+No update is needed as pkgbase is not affected by this issue.
+
+2) To update your system installed from binary distribution sets:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, which were not installed using base
+system packages, can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a system update"
+
+3) To update your system via a source code patch:
+
+The following patches are only intended to be used for source trees have been
+maintained with patches linked by previous EN/SAs.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 15.0]
+# fetch https://security.FreeBSD.org/patches/EN-26:12/ensa-150.patch
+# fetch https://security.FreeBSD.org/patches/EN-26:12/ensa-150.patch.asc
+# gpg --verify ensa-150.patch.asc
+
+[FreeBSD 14.4]
+# fetch https://security.FreeBSD.org/patches/EN-26:12/ensa-144.patch
+# fetch https://security.FreeBSD.org/patches/EN-26:12/ensa-144.patch.asc
+# gpg --verify ensa-144.patch.asc
+
+[FreeBSD 14.3]
+# fetch https://security.FreeBSD.org/patches/EN-26:12/ensa-143.patch
+# fetch https://security.FreeBSD.org/patches/EN-26:12/ensa-143.patch.asc
+# gpg --verify ensa-143.patch.asc
+
+[FreeBSD 13.5]
+# fetch https://security.FreeBSD.org/patches/EN-26:12/ensa-135.patch
+# fetch https://security.FreeBSD.org/patches/EN-26:12/ensa-135.patch.asc
+# gpg --verify ensa-135.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in .
+
+Reboot the system.
+
+VI. Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+releng/15.0/ 53054229dcb3 releng/15.0-n281036
+releng/14.4/ 49be56ed6fea releng/14.4-n273700
+releng/14.3/ 4f4b48e8a547 releng/14.3-n271500
+releng/13.5/ 2e6399fe39b3 releng/13.5-n259222
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+
+
+The latest revision of this advisory is available at
+
+-----BEGIN PGP SIGNATURE-----
+
+iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmn0xicbFIAAAAAABAAO
+bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrv//EP/jc0GG1wu9K9TdzGWn4m
+F74a1Gstl13HdTilFhNbF+iQtcuEui4QyBNgy2O7XG1kRsbCYQDN32BzbZl+VhmY
+kBzUO+jRANPQ3J8cReMeyE2sg2jTAqtioKrbMtXqCNB7peC2AekWLSXrWQA99+qO
+qQ/rWW6zCnYWhsiX4fPfVbxw8PS4jdBriOxeBU7gBAQ8lQmdHW5A1hnW2ZzKWWDF
+8m6MuyI4yiA+eDGzkHHn8WetWOgZrbbpFa5H7upYmpSX8jcIlivHqW0j+RMpWG9Z
+UPIcD26dmbw423BNXXxy9SSUWF6fwlNaWzAaPxT9rpVE2kgeP8QbEhPRvTxQ95CJ
+PwVASKSfJ5tMSzZpxl5Vp3U5OyanvpBoFVIj/2tlsAcRm9ywXiqS4HLS1CY67uwb
+G7NkMO8oteO0ZPgXS5sLLGnMlfl/tkhG440tH8UKtWMRXzrXP6sLBwuk3v7RQxN0
+XZHPM4sBA7b8aIi0VKcNR5yby1xDFnI+fdRUT9ILmG8OCijmowFE0fknY78kzmr7
+HF1CRelNU3Wy5hlt6Q5MAY87E5Piw2TU0QY7AZU6eZeb0qLIFsUwVawDATvsqias
+C3RJ9OWSwJTCaUNjwCvwX+1miwfjqLCE30ze0qzZ6NcF67qQBc1pIMUg0HCWkS3E
+rhVyscH7IOUNqCLG9uBCXKL5
+=TZ6g
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/EN-26:11/dhclient.patch b/website/static/security/patches/EN-26:11/dhclient.patch
new file mode 100644
index 0000000000..c4f4a88d9a
--- /dev/null
+++ b/website/static/security/patches/EN-26:11/dhclient.patch
@@ -0,0 +1,112 @@
+--- sbin/dhclient/dhclient.c.orig
++++ sbin/dhclient/dhclient.c
+@@ -1161,7 +1161,7 @@
+ lease = malloc(sizeof(struct client_lease));
+
+ if (!lease) {
+- warning("dhcpoffer: no memory to record lease.");
++ warning("dhcpoffer: no memory to record lease");
+ return (NULL);
+ }
+
+@@ -1211,7 +1211,7 @@
+
+ /* If the server name was filled out, copy it.
+ Do not attempt to validate the server name as a host name.
+- RFC 2131 merely states that sname is NUL-terminated (which do
++ RFC 2131 merely states that sname is NUL-terminated (which we
+ do not assume) and that it is the server's host name. Since
+ the ISC client and server allow arbitrary characters, we do
+ as well. */
+@@ -1219,39 +1219,72 @@
+ !(packet->options[DHO_DHCP_OPTION_OVERLOAD].data[0] & 2)) &&
+ packet->raw->sname[0]) {
+ lease->server_name = malloc(DHCP_SNAME_LEN + 1);
+- if (!lease->server_name) {
+- warning("dhcpoffer: no memory for server name.");
++ if (lease->server_name == NULL) {
++ warning("dhcpoffer: no memory for server name");
+ free_client_lease(lease);
+ return (NULL);
+ }
+- memcpy(lease->server_name, packet->raw->sname, DHCP_SNAME_LEN);
+- lease->server_name[DHCP_SNAME_LEN]='\0';
+- if (strchr(lease->server_name, '"') != NULL ||
+- strchr(lease->server_name, '\\') != NULL) {
+- warning("dhcpoffer: server name contains invalid characters.");
+- free_client_lease(lease);
+- return (NULL);
++ for (i = 0; i < DHCP_SNAME_LEN; i++) {
++ if (packet->raw->sname[i] == '\0') {
++ break;
++ }
++ if (packet->raw->sname[i] < ' ' ||
++ packet->raw->sname[i] == '"' ||
++ packet->raw->sname[i] == '\\') {
++ warning("dhcpoffer: server name contains "
++ "unsafe characters");
++ free(lease->server_name);
++ lease->server_name = NULL;
++ break;
++ }
++ lease->server_name[i] = packet->raw->sname[i];
++ }
++ /* Terminate and zero-pad */
++ if (lease->server_name != NULL) {
++ while (i < DHCP_SNAME_LEN + 1) {
++ lease->server_name[i++] = '\0';
++ }
+ }
+ }
+
+- /* Ditto for the filename. */
++ /* Ditto for the file name. */
+ if ((!packet->options[DHO_DHCP_OPTION_OVERLOAD].len ||
+ !(packet->options[DHO_DHCP_OPTION_OVERLOAD].data[0] & 1)) &&
+ packet->raw->file[0]) {
+ /* Don't count on the NUL terminator. */
+ lease->filename = malloc(DHCP_FILE_LEN + 1);
+- if (!lease->filename) {
+- warning("dhcpoffer: no memory for filename.");
++ if (lease->filename == NULL) {
++ warning("dhcpoffer: no memory for file name");
+ free_client_lease(lease);
+ return (NULL);
+ }
+- memcpy(lease->filename, packet->raw->file, DHCP_FILE_LEN);
+- lease->filename[DHCP_FILE_LEN]='\0';
+- if (strchr(lease->filename, '"') != NULL ||
+- strchr(lease->filename, '\\') != NULL) {
+- warning("dhcpoffer: filename contains invalid characters.");
+- free_client_lease(lease);
+- return (NULL);
++ for (i = 0; i < DHCP_FILE_LEN; i++) {
++ if (packet->raw->file[i] == '\0') {
++ break;
++ }
++ if (packet->raw->file[i] < ' ' ||
++ packet->raw->file[i] == '"') {
++ warning("dhcpoffer: file name contains "
++ "unsafe characters");
++ free(lease->filename);
++ lease->filename = NULL;
++ break;
++ }
++ if (packet->raw->file[i] == '\\') {
++ /*
++ * This is common in Windows-centric
++ * environments. Instead of rejecting,
++ * silently convert to forward slash.
