author Gordon Tetlow <gordon@FreeBSD.org> 2019-05-14 23:48:52 +0000
committer Gordon Tetlow <gordon@FreeBSD.org> 2019-05-14 23:48:52 +0000
commit b9b9eea0f4656a51843a75af16e004a2061162c4
tree e07fbd702d53fcf9587b33457cb7c298bab616a8 /share/security/advisories
parent 2a48f90e8baf0d3947271d39ba48f61fcd8b8087
Add SA-19:03 to SA-19:07 and EN-19:08 to EN-19:10.
Approved by: so
Notes: svn path=/head/; revision=53023
Diffstat (limited to 'share/security/advisories')
-rw-r--r-- share/security/advisories/FreeBSD-EN-19:08.tzdata.asc 146
-rw-r--r-- share/security/advisories/FreeBSD-EN-19:09.xinstall.asc 128
-rw-r--r-- share/security/advisories/FreeBSD-EN-19:10.scp.asc 125
-rw-r--r-- share/security/advisories/FreeBSD-SA-19:03.wpa.asc 154
-rw-r--r-- share/security/advisories/FreeBSD-SA-19:04.ntp.asc 146
-rw-r--r-- share/security/advisories/FreeBSD-SA-19:05.pf.asc 134
-rw-r--r-- share/security/advisories/FreeBSD-SA-19:06.pf.asc 134
-rw-r--r-- share/security/advisories/FreeBSD-SA-19:07.mds.asc 198
8 files changed, 1165 insertions, 0 deletions
diff --git a/share/security/advisories/FreeBSD-EN-19:08.tzdata.asc b/share/security/advisories/FreeBSD-EN-19:08.tzdata.asc
new file mode 100644
index 0000000000..a9a2584008
--- /dev/null
+++ b/share/security/advisories/FreeBSD-EN-19:08.tzdata.asc
@@ -0,0 +1,146 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-19:08.tzdata Errata Notice
+ The FreeBSD Project
+
+Topic: Timezone database information update
+
+Category: contrib
+Module: zoneinfo
+Announced: 2019-01-09
+Affects: All supported versions of FreeBSD.
+Corrected: 2019-03-29 01:39:20 UTC (stable/12, 12.0-STABLE)
+ 2019-05-14 22:48:36 UTC (releng/12.0, 12.0-RELEASE-p4)
+ 2019-01-01 01:40:44 UTC (stable/11, 11.3-PRERELEASE)
+ 2019-05-14 22:48:36 UTC (releng/11.2, 11.2-RELEASE-p10)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+The tzsetup(8) program allows the user to specify the default local timezone.
+Based on the selected timezone, tzsetup(8) copies one of the files from
+/usr/share/zoneinfo to /etc/localtime. This file actually controls the
+conversion.
+
+II. Problem Description
+
+Several changes in Daylight Savings Time happened after previous FreeBSD
+releases were released that would affect many people who live in different
+countries. Because of these changes, the data in the zoneinfo files need to
+be updated, and if the local timezone on the running system is affected,
+tzsetup(8) needs to be run so the /etc/localtime is updated.
+
+III. Impact
+
+An incorrect time will be displayed on a system configured to use one of the
+affected timezones if the /usr/share/zoneinfo and /etc/localtime files are
+not updated, and all applications on the system that rely on the system time,
+such as cron(8) and syslog(8), will be affected.
+
+IV. Workaround
+
+The system administrator can install an updated timezone database from the
+misc/zoneinfo port and run tzsetup(8) to get the timezone database corrected.
+
+Applications that store and display times in Coordinated Universal Time (UTC)
+are not affected.
+
+V. Solution
+
+Please note that some third party software, for instance PHP, Ruby, Java and
+Perl, may be using different zoneinfo data source, in such cases this
+software must be updated separately. For software packages that is installed
+via binary packages, they can be upgraded by executing `pkg upgrade'.
+
+Following the instructions in this Errata Notice will update all of the
+zoneinfo files to be the same as what was released with FreeBSD release.
+
+Perform one of the following:
+
+1) Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date. Restart all the affected
+applications and daemons, or reboot the system.
+
+2) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+Restart all the affected applications and daemons, or reboot the system.
+
+3) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-19:08/tzdata-2019a.patch
+# fetch https://security.FreeBSD.org/patches/EN-19:08/tzdata-2019a.patch.asc
+# gpg --verify tzdata-2019a.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart all the affected applications and daemons, or reboot the system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/12/ r345669
+releng/12.0/ r347584
+stable/11/ r345670
+releng/11.2/ r347584
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-19:08.tzdata.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=69LY
+-----END PGP SIGNATURE-----
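Review bot: The Announced field reads 2019-01-09, which is earlier than the stable/12 correction (2019-03-29) and both releng corrections (2019-05-14) listed directly below it, and differs from the 2019-05-14 used by the other notices added in this commit; it looks carried over from an earlier tzdata notice and should probably be 2019-05-14. In section V, "the same as what was released with FreeBSD release" does not say which release; naming the tzdata version (the patch file is tzdata-2019a.patch) would make the statement checkable.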
diff --git a/share/security/advisories/FreeBSD-EN-19:09.xinstall.asc b/share/security/advisories/FreeBSD-EN-19:09.xinstall.asc
new file mode 100644
index 0000000000..49d63b9921
--- /dev/null
+++ b/share/security/advisories/FreeBSD-EN-19:09.xinstall.asc
@@ -0,0 +1,128 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-19:09.xinstall Errata Notice
+ The FreeBSD Project
+
+Topic: install(1) broken with partially matching relative paths
+
+Category: core
+Module: xinstall
+Announced: 2019-05-14
+Affects: All supported versions of FreeBSD
+Corrected: 2019-02-16 04:48:30 UTC (stable/12, 12.0-STABLE)
+ 2019-05-14 22:51:49 UTC (releng/12.0, 12.0-RELEASE-p4)
+ 2019-02-16 04:49:10 UTC (stable/11, 11.3-PRERELEASE)
+ 2019-05-14 22:51:49 UTC (releng/11.2, 11.2-RELEASE-p10)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+The install(1) utility installs files and links, optionally calculating
+relative paths for an installed symbolic link.
+
+II. Problem Description
+
+Due to an issue in the way install(1) determines common components of the
+source and target paths, the relative link may be incorrectly calculated and
+drop a component of the link because a partial match existed on that
+component.
+
+III. Impact
+
+The ports tree and other software very frequently use install(1) to create
+relative symlinks without checking whether a partial match of the path
+exists that would result in such a truncation.
+
+IV. Workaround
+
+No workaround is available, but using install(1) to install non-relative
+links and files is unaffected.
+
+V. Solution
+
+Perform one of the following:
+
+1) Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+2) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+3) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-19:09/xinstall.patch
+# fetch https://security.FreeBSD.org/patches/EN-19:09/xinstall.patch.asc
+# gpg --verify xinstall.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/12/ r344205
+releng/12.0/ r347585
+stable/11/ r344206
+releng/11.2/ r347585
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=235330>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-19:09.xinstall.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=t05i
+-----END PGP SIGNATURE-----
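Review bot: Section III (Impact) says how often install(1) is used to create relative symlinks but never states the consequence for the reader. Carry the result from section II into it, for example that the installed link drops a path component and no longer resolves to the intended target, so administrators and port maintainers can judge whether they are affected.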
diff --git a/share/security/advisories/FreeBSD-EN-19:10.scp.asc b/share/security/advisories/FreeBSD-EN-19:10.scp.asc
new file mode 100644
index 0000000000..bd1e18dd6f
--- /dev/null
+++ b/share/security/advisories/FreeBSD-EN-19:10.scp.asc
@@ -0,0 +1,125 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-19:10.scp Errata Notice
+ The FreeBSD Project
+
+Topic: Insufficient filename validation in scp(1) client
+
+Category: contrib
+Module: scp
+Announced: 2019-05-14
+Affects: All supported versions of FreeBSD.
+Corrected: 2019-05-07 19:48:39 UTC (stable/12, 12.0-STABLE)
+ 2019-05-14 22:54:17 UTC (releng/12.0, 12.0-RELEASE-p10)
+CVE Name: CVE-2019-6111
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+scp(1) is a file transfer protocol running over an SSH session.
+
+II. Problem Description
+
+The scp(1) client implementation fails to verify if the objects returned by
+the server match what was requested.
+
+III. Impact
+
+A malicious scp server can write arbitrary files to the client.
+
+IV. Workaround
+
+Switch to using the sftp(1) client, if possible.
+
+V. Solution
+
+Note: While stable/11 and its release branches are currently affected by this
+errata, due to the lack of patches, no fix is currently available for
+stable/11. We are currently evaluating a backport for these fixes to
+stable/11.
+
+Perform one of the following:
+
+1) Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+2) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+3) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 12.0]
+# fetch https://security.FreeBSD.org/patches/EN-19:10/scp.patch
+# fetch https://security.FreeBSD.org/patches/EN-19:10/scp.patch.asc
+# gpg --verify scp.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/12/ r347232
+releng/12.0/ r347586
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-19:10.scp.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=2h+W
+-----END PGP SIGNATURE-----
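Review bot: The Corrected line for releng/12.0 gives 12.0-RELEASE-p10, while every other notice in this commit lists releng/12.0 as 12.0-RELEASE-p4 and uses p10 only for releng/11.2; this looks like a typo for p4. Separately, Affects says "All supported versions of FreeBSD." but Corrected and the revision table in section VI cover only the 12 branches, so the stable/11 note now in section V would be easier to find if it were also reflected near the header.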
diff --git a/share/security/advisories/FreeBSD-SA-19:03.wpa.asc b/share/security/advisories/FreeBSD-SA-19:03.wpa.asc
new file mode 100644
index 0000000000..219ebfd1d9
--- /dev/null
+++ b/share/security/advisories/FreeBSD-SA-19:03.wpa.asc
@@ -0,0 +1,154 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-19:03.wpa Security Advisory
+ The FreeBSD Project
+
+Topic: Multiple vulnerabilities in hostapd and wpa_supplicant
+
+Category: contrib
+Module: wpa
+Announced: 2019-05-14
+Affects: All supported versions of FreeBSD.
+Corrected: 2019-05-01 01:42:38 UTC (stable/12, 12.0-STABLE)
+ 2019-05-14 22:57:29 UTC (releng/12.0, 12.0-RELEASE-p4)
+ 2019-05-01 01:43:17 UTC (stable/11, 11.2-STABLE)
+ 2019-05-14 22:59:32 UTC (releng/11.2, 11.2-RELEASE-p10)
+CVE Name: CVE-2019-9494, CVE-2019-9495, CVE-2019-9496, CVE-2019-9497,
+ CVE-2019-9498, CVE-2019-9499, CVE-2019-11555
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+Wi-Fi Protected Access II (WPA2) is a security protocol developed by the
+Wi-Fi Alliance to secure wireless computer networks.
+
+hostapd(8) and wpa_supplicant(8) are implementations of user space daemon for
+access points and wireless client that implements the WPA2 protocol.
+
+II. Problem Description
+
+Multiple vulnerabilities exist in the hostapd(8) and wpa_supplicant(8)
+implementations. For more details, please see the reference URLs in the
+References section below.
+
+III. Impact
+
+Security of the wireless network may be compromised. For more details,
+please see the reference URLS in the References section below.
+
+IV. Workaround
+
+No workaround is available, but systems not using hostapd(8) or
+wpa_supplicant(8) are not affected.
+
+V. Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+Afterwards, restart hostapd(8) or wpa_supplicant(8).
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+Afterwards, restart hostapd(8) or wpa_supplicant(8).
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 12.0]
+# fetch https://security.FreeBSD.org/patches/SA-19:03/wpa-12.patch
+# fetch https://security.FreeBSD.org/patches/SA-19:03/wpa-12.patch.asc
+# gpg --verify wpa-12.patch.asc
+
+[FreeBSD 11.2]
+# fetch https://security.FreeBSD.org/patches/SA-19:03/wpa-11.patch
+# fetch https://security.FreeBSD.org/patches/SA-19:03/wpa-11.patch.asc
+# gpg --verify wpa-11.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart the applicable daemons, or reboot the system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/12/ r346980
+releng/12.0/ r347587
+stable/11/ r346981
+releng/11.2/ r347588
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://w1.fi/security/2019-1>
+<URL:https://w1.fi/security/2019-2>
+<URL:https://w1.fi/security/2019-3>
+<URL:https://w1.fi/security/2019-4>
+<URL:https://w1.fi/security/2019-5>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9494>
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9495>
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9496>
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9497>
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9498>
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9499>
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11555>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:03.wpa.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=MXma
+-----END PGP SIGNATURE-----
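Review bot: The Corrected line labels stable/11 as 11.2-STABLE, whereas the other notices in this commit label the same branch 11.3-PRERELEASE; pick one so the version strings agree across the batch. Also, "reference URLS" in section III should match "reference URLs" in section II.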
diff --git a/share/security/advisories/FreeBSD-SA-19:04.ntp.asc b/share/security/advisories/FreeBSD-SA-19:04.ntp.asc
new file mode 100644
index 0000000000..de2dd01682
--- /dev/null
+++ b/share/security/advisories/FreeBSD-SA-19:04.ntp.asc
@@ -0,0 +1,146 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-19:04.ntp Security Advisory
+ The FreeBSD Project
+
+Topic: Authenticated denial of service in ntpd
+
+Category: contrib
+Module: ntp
+Announced: 2019-05-14
+Credits: Magnus Stubman
+Affects: All supported versions of FreeBSD
+Corrected: 2019-03-07 13:45:36 UTC (stable/12, 12.0-STABLE)
+ 2019-05-14 23:02:56 UTC (releng/12.0, 12.0-RELEASE-p4)
+ 2019-03-07 13:45:36 UTC (stable/11, 11.3-PRERELEASE)
+ 2019-05-14 23:06:26 UTC (releng/11.2, 11.2-RELEASE-p10)
+CVE Name: CVE-2019-8936
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+The ntpd(8) daemon is an implementation of the Network Time Protocol
+(NTP) used to synchronize the time of a computer system to a reference
+time source. The ntpd(8) daemon uses a protocol called mode 6 to both get
+status information from the running ntpd(8) daemon and configure it on the
+fly. This protocol is typically used by the ntpq(8) program, among others.
+
+II. Problem Description
+
+A crafted malicious authenticated mode 6 packet from a permitted network
+address can trigger a NULL pointer dereference.
+
+Note for this attack to work, the sending system must be on an address from
+which the target ntpd(8) accepts mode 6 packets, and must use a private key
+that is specifically listed as being used for mode 6 authorization.
+
+III. Impact
+
+The ntpd daemon can crash due to the NULL pointer dereference, causing a
+denial of service.
+
+IV. Workaround
+
+Use 'restrict noquery' in the ntpd configuration to limit addresses that
+can send mode 6 queries.
+
+V. Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+Afterwards, restart the ntpd service:
+# service ntpd restart
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 12.0]
+# fetch https://security.FreeBSD.org/patches/SA-19:04/ntp.patch
+# fetch https://security.FreeBSD.org/patches/SA-19:04/ntp.patch.asc
+# gpg --verify ntp.patch.asc
+
+[FreeBSD 11.2-RELEASE/11.3-PRERELEASE]
+# fetch https://security.FreeBSD.org/patches/SA-19:04/ntp-11.2.patch
+# fetch https://security.FreeBSD.org/patches/SA-19:04/ntp-11.2.patch.asc
+# gpg --verify ntp-11.2.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart the ntpd service, or reboot the system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/12/ r344884
+releng/12.0/ r347589
+stable/11/ r344884
+releng/11.2/ r347590
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:http://support.ntp.org/bin/view/Main/SecurityNotice#March_2019_ntp_4_2_8p13_NTP_Rele>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8936>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:04.ntp.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=o9t5
+-----END PGP SIGNATURE-----
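Review bot: Option 1 in section V (upgrade to a stable or releng branch) has no restart step, while options 2 and 3 both tell the reader to restart ntpd; a daemon left running after the upgrade keeps executing the old code. Add "Afterwards, restart the ntpd service" under option 1 as well. The Workaround in section IV could also show the directive on a complete restrict line, since 'restrict noquery' alone does not say which addresses it applies to.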
diff --git a/share/security/advisories/FreeBSD-SA-19:05.pf.asc b/share/security/advisories/FreeBSD-SA-19:05.pf.asc
new file mode 100644
index 0000000000..90a1fe7706
--- /dev/null
+++ b/share/security/advisories/FreeBSD-SA-19:05.pf.asc
@@ -0,0 +1,134 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-19:05.pf Security Advisory
+ The FreeBSD Project
+
+Topic: IPv6 fragment reassembly panic in pf(4)
+
+Category: contrib
+Module: pf
+Announced: 2019-05-14
+Credits: Synacktiv
+Affects: All supported versions of FreeBSD
+Corrected: 2019-03-01 18:12:05 UTC (stable/12, 12.0-STABLE)
+ 2019-05-14 23:10:21 UTC (releng/12.0, 12.0-RELEASE-p4)
+ 2019-03-01 18:12:07 UTC (stable/11, 11.3-PRERELEASE)
+ 2019-05-14 23:10:21 UTC (releng/11.2, 11.2-RELEASE-p10)
+CVE Name: CVE-2019-5597
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+pf(4) is an Internet Protocol packet filter originally written for OpenBSD.
+In addition to filtering packets, it also has packet normalization
+capabilities.
+
+II. Problem Description
+
+A bug in the pf(4) IPv6 fragment reassembly logic incorrectly uses the last
+extension header offset from the last received packet instead of from the
+first packet.
+
+III. Impact
+
+Malicious IPv6 packets with different IPv6 extensions could cause a kernel
+panic or potentially a filtering rule bypass.
+
+IV. Workaround
+
+Only systems leveraging the pf(4) firewall and include packet scrubbing using
+the recommended 'scrub all in' or similar are affected.
+
+V. Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+Afterwards, reboot the system.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+Afterwards, reboot the system.
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-19:05/pf.patch
+# fetch https://security.FreeBSD.org/patches/SA-19:05/pf.patch.asc
+# gpg --verify pf.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/12/ r344706
+releng/12.0/ r347591
+stable/11/ r344707
+releng/11.2/ r347591
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://www.synacktiv.com/ressources/Synacktiv_OpenBSD_PacketFilter_CVE-2019-5597_ipv6_frag.pdf>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5597>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:05.pf.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=0alQ
+-----END PGP SIGNATURE-----
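Review bot: Section IV (Workaround) does not say whether a workaround exists; it only describes which configurations are affected, and the sentence does not parse ("leveraging the pf(4) firewall and include packet scrubbing"). Follow the pattern of the other notices in this commit: state explicitly either that no workaround is available or that removing the scrub rule is an acceptable mitigation, then add that systems not using pf(4) with 'scrub all in' or similar are not affected.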
diff --git a/share/security/advisories/FreeBSD-SA-19:06.pf.asc b/share/security/advisories/FreeBSD-SA-19:06.pf.asc
new file mode 100644
index 0000000000..e137475380
--- /dev/null
+++ b/share/security/advisories/FreeBSD-SA-19:06.pf.asc
@@ -0,0 +1,134 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-19:06.pf Security Advisory
+ The FreeBSD Project
+
+Topic: ICMP/ICMP6 packet filter bypass in pf
+
+Category: contrib
+Module: pf
+Announced: 2019-05-14
+Credits: Synacktiv
+Affects: All supported versions of FreeBSD
+Corrected: 2019-03-21 14:17:10 UTC (stable/12, 12.0-STABLE)
+ 2019-05-14 23:12:22 UTC (releng/12.0, 12.0-RELEASE-p4)
+ 2019-03-21 14:17:12 UTC (stable/11, 11.3-PRERELEASE)
+ 2019-05-14 23:12:22 UTC (releng/11.2, 11.2-RELEASE-p10)
+CVE Name: CVE-2019-5598
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+pf(4) is an Internet Protocol packet filter originally written for OpenBSD.
+In addition to filtering packets, it also has packet normalization
+capabilities.
+
+II. Problem Description
+
+States in pf(4) let ICMP and ICMP6 packets pass if they have a packet in
+their payload matching an existing condition. pf(4) does not check if the
+outer ICMP or ICMP6 packet has the same destination IP as the source IP of
+the inner protocol packet.
+
+III. Impact
+
+A maliciously crafted ICMP/ICMP6 packet could bypass the packet filter rules
+and be passed to a host that would otherwise be unavailable.
+
+IV. Workaround
+
+No workaround is available.
+
+V. Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+Afterwards, reboot the system.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+Afterwards, reboot the system.
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-19:06/pf.patch
+# fetch https://security.FreeBSD.org/patches/SA-19:06/pf.patch.asc
+# gpg --verify pf.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/12/ r345377
+releng/12.0/ r347593
+stable/11/ r345378
+releng/11.2/ r347593
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://www.synacktiv.com/posts/systems/icmp-reachable.html>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5598>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:06.pf.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=m3as
+-----END PGP SIGNATURE-----
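Review bot: Step 3a verifies with `gpg --verify pf.patch.asc`, which names only the signature and leaves gpg to infer the signed file from the name. Naming both files (`gpg --verify pf.patch.asc pf.patch`) makes explicit which download is being checked. Step 3b then switches to the placeholder `/path/to/patch` instead of the `pf.patch` that was just fetched and verified, so nothing in the text ties the file being applied to the file whose signature was checked; carrying the filename through would close that gap. In the correction table, releng/12.0 and releng/11.2 both list r347593 while the stable branches have distinct revisions; worth confirming that a single revision covers both releng branches.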
diff --git a/share/security/advisories/FreeBSD-SA-19:07.mds.asc b/share/security/advisories/FreeBSD-SA-19:07.mds.asc
new file mode 100644
index 0000000000..42ca84a7c8
--- /dev/null
+++ b/share/security/advisories/FreeBSD-SA-19:07.mds.asc
@@ -0,0 +1,198 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-19:07.mds Security Advisory
+ The FreeBSD Project
+
+Topic: Microarchitectural Data Sampling (MDS)
+
+Category: core
+Module: kernel
+Announced: 2019-05-14
+Credits: Refer to Intel's security advisory at the URL below for
+ detailed acknowledgements.
+Affects: All supported versions of FreeBSD.
+Corrected: 2019-05-14 17:04:00 UTC (stable/12, 12.0-STABLE)
+ 2019-05-14 23:19:08 UTC (releng/12.0, 12.0-RELEASE-p4)
+ 2019-05-14 17:05:02 UTC (stable/11, 11.3-PRERELEASE)
+ 2019-05-14 23:20:16 UTC (releng/11.2, 11.2-RELEASE-p10)
+CVE Name: CVE-2018-12126, CVE-2018-12127, CVE-2018-12130,
+ CVE-2019-11091
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+Modern processors make use of speculative execution, an optimization
+technique which performs some action in advance of knowing whether the
+result will actually be used.
+
+II. Problem Description
+
+On some Intel processors utilizing speculative execution a local process may
+be able to infer stale information from microarchitectural buffers to obtain
+a memory disclosure.
+
+III. Impact
+
+An attacker may be able to read secret data from the kernel or from a
+process when executing untrusted code (for example, in a web browser).
+
+IV. Workaround
+
+No workaround is available.
+
+Systems with users or processors in different trust domains should disable
+Hyper-Threading by setting the machdep.hyperthreading_allowed tunable to 0:
+
+# echo 'machdep.hyperthreading_allowed=0 >> /boot/loader.conf'
+# shutdown
+
+V. Solution
+
+Perform one of the following:
+
+Update CPU microcode, upgrade your vulnerable system to a supported FreeBSD
+stable or release / security branch (releng) dated after the correction date,
+evaluate mitigation and Hyper Threading controls, and reboot the system.
+
+New CPU microcode may be available in a BIOS update from your system vendor,
+or by installing the devcpu-data package or sysutils/devcpu-data port.
+Ensure that the BIOS update or devcpu-data package is dated after 2014-05-14.
+
+If using the package or port the microcode update can be applied at boot time
+by adding the following lines to the system's /boot/loader.conf:
+
+cpu_microcode_load="YES"
+cpu_microcode_name="/boot/firmware/intel-ucode.bin"
+
+Microcode updates can also be applied while the system is running. See
+cpucontrol(8) for details.
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+Follow additional details under "Mitigation Configuration" below.
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 12.0-STABLE]
+# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12-stable.patch
+# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12-stable.patch.asc
+# gpg --verify mds.12-stable.patch.asc
+
+[FreeBSD 12.0-RELEASE]
+# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12.0.patch
+# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12.0.patch.asc
+# gpg --verify mds.12.0.patch.asc
+
+[FreeBSD 11.3-PRERELEASE]
+# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11-stable.patch
+# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11-stable.patch.asc
+# gpg --verify mds.11-stable.patch.asc
+
+[FreeBSD 11.2-RELEASE]
+# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11.2.patch
+# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11.2.patch.asc
+# gpg --verify mds.11.2.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html>.
+
+Mitigation Configuration
+
+Systems with users, processes, or virtual machines in different trust
+domains should disable Hyper-Threading by setting the
+machdep.hyperthreading_allowed tunable to 0:
+
+# echo machdep.hyperthreading_allowed=0 >> /boot/loader.conf
+
+To activate the MDS mitigation set the hw.mds_disable sysctl. The settings
+are:
+
+0 - mitigation disabled
+1 - VERW instruction (microcode) mitigation enabled
+2 - Software sequence mitigation enabled (not recommended)
+3 - Automatic VERW or Software selection
+
+Automatic mode uses the VERW instruction if supported by the CPU / microcode,
+or software sequences if not. To enable automatic mode at boot:
+
+# echo hw.mds_disable=3 >> /etc/sysctl.conf
+
+Reboot the system:
+
+# shutdown -r +10min "Security update"
+
+Check the mitigation status:
+
+# sysctl hw.mds_disable_state
+hw.mds_disable_state: software Silvermont
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/12/ r347567
+releng/12.0/ r346594
+stable/11/ r347568
+releng/11.2/ r347595
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00233.html>
+<URL:https://www.intel.com/content/www/us/en/architecture-and-technology/mds.html>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:07.mds.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=QUYl
+-----END PGP SIGNATURE-----
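Review bot: The workaround command in section IV has its closing quote after the redirection (`# echo 'machdep.hyperthreading_allowed=0 >> /boot/loader.conf'`), so the whole string is printed to the terminal and nothing is appended to /boot/loader.conf; an administrator following it would reboot with Hyper-Threading still enabled. The form under "Mitigation Configuration" (`# echo machdep.hyperthreading_allowed=0 >> /boot/loader.conf`) is the working one and should be used in both places. The same section follows it with a bare `# shutdown`, where the later text uses `shutdown -r +10min "Security update"`, and it opens with "No workaround is available." immediately before describing one. Other points in this hunk: "dated after 2014-05-14" in section V does not match the 2019-05-14 announcement date and looks like a typo in the year; section IV says "users or processors in different trust domains" where the mitigation section says "users, processes, or virtual machines"; and releng/12.0 is listed as r346594, well out of sequence with r347567, r347568 and r347595 for the other branches, so that revision number should be checked. The sample output `hw.mds_disable_state: software Silvermont` would also benefit from a sentence saying what a VERW-capable system is expected to report.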