++ */
++ packet->raw->file[i] = '/';
++ }
++ lease->filename[i] = packet->raw->file[i];
++ }
++ /* Terminate and zero-pad */
++ if (lease->filename != NULL) {
++ while (i < DHCP_FILE_LEN + 1) {
++ lease->filename[i++] = '\0';
++ }
+ }
+ }
+ return lease;
diff --git a/website/static/security/patches/EN-26:11/dhclient.patch.asc b/website/static/security/patches/EN-26:11/dhclient.patch.asc
new file mode 100644
index 0000000000..e663d9bde6
--- /dev/null
+++ b/website/static/security/patches/EN-26:11/dhclient.patch.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQJPBAABCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmn0xiUbFIAAAAAABAAO
+bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvP3IP/jxonX89dJSBsH0i12F0
+dVgVOeCYMf9dhEnd9Oyw/KY6p8OMWkNHg2D3rRR0wDzEf8k7RAVNoD87uKzOHfQk
+IeKE6n5LubG3WdLbEnWSMScHjvJ7+8+vDbU2brkXdWaBQxqdZRJ/QReRvLvLHR/8
+2xomS4l3uS1He+xxCPXk5G116zaDfEZWnYL1rHEbBI81Nxnktb/mSNwHLxf41E3A
+QdGOaPKCbuKKkq98Bo5zaTu9B/68iXq9yDGnPHJoUhZnpCSXA/21PNkUP+G4N1VG
+6bzCgl7e0tWL048nBv7V8A0cyZ8K0rCSjurlPNF82QxGGUD/Z6qKaclpwuQO/X50
+t3gzh0nJ1g6/F/FmywVjZEDAUIIpgHkyMGlWdzqlzLZ1jymSRXnZGGJVGU1tpcPF
+AZC/avfvGAZNrSXVaM5IoduzW7xLzlF4XyJt3aT2GbmegnVmfWD2hgIVzktq/bWj
+5UfalA/T/+2dusWLtbnUVQrZLppQBe5XfH1uNUONwguV4YDQ0ndP9hGUV5UM40Os
+RvrMnHGPjszURPWKN01V5GQRoMZkur/vIglOkFPLcKfr6rYRP4yxpJN70E1xV/pK
+AIjKUxIflDtAUdcgL0uaJHGJX6O8R4eXrl2RjdPv8EGDJcz/Y+zULSDbujCbcLys
+BT3xt7JyKXIB92PonZo28Xn5
+=2BEv
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/EN-26:12/ensa-135.patch b/website/static/security/patches/EN-26:12/ensa-135.patch
new file mode 100644
index 0000000000..e01596907a
--- /dev/null
+++ b/website/static/security/patches/EN-26:12/ensa-135.patch
@@ -0,0 +1,56 @@
+--- tests/sys/netpfil/pf/sctp.py.orig
++++ tests/sys/netpfil/pf/sctp.py
+@@ -448,53 +448,6 @@
+
+ @pytest.mark.require_user("root")
+ @pytest.mark.require_progs(["scapy"])
+- def test_initiate_tag_check(self):
+- # Ensure we don't send ABORTs in response to the other end's INIT_ACK
+- # That'd interfere with our test.
+- ToolsHelper.print_output("/sbin/sysctl net.inet.sctp.blackhole=2")
+-
+- import scapy.all as sp
+-
+- packet = sp.IP(src="192.0.2.1", dst="192.0.2.2") \
+- / sp.SCTP(sport=1234, dport=1234) \
+- / sp.SCTPChunkInit(init_tag=1, n_in_streams=1, n_out_streams=1, a_rwnd=1500)
+- packet.show()
+-
+- r = sp.sr1(packet, timeout=3)
+- assert r
+- r.show()
+- assert r.getlayer(sp.SCTP)
+- assert r.getlayer(sp.SCTPChunkInitAck)
+- assert r.getlayer(sp.SCTP).tag == 1
+-
+- # Send another INIT with the same initiate tag, expect another init ack
+- packet = sp.IP(src="192.0.2.1", dst="192.0.2.2") \
+- / sp.SCTP(sport=1234, dport=1234) \
+- / sp.SCTPChunkInit(init_tag=1, n_in_streams=1, n_out_streams=1, a_rwnd=1500)
+- packet.show()
+-
+- r = sp.sr1(packet, timeout=3)
+- assert r
+- r.show()
+- assert r.getlayer(sp.SCTP)
+- assert r.getlayer(sp.SCTPChunkInitAck)
+- assert r.getlayer(sp.SCTP).tag == 1
+-
+- # Send an INIT with a different initiate tag, expect another init ack
+- packet = sp.IP(src="192.0.2.1", dst="192.0.2.2") \
+- / sp.SCTP(sport=1234, dport=1234) \
+- / sp.SCTPChunkInit(init_tag=42, n_in_streams=1, n_out_streams=1, a_rwnd=1500)
+- packet.show()
+-
+- r = sp.sr1(packet, timeout=3)
+- assert r
+- r.show()
+- assert r.getlayer(sp.SCTP)
+- assert r.getlayer(sp.SCTPChunkInitAck)
+- assert r.getlayer(sp.SCTP).tag == 42
+-
+- @pytest.mark.require_user("root")
+- @pytest.mark.require_progs(["scapy"])
+ def test_too_many_add_ip(self):
+ import scapy.all as sp
+ DEPTH=90
diff --git a/website/static/security/patches/EN-26:12/ensa-135.patch.asc b/website/static/security/patches/EN-26:12/ensa-135.patch.asc
new file mode 100644
index 0000000000..b9015d82dd
--- /dev/null
+++ b/website/static/security/patches/EN-26:12/ensa-135.patch.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQJPBAABCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmn0xigbFIAAAAAABAAO
+bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvKRoQAOoQG727h+K+Ggup1bPR
+abGWXO72V+ouikfjx34bFYoZkti0/beAnH0/C8KhFCql23kdWVAk576nLz6a1TYe
+6XAkw+MbsL/TN07xexstUfZzBlO6oZGvOed1fkGsK7FNdN47NvTn5bAaSDOIwyvr
+c35FsjD2+ojqc+KdlyaNMidSlS58SbKtcZ1OrcJD3VMB3FJZ6D+ko0adCoXgyfPN
+noaWId+aANmFTksykWsDAgMKEdlyE8d+/dAec9m9qDY6Yza1IgU3bi2jh91lAx/y
+/n3QRfvdllFh1gJ+YTe0B1SpIimqjBnvGjUNNcDrpgbVrc5Yp9fPiPKSnxSit6eP
+dcLNNs3o4yLBScG9R5raZ184H64Uv1boD69I1MFEGWi2qkGxlc0hREj5G5v2NOny
+oGIOzA0yXEb9aXAAH1fP+WV9eADYheCQy3OJqZeJAEOda5actOKFfdoAOpNMNFAm
+2gUlOZO2hrR6RNJiAAJO0vzusuo66Wx97FPJUez/SoQSHriNY/e+yOnnGWe1Fjp+
+2EYa/cUcfHTs5nGy+cUXCjYKL0AL7HD7kiEiOoTG2TT438RtcMNLDH29gjPsnY6F
+nRBF7Sm994wwCKlWW1cmgxyZczpBVByHI8/mAT3i7wEyZsuBij0fkyIJZlHAxJQb
+XPcrcVNqkzLQzucFwGQ1jczC
+=Mn9N
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/EN-26:12/ensa-143.patch b/website/static/security/patches/EN-26:12/ensa-143.patch
new file mode 100644
index 0000000000..8b87835c4a
--- /dev/null
+++ b/website/static/security/patches/EN-26:12/ensa-143.patch
@@ -0,0 +1,487 @@
+--- lib/libnv/tests/Makefile.orig
++++ lib/libnv/tests/Makefile
+@@ -1,6 +1,15 @@
++.include
+
+ ATF_TESTS_C= \
+ nvlist_send_recv_test
++
++.PATH: ${SRCTOP}/lib/libnv
++SRCS.nvlist_send_recv_test= msgio.c nvlist_send_recv_test.c
++CFLAGS.nvlist_send_recv_test+=-I${SRCTOP}/sys/contrib/libnv
++CFLAGS.nvlist_send_recv_test+=-I${SRCTOP}/lib/libnv
++.if ${MK_ASAN} != "yes"
++CFLAGS.nvlist_send_recv_test+=-DNO_ASAN
++.endif
+
+ ATF_TESTS_CXX= \
+ cnv_tests \
+--- lib/libnv/tests/nv_array_tests.cc.orig
++++ lib/libnv/tests/nv_array_tests.cc
+@@ -1,6 +1,5 @@
+ /*-
+- * Copyright (c) 2015 Mariusz Zaborski
+- * All rights reserved.
++ * Copyright (c) 2015-2024 Mariusz Zaborski
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+@@ -28,6 +27,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+
+ #include
+@@ -1162,6 +1162,58 @@
+ free(packed);
+ }
+
++
++ATF_TEST_CASE_WITHOUT_HEAD(nvlist_string_array_nonull__pack);
++ATF_TEST_CASE_BODY(nvlist_string_array_nonull__pack)
++{
++ nvlist_t *testnvl, *unpacked;
++ const char *somestr[3] = { "a", "b", "XXX" };
++ uint8_t *packed, *twopages, *dataptr, *secondpage;
++ size_t packed_size, page_size;
++ bool found;
++
++ page_size = sysconf(_SC_PAGESIZE);
++ testnvl = nvlist_create(0);
++ ATF_REQUIRE(testnvl != NULL);
++ ATF_REQUIRE_EQ(nvlist_error(testnvl), 0);
++ nvlist_add_string_array(testnvl, "nvl/string", somestr,
++ nitems(somestr));
++ ATF_REQUIRE_EQ(nvlist_error(testnvl), 0);
++
++ packed = (uint8_t *)nvlist_pack(testnvl, &packed_size);
++ ATF_REQUIRE(packed != NULL);
++
++ twopages = (uint8_t *)mmap(NULL, page_size * 2, PROT_READ | PROT_WRITE,
++ MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
++ ATF_REQUIRE(twopages != MAP_FAILED);
++ dataptr = &twopages[page_size - packed_size];
++ secondpage = &twopages[page_size];
++
++ memset(twopages, 'A', page_size * 2);
++
++ mprotect(secondpage, page_size, PROT_NONE);
++ memcpy(dataptr, packed, packed_size);
++
++ found = false;
++ for (size_t i = 0; i < packed_size - 3; i++) {
++ if (dataptr[i] == 'X' && dataptr[i + 1] == 'X' &&
++ dataptr[i + 2] == 'X' && dataptr[i + 3] == '\0') {
++ dataptr[i + 3] = 'X';
++ found = true;
++ break;
++ }
++ }
++ ATF_REQUIRE(found == true);
++
++ unpacked = nvlist_unpack(dataptr, packed_size, 0);
++ ATF_REQUIRE(unpacked == NULL);
++
++ nvlist_destroy(testnvl);
++ free(packed);
++ munmap(twopages, page_size * 2);
++}
++
++
+ ATF_INIT_TEST_CASES(tp)
+ {
+
+@@ -1191,5 +1243,7 @@
+ ATF_ADD_TEST_CASE(tp, nvlist_descriptor_array__pack)
+ ATF_ADD_TEST_CASE(tp, nvlist_string_array__pack)
+ ATF_ADD_TEST_CASE(tp, nvlist_nvlist_array__pack)
++
++ ATF_ADD_TEST_CASE(tp, nvlist_string_array_nonull__pack)
+ }
+
+--- lib/libnv/tests/nvlist_send_recv_test.c.orig
++++ lib/libnv/tests/nvlist_send_recv_test.c
+@@ -1,5 +1,8 @@
+ /*-
++ * SPDX-License-Identifier: BSD-2-Clause
++ *
+ * Copyright (c) 2013 The FreeBSD Foundation
++ * Copyright (c) 2024-2026 Mariusz Zaborski
+ *
+ * This software was developed by Pawel Jakub Dawidek under sponsorship from
+ * the FreeBSD Foundation.
+@@ -28,6 +31,8 @@
+
+ #include
+ #include
++#include
++#include
+ #include
+ #include
+ #include
+@@ -44,6 +49,9 @@
+
+ #include
+
++#include
++#include
++
+ #define ALPHABET "abcdefghijklmnopqrstuvwxyz"
+ #define fd_is_valid(fd) (fcntl((fd), F_GETFL) != -1 || errno != EBADF)
+
+@@ -531,6 +539,59 @@
+ nvlist_send_recv__send_nvlist(SOCK_STREAM);
+ }
+
++/*
++ * Regression test for fd_wait(): the previous select(2)-based implementation
++ * called FD_SET() unconditionally, which is an out-of-bounds stack write when
++ * the socket fd is >= FD_SETSIZE. Force the socketpair fds above FD_SETSIZE
++ * and verify a full nvlist round-trip still works.
++ */
++ATF_TC_WITHOUT_HEAD(nvlist_send_recv__highfd);
++ATF_TC_BODY(nvlist_send_recv__highfd, tc)
++{
++ struct rlimit rl;
++ nvlist_t *nvl;
++ int socks[2], hi_send, hi_recv, status;
++ pid_t pid;
++
++ hi_send = FD_SETSIZE + 5;
++ hi_recv = FD_SETSIZE + 6;
++
++ rl.rlim_cur = rl.rlim_max = hi_recv + 1;
++ if (setrlimit(RLIMIT_NOFILE, &rl) != 0)
++ atf_tc_skip("cannot raise RLIMIT_NOFILE: %s", strerror(errno));
++
++ ATF_REQUIRE(socketpair(PF_UNIX, SOCK_STREAM, 0, socks) == 0);
++ ATF_REQUIRE(dup2(socks[0], hi_recv) == hi_recv);
++ ATF_REQUIRE(dup2(socks[1], hi_send) == hi_send);
++ (void)close(socks[0]);
++ (void)close(socks[1]);
++
++ pid = fork();
++ ATF_REQUIRE(pid >= 0);
++ if (pid == 0) {
++ /* Child: send. */
++ (void)close(hi_recv);
++ nvl = nvlist_create(0);
++ nvlist_add_string(nvl, "key", "value");
++ if (nvlist_send(hi_send, nvl) != 0)
++ err(EXIT_FAILURE, "nvlist_send");
++ nvlist_destroy(nvl);
++ _exit(0);
++ }
++
++ (void)close(hi_send);
++ nvl = nvlist_recv(hi_recv, 0);
++ ATF_REQUIRE(nvl != NULL);
++ ATF_REQUIRE(nvlist_error(nvl) == 0);
++ ATF_REQUIRE(nvlist_exists_string(nvl, "key"));
++ ATF_REQUIRE(strcmp(nvlist_get_string(nvl, "key"), "value") == 0);
++ nvlist_destroy(nvl);
++
++ ATF_REQUIRE(waitpid(pid, &status, 0) == pid);
++ ATF_REQUIRE(status == 0);
++ (void)close(hi_recv);
++}
++
+ ATF_TC_WITHOUT_HEAD(nvlist_send_recv__send_closed_fd__dgram);
+ ATF_TC_BODY(nvlist_send_recv__send_closed_fd__dgram, tc)
+ {
+@@ -543,15 +604,260 @@
+ nvlist_send_recv__send_closed_fd(SOCK_STREAM);
+ }
+
++ATF_TC_WITHOUT_HEAD(nvlist_send_recv__overflow_header_size);
++ATF_TC_BODY(nvlist_send_recv__overflow_header_size, tc)
++{
++ nvlist_t *nvl;
++ void *packed;
++ size_t packed_size;
++ struct nvlist_header *header;
++ int fd, socks[2], status;
++ pid_t pid;
++
++#ifdef NO_ASAN
++ atf_tc_skip("This test requires ASAN");
++#endif
++
++ ATF_REQUIRE_EQ(socketpair(PF_UNIX, SOCK_STREAM, 0, socks), 0);
++
++ pid = fork();
++ ATF_REQUIRE(pid >= 0);
++
++ if (pid == 0) {
++ /* Child. */
++ fd = socks[0];
++ close(socks[1]);
++
++ nvl = nvlist_create(0);
++ ATF_REQUIRE(nvl != NULL);
++ ATF_REQUIRE(nvlist_empty(nvl));
++
++ packed = nvlist_pack(nvl, &packed_size);
++ ATF_REQUIRE(packed != NULL);
++ ATF_REQUIRE(packed_size >= sizeof(struct nvlist_header));
++
++ header = (struct nvlist_header *)packed;
++ header->nvlh_size = SIZE_MAX - sizeof(struct nvlist_header) + 2;
++
++ ATF_REQUIRE_EQ(write(fd, packed, packed_size),
++ (ssize_t)sizeof(struct nvlist_header));
++
++ nvlist_destroy(nvl);
++ free(packed);
++
++ exit(0);
++ } else {
++ /* Parent */
++ fd = socks[1];
++ close(socks[0]);
++
++ errno = 0;
++ nvl = nvlist_recv(fd, 0);
++ ATF_REQUIRE(nvl == NULL);
++
++ /*
++ * Make sure it has failed on EINVAL, and not on
++ * errors returned by malloc or recv.
++ */
++ ATF_REQUIRE(errno == EINVAL);
++
++ ATF_REQUIRE(waitpid(pid, &status, 0) == pid);
++ ATF_REQUIRE(status == 0);
++ close(fd);
++ }
++}
++
++ATF_TC_WITHOUT_HEAD(nvlist_send_recv__overflow_big_endian_size);
++ATF_TC_BODY(nvlist_send_recv__overflow_big_endian_size, tc)
++{
++ static const unsigned char payload[] = {
++ 0x6c, /* magic */
++ 0x00, /* version */
++ 0x80, /* flags: NV_FLAG_BIG_ENDIAN */
++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf5,
++ };
++ nvlist_t *nvl;
++ int sv[2];
++
++ ATF_REQUIRE_EQ(socketpair(AF_UNIX, SOCK_STREAM, 0, sv), 0);
++ ATF_REQUIRE_EQ(write(sv[1], payload, sizeof(payload)),
++ (ssize_t)sizeof(payload));
++ ATF_REQUIRE_EQ(close(sv[1]), 0);
++
++ errno = 0;
++ nvl = nvlist_recv(sv[0], 0);
++ ATF_REQUIRE(nvl == NULL);
++ ATF_REQUIRE_EQ(errno, EINVAL);
++
++ ATF_REQUIRE_EQ(close(sv[0]), 0);
++}
++
++ATF_TC_WITHOUT_HEAD(nvlist_send_recv__overflow_little_endian_size);
++ATF_TC_BODY(nvlist_send_recv__overflow_little_endian_size, tc)
++{
++ static const unsigned char payload[] = {
++ 0x6c, /* magic */
++ 0x00, /* version */
++ 0x00, /* flags */
++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++ 0xf5, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
++ };
++ nvlist_t *nvl;
++ int sv[2];
++
++ ATF_REQUIRE_EQ(socketpair(AF_UNIX, SOCK_STREAM, 0, sv), 0);
++ ATF_REQUIRE_EQ(write(sv[1], payload, sizeof(payload)),
++ (ssize_t)sizeof(payload));
++ ATF_REQUIRE_EQ(close(sv[1]), 0);
++
++ errno = 0;
++ nvl = nvlist_recv(sv[0], 0);
++ ATF_REQUIRE(nvl == NULL);
++ ATF_REQUIRE_EQ(errno, EINVAL);
++
++ ATF_REQUIRE_EQ(close(sv[0]), 0);
++}
++
++ATF_TC_WITHOUT_HEAD(nvlist_send_recv__invalid_fd_size);
++ATF_TC_BODY(nvlist_send_recv__invalid_fd_size, tc)
++{
++ nvlist_t *nvl;
++ void *packed;
++ size_t packed_size;
++ struct nvlist_header *header;
++ int fd, socks[2], status;
++ pid_t pid;
++
++ ATF_REQUIRE_EQ(socketpair(PF_UNIX, SOCK_STREAM, 0, socks), 0);
++
++ pid = fork();
++ ATF_REQUIRE(pid >= 0);
++
++ if (pid == 0) {
++ /* Child. */
++ fd = socks[0];
++ close(socks[1]);
++
++ nvl = nvlist_create(0);
++ ATF_REQUIRE(nvl != NULL);
++ ATF_REQUIRE(nvlist_empty(nvl));
++
++ nvlist_add_string(nvl, "nvl/string", "test");
++ ATF_REQUIRE_EQ(nvlist_error(nvl), 0);
++
++ packed = nvlist_pack(nvl, &packed_size);
++ ATF_REQUIRE(packed != NULL);
++ ATF_REQUIRE(packed_size >= sizeof(struct nvlist_header));
++
++ header = (struct nvlist_header *)packed;
++ header->nvlh_descriptors = 0x20;
++
++ ATF_REQUIRE_EQ(write(fd, packed, packed_size),
++ (ssize_t)packed_size);
++
++ nvlist_destroy(nvl);
++ free(packed);
++
++ exit(0);
++ } else {
++ /* Parent */
++ fd = socks[1];
++ close(socks[0]);
++
++ nvl = nvlist_recv(fd, 0);
++ ATF_REQUIRE(nvl == NULL);
++
++ ATF_REQUIRE(waitpid(pid, &status, 0) == pid);
++ ATF_REQUIRE(status == 0);
++ }
++
++ close(fd);
++}
++
++ATF_TC_WITHOUT_HEAD(nvlist_send_recv__overflow_fd_size);
++ATF_TC_BODY(nvlist_send_recv__overflow_fd_size, tc)
++{
++ nvlist_t *nvl;
++ void *packed;
++ size_t packed_size;
++ struct nvlist_header *header;
++ int fd, socks[2], fds[1], status;
++ pid_t pid;
++
++ ATF_REQUIRE_EQ(socketpair(PF_UNIX, SOCK_STREAM, 0, socks), 0);
++
++ pid = fork();
++ ATF_REQUIRE(pid >= 0);
++
++ if (pid == 0) {
++ /* Child. */
++ fd = socks[0];
++ close(socks[1]);
++
++ nvl = nvlist_create(0);
++ ATF_REQUIRE(nvl != NULL);
++ ATF_REQUIRE(nvlist_empty(nvl));
++
++ nvlist_add_string(nvl, "nvl/string", "test");
++ ATF_REQUIRE_EQ(nvlist_error(nvl), 0);
++
++ packed = nvlist_pack(nvl, &packed_size);
++ ATF_REQUIRE(packed != NULL);
++ ATF_REQUIRE(packed_size >= sizeof(struct nvlist_header));
++
++ header = (struct nvlist_header *)packed;
++ header->nvlh_descriptors = 0x4000000000000002;
++
++ ATF_REQUIRE_EQ(write(fd, packed, packed_size),
++ (ssize_t)packed_size);
++
++ fds[0] = dup(STDERR_FILENO);
++ ATF_REQUIRE(fds[0] >= 0);
++ ATF_REQUIRE_EQ(fd_send(fd, fds, 1), 0);
++
++ nvlist_destroy(nvl);
++ free(packed);
++
++ close(fds[0]);
++ close(fd);
++
++ exit(0);
++ } else {
++ /* Parent */
++ fd = socks[1];
++ close(socks[0]);
++
++ nvl = nvlist_recv(fd, 0);
++ ATF_REQUIRE(nvl == NULL);
++
++ /* Make sure that fd was not parsed by nvlist */
++ ATF_REQUIRE(fd_recv(fd, fds, 1) == 0);
++
++ ATF_REQUIRE(waitpid(pid, &status, 0) == pid);
++ ATF_REQUIRE(status == 0);
++
++ close(fds[0]);
++ close(fd);
++ }
++}
++
+ ATF_TP_ADD_TCS(tp)
+ {
+
+ ATF_TP_ADD_TC(tp, nvlist_send_recv__send_nvlist__dgram);
+ ATF_TP_ADD_TC(tp, nvlist_send_recv__send_nvlist__stream);
++ ATF_TP_ADD_TC(tp, nvlist_send_recv__highfd);
+ ATF_TP_ADD_TC(tp, nvlist_send_recv__send_closed_fd__dgram);
+ ATF_TP_ADD_TC(tp, nvlist_send_recv__send_closed_fd__stream);
+ ATF_TP_ADD_TC(tp, nvlist_send_recv__send_many_fds__dgram);
+ ATF_TP_ADD_TC(tp, nvlist_send_recv__send_many_fds__stream);
++
++ ATF_TP_ADD_TC(tp, nvlist_send_recv__overflow_header_size);
++ ATF_TP_ADD_TC(tp, nvlist_send_recv__overflow_big_endian_size);
++ ATF_TP_ADD_TC(tp, nvlist_send_recv__overflow_little_endian_size);
++ ATF_TP_ADD_TC(tp, nvlist_send_recv__invalid_fd_size);
++ ATF_TP_ADD_TC(tp, nvlist_send_recv__overflow_fd_size);
+
+ return (atf_no_error());
+ }
+--- sys/contrib/libnv/nv_impl.h.orig
++++ sys/contrib/libnv/nv_impl.h
+@@ -42,6 +42,14 @@
+ typedef struct nvpair nvpair_t;
+ #endif
+
++struct nvlist_header {
++ uint8_t nvlh_magic;
++ uint8_t nvlh_version;
++ uint8_t nvlh_flags;
++ uint64_t nvlh_descriptors;
++ uint64_t nvlh_size;
++} __packed;
++
+ #define NV_TYPE_NVLIST_ARRAY_NEXT 254
+ #define NV_TYPE_NVLIST_UP 255
+
+--- sys/contrib/libnv/nvlist.c.orig
++++ sys/contrib/libnv/nvlist.c
+@@ -118,13 +118,6 @@
+
+ #define NVLIST_HEADER_MAGIC 0x6c
+ #define NVLIST_HEADER_VERSION 0x00
+-struct nvlist_header {
+- uint8_t nvlh_magic;
+- uint8_t nvlh_version;
+- uint8_t nvlh_flags;
+- uint64_t nvlh_descriptors;
+- uint64_t nvlh_size;
+-} __packed;
+
+ nvlist_t *
+ nvlist_create(int flags)
diff --git a/website/static/security/patches/EN-26:12/ensa-143.patch.asc b/website/static/security/patches/EN-26:12/ensa-143.patch.asc
new file mode 100644
index 0000000000..817e56b18b
--- /dev/null
+++ b/website/static/security/patches/EN-26:12/ensa-143.patch.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQJPBAABCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmn0xikbFIAAAAAABAAO
+bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvXoIQAMu1Z+MW43UPDQ7tLgn2
+4aVfe0l+NqdQS3t9diugP8SdwmSXuCgs6nnXFgp0s6iBRyDqWyHtc3w6eaf24QSD
+Iho64XCvcZrik5QkLCE0agDZ4JutaPFy2Tkv1CWgeBmQyZl09LyYgILqtqIgK5qm
+WZXhxDdPK+d16QRvHr06AhOWHqQzDo7/Exk5U82LrwuEbJCu9Szy5yTT5tBJrmIq
+fvQYVYf2RLyNad2LA13xRLLCF0K/Tdpaj6TnkBLJragNwjCExBtnXyi+c4FCnqTF
+7d+FzOAF2sgMSFxFh075FPXAlItfcMOIxUXjbH03vmXgxOV20izwQP0i3PRR3lPl
+eGZobqaO7Oe7vhCJ1vgY2OPRuOr2VHrKQMcTAeQCCLYkN7MMjx1mWspRSWRTbIv5
+3KzZfy89v+NWO5vbXQ6zVqsknNUjeYbqbHS6Hlk5xr9kwYkxA0HBm/6RVwmVg5bm
+dthtj7jtZcuiYQwgNuGp908SuZkU0g+MzzGijOvZ60nckfvx+CX/tAEWecDKn8zZ
+V4UiEggNR5tSkqnNIfFtelAYtNGKX5lia/3lb/FijxM8mFgVjLC3IAyR5z8OSYDQ
+zdYrC5aYsWUCFyBENN4VElz2RnJgIGFMRWFCfb4vpbHFC7Zo6ce6Rln1TnsuH0bE
+MJH+dVpEzdrjYOq74oc0fHgA
+=/8Ff
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/EN-26:12/ensa-144.patch b/website/static/security/patches/EN-26:12/ensa-144.patch
new file mode 100644
index 0000000000..8b87835c4a
--- /dev/null
+++ b/website/static/security/patches/EN-26:12/ensa-144.patch
@@ -0,0 +1,487 @@
+--- lib/libnv/tests/Makefile.orig
++++ lib/libnv/tests/Makefile
+@@ -1,6 +1,15 @@
++.include
+
+ ATF_TESTS_C= \
+ nvlist_send_recv_test
++
++.PATH: ${SRCTOP}/lib/libnv
++SRCS.nvlist_send_recv_test= msgio.c nvlist_send_recv_test.c
++CFLAGS.nvlist_send_recv_test+=-I${SRCTOP}/sys/contrib/libnv
++CFLAGS.nvlist_send_recv_test+=-I${SRCTOP}/lib/libnv
++.if ${MK_ASAN} != "yes"
++CFLAGS.nvlist_send_recv_test+=-DNO_ASAN
++.endif
+
+ ATF_TESTS_CXX= \
+ cnv_tests \
+--- lib/libnv/tests/nv_array_tests.cc.orig
++++ lib/libnv/tests/nv_array_tests.cc
+@@ -1,6 +1,5 @@
+ /*-
+- * Copyright (c) 2015 Mariusz Zaborski
+- * All rights reserved.
++ * Copyright (c) 2015-2024 Mariusz Zaborski
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+@@ -28,6 +27,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+
+ #include
+@@ -1162,6 +1162,58 @@
+ free(packed);
+ }
+
++
++ATF_TEST_CASE_WITHOUT_HEAD(nvlist_string_array_nonull__pack);
++ATF_TEST_CASE_BODY(nvlist_string_array_nonull__pack)
++{
++ nvlist_t *testnvl, *unpacked;
++ const char *somestr[3] = { "a", "b", "XXX" };
++ uint8_t *packed, *twopages, *dataptr, *secondpage;
++ size_t packed_size, page_size;
++ bool found;
++
++ page_size = sysconf(_SC_PAGESIZE);
++ testnvl = nvlist_create(0);
++ ATF_REQUIRE(testnvl != NULL);
++ ATF_REQUIRE_EQ(nvlist_error(testnvl), 0);
++ nvlist_add_string_array(testnvl, "nvl/string", somestr,
++ nitems(somestr));
++ ATF_REQUIRE_EQ(nvlist_error(testnvl), 0);
++
++ packed = (uint8_t *)nvlist_pack(testnvl, &packed_size);
++ ATF_REQUIRE(packed != NULL);
++
++ twopages = (uint8_t *)mmap(NULL, page_size * 2, PROT_READ | PROT_WRITE,
++ MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
++ ATF_REQUIRE(twopages != MAP_FAILED);
++ dataptr = &twopages[page_size - packed_size];
++ secondpage = &twopages[page_size];
++
++ memset(twopages, 'A', page_size * 2);
++
++ mprotect(secondpage, page_size, PROT_NONE);
++ memcpy(dataptr, packed, packed_size);
++
++ found = false;
++ for (size_t i = 0; i < packed_size - 3; i++) {
++ if (dataptr[i] == 'X' && dataptr[i + 1] == 'X' &&
++ dataptr[i + 2] == 'X' && dataptr[i + 3] == '\0') {
++ dataptr[i + 3] = 'X';
++ found = true;
++ break;
++ }
++ }
++ ATF_REQUIRE(found == true);
++
++ unpacked = nvlist_unpack(dataptr, packed_size, 0);
++ ATF_REQUIRE(unpacked == NULL);
++
++ nvlist_destroy(testnvl);
++ free(packed);
++ munmap(twopages, page_size * 2);
++}
++
++
+ ATF_INIT_TEST_CASES(tp)
+ {
+
+@@ -1191,5 +1243,7 @@
+ ATF_ADD_TEST_CASE(tp, nvlist_descriptor_array__pack)
+ ATF_ADD_TEST_CASE(tp, nvlist_string_array__pack)
+ ATF_ADD_TEST_CASE(tp, nvlist_nvlist_array__pack)
++
++ ATF_ADD_TEST_CASE(tp, nvlist_string_array_nonull__pack)
+ }
+
+--- lib/libnv/tests/nvlist_send_recv_test.c.orig
++++ lib/libnv/tests/nvlist_send_recv_test.c
+@@ -1,5 +1,8 @@
+ /*-
++ * SPDX-License-Identifier: BSD-2-Clause
++ *
+ * Copyright (c) 2013 The FreeBSD Foundation
++ * Copyright (c) 2024-2026 Mariusz Zaborski
+ *
+ * This software was developed by Pawel Jakub Dawidek under sponsorship from
+ * the FreeBSD Foundation.
+@@ -28,6 +31,8 @@
+
+ #include
+ #include
++#include
++#include
+ #include
+ #include
+ #include
+@@ -44,6 +49,9 @@
+
+ #include
+
++#include
++#include
++
+ #define ALPHABET "abcdefghijklmnopqrstuvwxyz"
+ #define fd_is_valid(fd) (fcntl((fd), F_GETFL) != -1 || errno != EBADF)
+
+@@ -531,6 +539,59 @@
+ nvlist_send_recv__send_nvlist(SOCK_STREAM);
+ }
+
++/*
++ * Regression test for fd_wait(): the previous select(2)-based implementation
++ * called FD_SET() unconditionally, which is an out-of-bounds stack write when
++ * the socket fd is >= FD_SETSIZE. Force the socketpair fds above FD_SETSIZE
++ * and verify a full nvlist round-trip still works.
++ */
++ATF_TC_WITHOUT_HEAD(nvlist_send_recv__highfd);
++ATF_TC_BODY(nvlist_send_recv__highfd, tc)
++{
++ struct rlimit rl;
++ nvlist_t *nvl;
++ int socks[2], hi_send, hi_recv, status;
++ pid_t pid;
++
++ hi_send = FD_SETSIZE + 5;
++ hi_recv = FD_SETSIZE + 6;
++
++ rl.rlim_cur = rl.rlim_max = hi_recv + 1;
++ if (setrlimit(RLIMIT_NOFILE, &rl) != 0)
++ atf_tc_skip("cannot raise RLIMIT_NOFILE: %s", strerror(errno));
++
++ ATF_REQUIRE(socketpair(PF_UNIX, SOCK_STREAM, 0, socks) == 0);
++ ATF_REQUIRE(dup2(socks[0], hi_recv) == hi_recv);
++ ATF_REQUIRE(dup2(socks[1], hi_send) == hi_send);
++ (void)close(socks[0]);
++ (void)close(socks[1]);
++
++ pid = fork();
++ ATF_REQUIRE(pid >= 0);
++ if (pid == 0) {
++ /* Child: send. */
++ (void)close(hi_recv);
++ nvl = nvlist_create(0);
++ nvlist_add_string(nvl, "key", "value");
++ if (nvlist_send(hi_send, nvl) != 0)
++ err(EXIT_FAILURE, "nvlist_send");
++ nvlist_destroy(nvl);
++ _exit(0);
++ }
++
++ (void)close(hi_send);
++ nvl = nvlist_recv(hi_recv, 0);
++ ATF_REQUIRE(nvl != NULL);
++ ATF_REQUIRE(nvlist_error(nvl) == 0);
++ ATF_REQUIRE(nvlist_exists_string(nvl, "key"));
++ ATF_REQUIRE(strcmp(nvlist_get_string(nvl, "key"), "value") == 0);
++ nvlist_destroy(nvl);
++
++ ATF_REQUIRE(waitpid(pid, &status, 0) == pid);
++ ATF_REQUIRE(status == 0);
++ (void)close(hi_recv);
++}
++
+ ATF_TC_WITHOUT_HEAD(nvlist_send_recv__send_closed_fd__dgram);
+ ATF_TC_BODY(nvlist_send_recv__send_closed_fd__dgram, tc)
+ {
+@@ -543,15 +604,260 @@
+ nvlist_send_recv__send_closed_fd(SOCK_STREAM);
+ }
+
++ATF_TC_WITHOUT_HEAD(nvlist_send_recv__overflow_header_size);
++ATF_TC_BODY(nvlist_send_recv__overflow_header_size, tc)
++{
++ nvlist_t *nvl;
++ void *packed;
++ size_t packed_size;
++ struct nvlist_header *header;
++ int fd, socks[2], status;
++ pid_t pid;
++
++#ifdef NO_ASAN
++ atf_tc_skip("This test requires ASAN");
++#endif
++
++ ATF_REQUIRE_EQ(socketpair(PF_UNIX, SOCK_STREAM, 0, socks), 0);
++
++ pid = fork();
++ ATF_REQUIRE(pid >= 0);
++
++ if (pid == 0) {
++ /* Child. */
++ fd = socks[0];
++ close(socks[1]);
++
++ nvl = nvlist_create(0);
++ ATF_REQUIRE(nvl != NULL);
++ ATF_REQUIRE(nvlist_empty(nvl));
++
++ packed = nvlist_pack(nvl, &packed_size);
++ ATF_REQUIRE(packed != NULL);
++ ATF_REQUIRE(packed_size >= sizeof(struct nvlist_header));
++
++ header = (struct nvlist_header *)packed;
++ header->nvlh_size = SIZE_MAX - sizeof(struct nvlist_header) + 2;
++
++ ATF_REQUIRE_EQ(write(fd, packed, packed_size),
++ (ssize_t)sizeof(struct nvlist_header));
++
++ nvlist_destroy(nvl);
++ free(packed);
++
++ exit(0);
++ } else {
++ /* Parent */
++ fd = socks[1];
++ close(socks[0]);
++
++ errno = 0;
++ nvl = nvlist_recv(fd, 0);
++ ATF_REQUIRE(nvl == NULL);
++
++ /*
++ * Make sure it has failed on EINVAL, and not on
++ * errors returned by malloc or recv.
++ */
++ ATF_REQUIRE(errno == EINVAL);
++
++ ATF_REQUIRE(waitpid(pid, &status, 0) == pid);
++ ATF_REQUIRE(status == 0);
++ close(fd);
++ }
++}
++
++ATF_TC_WITHOUT_HEAD(nvlist_send_recv__overflow_big_endian_size);
++ATF_TC_BODY(nvlist_send_recv__overflow_big_endian_size, tc)
++{
++ static const unsigned char payload[] = {
++ 0x6c, /* magic */
++ 0x00, /* version */
++ 0x80, /* flags: NV_FLAG_BIG_ENDIAN */
++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf5,
++ };
++ nvlist_t *nvl;
++ int sv[2];
++
++ ATF_REQUIRE_EQ(socketpair(AF_UNIX, SOCK_STREAM, 0, sv), 0);
++ ATF_REQUIRE_EQ(write(sv[1], payload, sizeof(payload)),
++ (ssize_t)sizeof(payload));
++ ATF_REQUIRE_EQ(close(sv[1]), 0);
++
++ errno = 0;
++ nvl = nvlist_recv(sv[0], 0);
++ ATF_REQUIRE(nvl == NULL);
++ ATF_REQUIRE_EQ(errno, EINVAL);
++
++ ATF_REQUIRE_EQ(close(sv[0]), 0);
++}
++
++ATF_TC_WITHOUT_HEAD(nvlist_send_recv__overflow_little_endian_size);
++ATF_TC_BODY(nvlist_send_recv__overflow_little_endian_size, tc)
++{
++ static const unsigned char payload[] = {
++ 0x6c, /* magic */
++ 0x00, /* version */
++ 0x00, /* flags */
++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++ 0xf5, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
++ };
++ nvlist_t *nvl;
++ int sv[2];
++
++ ATF_REQUIRE_EQ(socketpair(AF_UNIX, SOCK_STREAM, 0, sv), 0);
++ ATF_REQUIRE_EQ(write(sv[1], payload, sizeof(payload)),
++ (ssize_t)sizeof(payload));
++ ATF_REQUIRE_EQ(close(sv[1]), 0);
++
++ errno = 0;
++ nvl = nvlist_recv(sv[0], 0);
++ ATF_REQUIRE(nvl == NULL);
++ ATF_REQUIRE_EQ(errno, EINVAL);
++
++ ATF_REQUIRE_EQ(close(sv[0]), 0);
++}
++
++ATF_TC_WITHOUT_HEAD(nvlist_send_recv__invalid_fd_size);
++ATF_TC_BODY(nvlist_send_recv__invalid_fd_size, tc)
++{
++ nvlist_t *nvl;
++ void *packed;
++ size_t packed_size;
++ struct nvlist_header *header;
++ int fd, socks[2], status;
++ pid_t pid;
++
++ ATF_REQUIRE_EQ(socketpair(PF_UNIX, SOCK_STREAM, 0, socks), 0);
++
++ pid = fork();
++ ATF_REQUIRE(pid >= 0);
++
++ if (pid == 0) {
++ /* Child. */
++ fd = socks[0];
++ close(socks[1]);
++
++ nvl = nvlist_create(0);
++ ATF_REQUIRE(nvl != NULL);
++ ATF_REQUIRE(nvlist_empty(nvl));
++
++ nvlist_add_string(nvl, "nvl/string", "test");
++ ATF_REQUIRE_EQ(nvlist_error(nvl), 0);
++
++ packed = nvlist_pack(nvl, &packed_size);
++ ATF_REQUIRE(packed != NULL);
++ ATF_REQUIRE(packed_size >= sizeof(struct nvlist_header));
++
++ header = (struct nvlist_header *)packed;
++ header->nvlh_descriptors = 0x20;
++
++ ATF_REQUIRE_EQ(write(fd, packed, packed_size),
++ (ssize_t)packed_size);
++
++ nvlist_destroy(nvl);
++ free(packed);
++
++ exit(0);
++ } else {
++ /* Parent */
++ fd = socks[1];
++ close(socks[0]);
++
++ nvl = nvlist_recv(fd, 0);
++ ATF_REQUIRE(nvl == NULL);
++
++ ATF_REQUIRE(waitpid(pid, &status, 0) == pid);
++ ATF_REQUIRE(status == 0);
++ }
++
++ close(fd);
++}
++
++ATF_TC_WITHOUT_HEAD(nvlist_send_recv__overflow_fd_size);
++ATF_TC_BODY(nvlist_send_recv__overflow_fd_size, tc)
++{
++ nvlist_t *nvl;
++ void *packed;
++ size_t packed_size;
++ struct nvlist_header *header;
++ int fd, socks[2], fds[1], status;
++ pid_t pid;
++
++ ATF_REQUIRE_EQ(socketpair(PF_UNIX, SOCK_STREAM, 0, socks), 0);
++
++ pid = fork();
++ ATF_REQUIRE(pid >= 0);
++
++ if (pid == 0) {
++ /* Child. */
++ fd = socks[0];
++ close(socks[1]);
++
++ nvl = nvlist_create(0);
++ ATF_REQUIRE(nvl != NULL);
++ ATF_REQUIRE(nvlist_empty(nvl));
++
++ nvlist_add_string(nvl, "nvl/string", "test");
++ ATF_REQUIRE_EQ(nvlist_error(nvl), 0);
++
++ packed = nvlist_pack(nvl, &packed_size);
++ ATF_REQUIRE(packed != NULL);
++ ATF_REQUIRE(packed_size >= sizeof(struct nvlist_header));
++
++ header = (struct nvlist_header *)packed;
++ header->nvlh_descriptors = 0x4000000000000002;
++
++ ATF_REQUIRE_EQ(write(fd, packed, packed_size),
++ (ssize_t)packed_size);
++
++ fds[0] = dup(STDERR_FILENO);
++ ATF_REQUIRE(fds[0] >= 0);
++ ATF_REQUIRE_EQ(fd_send(fd, fds, 1), 0);
++
++ nvlist_destroy(nvl);
++ free(packed);
++
++ close(fds[0]);
++ close(fd);
++
++ exit(0);
++ } else {
++ /* Parent */
++ fd = socks[1];
++ close(socks[0]);
++
++ nvl = nvlist_recv(fd, 0);
++ ATF_REQUIRE(nvl == NULL);
++
++ /* Make sure that fd was not parsed by nvlist */
++ ATF_REQUIRE(fd_recv(fd, fds, 1) == 0);
++
++ ATF_REQUIRE(waitpid(pid, &status, 0) == pid);
++ ATF_REQUIRE(status == 0);
++
++ close(fds[0]);
++ close(fd);
++ }
++}
++
+ ATF_TP_ADD_TCS(tp)
+ {
+
+ ATF_TP_ADD_TC(tp, nvlist_send_recv__send_nvlist__dgram);
+ ATF_TP_ADD_TC(tp, nvlist_send_recv__send_nvlist__stream);
++ ATF_TP_ADD_TC(tp, nvlist_send_recv__highfd);
+ ATF_TP_ADD_TC(tp, nvlist_send_recv__send_closed_fd__dgram);
+ ATF_TP_ADD_TC(tp, nvlist_send_recv__send_closed_fd__stream);
+ ATF_TP_ADD_TC(tp, nvlist_send_recv__send_many_fds__dgram);
+ ATF_TP_ADD_TC(tp, nvlist_send_recv__send_many_fds__stream);
++
++ ATF_TP_ADD_TC(tp, nvlist_send_recv__overflow_header_size);
++ ATF_TP_ADD_TC(tp, nvlist_send_recv__overflow_big_endian_size);
++ ATF_TP_ADD_TC(tp, nvlist_send_recv__overflow_little_endian_size);
++ ATF_TP_ADD_TC(tp, nvlist_send_recv__invalid_fd_size);
++ ATF_TP_ADD_TC(tp, nvlist_send_recv__overflow_fd_size);
+
+ return (atf_no_error());
+ }
+--- sys/contrib/libnv/nv_impl.h.orig
++++ sys/contrib/libnv/nv_impl.h
+@@ -42,6 +42,14 @@
+ typedef struct nvpair nvpair_t;
+ #endif
+
++struct nvlist_header {
++ uint8_t nvlh_magic;
++ uint8_t nvlh_version;
++ uint8_t nvlh_flags;
++ uint64_t nvlh_descriptors;
++ uint64_t nvlh_size;
++} __packed;
++
+ #define NV_TYPE_NVLIST_ARRAY_NEXT 254
+ #define NV_TYPE_NVLIST_UP 255
+
+--- sys/contrib/libnv/nvlist.c.orig
++++ sys/contrib/libnv/nvlist.c
+@@ -118,13 +118,6 @@
+
+ #define NVLIST_HEADER_MAGIC 0x6c
+ #define NVLIST_HEADER_VERSION 0x00
+-struct nvlist_header {
+- uint8_t nvlh_magic;
+- uint8_t nvlh_version;
+- uint8_t nvlh_flags;
+- uint64_t nvlh_descriptors;
+- uint64_t nvlh_size;
+-} __packed;
+
+ nvlist_t *
+ nvlist_create(int flags)
diff --git a/website/static/security/patches/EN-26:12/ensa-144.patch.asc b/website/static/security/patches/EN-26:12/ensa-144.patch.asc
new file mode 100644
index 0000000000..4c41ef8f55
--- /dev/null
+++ b/website/static/security/patches/EN-26:12/ensa-144.patch.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQJPBAABCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmn0xiobFIAAAAAABAAO
+bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvsj4QAKU6z5Bwr7Mz1EuIurfY
+KWC8nPyOciXn+b0pITMGZKKmYOOk3uhjcVwuQa3BRL0XGFEVm2b1GSO7exvSHTjo
+TUD/w80wyzjiqUV3T7LfXZD2hZKnIL3erCDKwgmXX3D5cSOjjKQPaDgb/ax0Jk+G
+/mccSWKg+4oMrISwcD2urimU5OZcvrgTNNksRnFtVlKb1bKttdTIERtcB40fb3G9
+6CAI6Gwpg/OzARHICC9GgMrrSvnaknL5peMLfTpwNBwdYJJLJLXuGVlugKnH46/3
+py5e1zdbR6Y/ieEhJpZ3bhHV38UZBgstVGCmtpMPVFXo7N6ustrBM+861CeLGez4
+ct9d8LcHMNoOGtFkzDsWL/Pp99TV8wYEVoVVZkx0dJv/awzmmasAN8q9KN4tlTzB
++4DHYIToTRdhghpp9aRm7ZCoShKARpbSp4XH1sOdj6t82MR/mIDQnvl+t7uw69oY
+Y3Ch+atdUuZAU+2RcxGPlcQJ4bhQ2UlXG1fZnyD6HeizkTCZaOlLn2aSmPtpv+bH
+nihTiuLFCPcpmdrNsj6ukVBBftpojF9Jufo4d95sKgOr1mImYWBJUjCIZjc3bHFL
+Qk/GnOSKgsD9UQjgtoQoQlZRmjTBlX04HqMgE4TBfjrnfb/5jezIlxE/TPpA4wrU
+/eawpZgNuXq1uaBn/w1aNBkE
+=rZUQ
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/EN-26:12/ensa-150.patch b/website/static/security/patches/EN-26:12/ensa-150.patch
new file mode 100644
index 0000000000..7adccac45b
--- /dev/null
+++ b/website/static/security/patches/EN-26:12/ensa-150.patch
@@ -0,0 +1,166 @@
+--- lib/libnv/tests/nvlist_send_recv_test.c.orig
++++ lib/libnv/tests/nvlist_send_recv_test.c
+@@ -1,5 +1,8 @@
+ /*-
++ * SPDX-License-Identifier: BSD-2-Clause
++ *
+ * Copyright (c) 2013 The FreeBSD Foundation
++ * Copyright (c) 2024-2026 Mariusz Zaborski
+ *
+ * This software was developed by Pawel Jakub Dawidek under sponsorship from
+ * the FreeBSD Foundation.
+@@ -27,6 +30,8 @@
+ */
+
+ #include
++#include
++#include
+ #include
+ #include
+ #include
+@@ -533,6 +538,59 @@
+ nvlist_send_recv__send_nvlist(SOCK_STREAM);
+ }
+
++/*
++ * Regression test for fd_wait(): the previous select(2)-based implementation
++ * called FD_SET() unconditionally, which is an out-of-bounds stack write when
++ * the socket fd is >= FD_SETSIZE. Force the socketpair fds above FD_SETSIZE
++ * and verify a full nvlist round-trip still works.
++ */
++ATF_TC_WITHOUT_HEAD(nvlist_send_recv__highfd);
++ATF_TC_BODY(nvlist_send_recv__highfd, tc)
++{
++ struct rlimit rl;
++ nvlist_t *nvl;
++ int socks[2], hi_send, hi_recv, status;
++ pid_t pid;
++
++ hi_send = FD_SETSIZE + 5;
++ hi_recv = FD_SETSIZE + 6;
++
++ rl.rlim_cur = rl.rlim_max = hi_recv + 1;
++ if (setrlimit(RLIMIT_NOFILE, &rl) != 0)
++ atf_tc_skip("cannot raise RLIMIT_NOFILE: %s", strerror(errno));
++
++ ATF_REQUIRE(socketpair(PF_UNIX, SOCK_STREAM, 0, socks) == 0);
++ ATF_REQUIRE(dup2(socks[0], hi_recv) == hi_recv);
++ ATF_REQUIRE(dup2(socks[1], hi_send) == hi_send);
++ (void)close(socks[0]);
++ (void)close(socks[1]);
++
++ pid = fork();
++ ATF_REQUIRE(pid >= 0);
++ if (pid == 0) {
++ /* Child: send. */
++ (void)close(hi_recv);
++ nvl = nvlist_create(0);
++ nvlist_add_string(nvl, "key", "value");
++ if (nvlist_send(hi_send, nvl) != 0)
++ err(EXIT_FAILURE, "nvlist_send");
++ nvlist_destroy(nvl);
++ _exit(0);
++ }
++
++ (void)close(hi_send);
++ nvl = nvlist_recv(hi_recv, 0);
++ ATF_REQUIRE(nvl != NULL);
++ ATF_REQUIRE(nvlist_error(nvl) == 0);
++ ATF_REQUIRE(nvlist_exists_string(nvl, "key"));
++ ATF_REQUIRE(strcmp(nvlist_get_string(nvl, "key"), "value") == 0);
++ nvlist_destroy(nvl);
++
++ ATF_REQUIRE(waitpid(pid, &status, 0) == pid);
++ ATF_REQUIRE(status == 0);
++ (void)close(hi_recv);
++}
++
+ ATF_TC_WITHOUT_HEAD(nvlist_send_recv__send_closed_fd__dgram);
+ ATF_TC_BODY(nvlist_send_recv__send_closed_fd__dgram, tc)
+ {
+@@ -608,6 +666,58 @@
+ }
+ }
+
++ATF_TC_WITHOUT_HEAD(nvlist_send_recv__overflow_big_endian_size);
++ATF_TC_BODY(nvlist_send_recv__overflow_big_endian_size, tc)
++{
++ static const unsigned char payload[] = {
++ 0x6c, /* magic */
++ 0x00, /* version */
++ 0x80, /* flags: NV_FLAG_BIG_ENDIAN */
++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf5,
++ };
++ nvlist_t *nvl;
++ int sv[2];
++
++ ATF_REQUIRE_EQ(socketpair(AF_UNIX, SOCK_STREAM, 0, sv), 0);
++ ATF_REQUIRE_EQ(write(sv[1], payload, sizeof(payload)),
++ (ssize_t)sizeof(payload));
++ ATF_REQUIRE_EQ(close(sv[1]), 0);
++
++ errno = 0;
++ nvl = nvlist_recv(sv[0], 0);
++ ATF_REQUIRE(nvl == NULL);
++ ATF_REQUIRE_EQ(errno, EINVAL);
++
++ ATF_REQUIRE_EQ(close(sv[0]), 0);
++}
++
++ATF_TC_WITHOUT_HEAD(nvlist_send_recv__overflow_little_endian_size);
++ATF_TC_BODY(nvlist_send_recv__overflow_little_endian_size, tc)
++{
++ static const unsigned char payload[] = {
++ 0x6c, /* magic */
++ 0x00, /* version */
++ 0x00, /* flags */
++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++ 0xf5, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
++ };
++ nvlist_t *nvl;
++ int sv[2];
++
++ ATF_REQUIRE_EQ(socketpair(AF_UNIX, SOCK_STREAM, 0, sv), 0);
++ ATF_REQUIRE_EQ(write(sv[1], payload, sizeof(payload)),
++ (ssize_t)sizeof(payload));
++ ATF_REQUIRE_EQ(close(sv[1]), 0);
++
++ errno = 0;
++ nvl = nvlist_recv(sv[0], 0);
++ ATF_REQUIRE(nvl == NULL);
++ ATF_REQUIRE_EQ(errno, EINVAL);
++
++ ATF_REQUIRE_EQ(close(sv[0]), 0);
++}
++
+ ATF_TC_WITHOUT_HEAD(nvlist_send_recv__invalid_fd_size);
+ ATF_TC_BODY(nvlist_send_recv__invalid_fd_size, tc)
+ {
+@@ -736,12 +846,15 @@
+
+ ATF_TP_ADD_TC(tp, nvlist_send_recv__send_nvlist__dgram);
+ ATF_TP_ADD_TC(tp, nvlist_send_recv__send_nvlist__stream);
++ ATF_TP_ADD_TC(tp, nvlist_send_recv__highfd);
+ ATF_TP_ADD_TC(tp, nvlist_send_recv__send_closed_fd__dgram);
+ ATF_TP_ADD_TC(tp, nvlist_send_recv__send_closed_fd__stream);
+ ATF_TP_ADD_TC(tp, nvlist_send_recv__send_many_fds__dgram);
+ ATF_TP_ADD_TC(tp, nvlist_send_recv__send_many_fds__stream);
+
+ ATF_TP_ADD_TC(tp, nvlist_send_recv__overflow_header_size);
++ ATF_TP_ADD_TC(tp, nvlist_send_recv__overflow_big_endian_size);
++ ATF_TP_ADD_TC(tp, nvlist_send_recv__overflow_little_endian_size);
+ ATF_TP_ADD_TC(tp, nvlist_send_recv__invalid_fd_size);
+ ATF_TP_ADD_TC(tp, nvlist_send_recv__overflow_fd_size);
+
+--- tests/sys/posixshm/posixshm_test.c.orig
++++ tests/sys/posixshm/posixshm_test.c
+@@ -1986,7 +1986,7 @@
+ error = sigaction(SIGSEGV, &sa, NULL);
+ ATF_REQUIRE(error == 0);
+
+- pscnt = pagesizes(ps, true);
++ pscnt = pagesizes(ps);
+
+ for (int i = 1; i < pscnt; i++) {
+ uint64_t val;
diff --git a/website/static/security/patches/EN-26:12/ensa-150.patch.asc b/website/static/security/patches/EN-26:12/ensa-150.patch.asc
new file mode 100644
index 0000000000..494c016118
--- /dev/null
+++ b/website/static/security/patches/EN-26:12/ensa-150.patch.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQJPBAABCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmn0xisbFIAAAAAABAAO
+bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvZdYQAIY0794gvo9DtJHT/h1Z
+y5ezNg6C3axx4X1Ug1dVGQoH/+isH/hvMzHM/826SaGFBlD65SM+pQeZb9sUeeA9
+N65cW1m3dt+k+SNfpZ583adcwQBGQuC1NvNUDyJJmEnozCWmmqXXBtciPEIQEZ9c
+AmsSlL/TBVw1ruWPQ8nA/5xpPUEjAEw5CoMej9KG7/xziaYr5wC1e27FiDA8Z3Ar
+LiA/NM+4FmgZQvUIRWCrzBhesdKFFYOl8QMriOrxucqCcp6bqzQGRi5izfnvFCYH
+aWvN1FFe99+EYiVH3aQ1SoEBJ8etVPSrlhuOfic0WIhWlwKeL9Yvx9Be04LpJcu6
+3KY8Yr1O7mxQv8Jtwd7OeXUha2mDBLIxMtYs70SKgo+m1vfvLPoUckIDDszgIgCk
+swZEWhuGKSQ1aAMx5+6eRESKnOqATLWV04MHuC+TTD2v5kQvI4lb/bna87wUDlbl
+zSQn7FCv5KITrkhuFSF7vmoTUmB6EBDmfDvI2LSUKiHPAOwh8WJE4L0JoF9xgP2d
+G8SsONb5gb8YghWtF1KbPQlobGLy44vqZ/o1QvAxs7wZxPDx2Rw66PpEVWHXZKjN
+iXTAxheUwEYqMykzp7AQXuGvxeXrxfc6SoMLib1VsiRC4SGnVGaincF0jjqbeWeG
+r7Nd/REiFerNNNgKJGLXa5N0
+=U/vY
+-----END PGP SIGNATURE-----