author: Gordon Tetlow <gordon@FreeBSD.org> 2019-08-06 17:31:19 +0000
committer: Gordon Tetlow <gordon@FreeBSD.org> 2019-08-06 17:31:19 +0000
commit: c0889e8ec6e1283b90c00c217e2eeed8d8d42867
tree: b9e69443b181934d6993cebab1fc394925e09ccf /share/security
parent: 5d8fe221ffa13462d5795aa03475b385e13f004b
Add EN-19:14, EN-19:15, and SA-19:18 to SA-19:21.
Approved by: so
Notes: svn path=/head/; revision=53296
Diffstat (limited to 'share/security')
-rw-r--r-- share/security/advisories/FreeBSD-EN-19:14.epoch.asc 125
-rw-r--r-- share/security/advisories/FreeBSD-EN-19:15.libunwind.asc 130
-rw-r--r-- share/security/advisories/FreeBSD-SA-19:18.bzip2.asc 144
-rw-r--r-- share/security/advisories/FreeBSD-SA-19:19.mldv2.asc 137
-rw-r--r-- share/security/advisories/FreeBSD-SA-19:20.bsnmp.asc 131
-rw-r--r-- share/security/advisories/FreeBSD-SA-19:21.bhyve.asc 142
-rw-r--r-- share/security/patches/EN-19:14/epoch.patch 87
-rw-r--r-- share/security/patches/EN-19:14/epoch.patch.asc 18
-rw-r--r-- share/security/patches/EN-19:15/libunwind.patch 13
-rw-r--r-- share/security/patches/EN-19:15/libunwind.patch.asc 18
-rw-r--r-- share/security/patches/SA-19:18/bzip2.patch 490
-rw-r--r-- share/security/patches/SA-19:18/bzip2.patch.asc 18
-rw-r--r-- share/security/patches/SA-19:19/mldv2.11.patch 138
-rw-r--r-- share/security/patches/SA-19:19/mldv2.11.patch.asc 18
-rw-r--r-- share/security/patches/SA-19:19/mldv2.12.patch 138
-rw-r--r-- share/security/patches/SA-19:19/mldv2.12.patch.asc 18
-rw-r--r-- share/security/patches/SA-19:20/bsnmp.patch 14
-rw-r--r-- share/security/patches/SA-19:20/bsnmp.patch.asc 18
-rw-r--r-- share/security/patches/SA-19:21/bhyve.patch 103
-rw-r--r-- share/security/patches/SA-19:21/bhyve.patch.asc 18

20 files changed, 1918 insertions, 0 deletions
diff --git a/share/security/advisories/FreeBSD-EN-19:14.epoch.asc b/share/security/advisories/FreeBSD-EN-19:14.epoch.asc
new file mode 100644
index 0000000000..079671b589
--- /dev/null
+++ b/share/security/advisories/FreeBSD-EN-19:14.epoch.asc
@@ -0,0 +1,125 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-19:14.epoch Errata Notice
+ The FreeBSD Project
+
+Topic: Incorrect locking in epoch(9)
+
+Category: core
+Module: kernel
+Announced: 2019-08-06
+Credits: Mark Johnston
+Affects: FreeBSD 12.0
+Corrected: 2019-07-27 16:11:04 UTC (stable/12, 12.0-STABLE)
+ 2019-08-06 17:07:43 UTC (releng/12.0, 12.0-RELEASE-p9)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+Some parts of the kernel use a new synchronization primitive, epoch(9),
+which can be used to implement safe memory reclamation. In this usage,
+threads can use the epoch(9) KPI to ensure that no other threads hold
+a reference to a given object in memory.
+
+II. Problem Description
+
+In the case where epoch(9) must wait for a thread that is blocked on
+a lock, it will use the turnstile(9) KPI to propagate the current
+thread's priority to the lock holder. However, in the case where the
+lock has no designated owner - for example, it is a reader-writer lock
+owned by one or more readers - a bug in the interaction with the
+turnstile meant that pair of spin locks were left locked when they
+should have been unlocked.
+
+III. Impact
+
+In rare cases and under heavy load, the kernel may panic or lock up.
+
+IV. Workaround
+
+No workaround is available.
+
+V. Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date, and reboot.
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for errata update"
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-19:14/epoch.patch
+# fetch https://security.FreeBSD.org/patches/EN-19:14/epoch.patch.asc
+# gpg --verify epoch.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/12/ r350373
+releng/12.0/ r350641
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-19:14.epoch.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=pBEN
+-----END PGP SIGNATURE-----
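Review bot: In section II (Problem Description) the phrase "meant that pair of spin locks were left locked" is missing an article and has a number mismatch; suggest "meant that a pair of spin locks was left locked when it should have been unlocked". Since the text is inside the clearsigned body, the wording has to be settled before signing, as any later edit invalidates the signature.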
diff --git a/share/security/advisories/FreeBSD-EN-19:15.libunwind.asc b/share/security/advisories/FreeBSD-EN-19:15.libunwind.asc
new file mode 100644
index 0000000000..89f82f720c
--- /dev/null
+++ b/share/security/advisories/FreeBSD-EN-19:15.libunwind.asc
@@ -0,0 +1,130 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-19:15.libunwind Errata Notice
+ The FreeBSD Project
+
+Topic: Incorrect exception handling
+
+Category: contrib
+Module: libunwind
+Announced: 2019-08-06
+Affects: FreeBSD 11.2, FreeBSD 12.0
+Corrected: 2019-08-06 17:08:30 UTC (releng/12.0, 12.0-RELEASE-p9)
+ 2019-08-06 17:08:30 UTC (releng/11.2, 11.2-RELEASE-p13)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+The libunwind library, which originates from the LLVM project, is responsible
+for handling the unwinding of stack frames, when programs throw C or C++
+style exceptions. It uses exception handling information embedded in the
+executable file to determine the layout of the stack, at the time the
+exception is being processed.
+
+II. Problem Description
+
+In some cases, the exception handling information embedded in executables is
+not correctly interpreted by libunwind. This causes it to emit a runtime
+error, and abort the affected program.
+
+III. Impact
+
+Affected programs will show an message on the standard error stream, when
+they attempt to throw an exception:
+
+libunwind: getEncodedP \
+ /usr/src/contrib/llvm/projects/libunwind/src/AddressSpace.hpp:280 - \
+ unknown pointer encoding
+
+After this message, the program will be aborted using the abort(3) function,
+which usually results in a core dump.
+
+IV. Workaround
+
+No workaround is available.
+
+V. Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date, and reboot.
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-19:15/libunwind.patch
+# fetch https://security.FreeBSD.org/patches/EN-19:15/libunwind.patch.asc
+# gpg --verify libunwind.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>, and
+reboot the system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+releng/12.0/ r350642
+releng/11.2/ r350642
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=234201>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-19:15.libunwind.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl1Jt0pfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cJOkQ/+N8Esx4GPWNOzNOGJAnBgtujVeCDjbubny9ktMElEw6mZJKWqcgFmG1bm
+hdz5iAz6xn/W6Y5fUR07aM6KFLTN7Is0LqaC+4mWFgbmPu9t0DVgjjsSHAJk6+fu
+NpkSMDYq0tUqhNUFlP36EoTHUuM7KlD3/a1dlGZwSOmT3tQitosD8MYNm8bXdsiG
+Fx8xXJz8l7qtSw5a1HI2yrRmR7hZHEblGVDP1BjU+QVh7O+0oTeSWHjtriCeYXOl
+KUNypPNU5HTySLI0XE+wXJ8S3SblmCOJSdEy/EDZYd8KxG2ib+abn6KdewQl0dIL
+0evKaSeIfrVyHfbQporrUotpuTgHrxdD63vowtyH4fL/JzNmw38ZBRzu/4Lib4eF
+uaMr7IXyUvifJRBNHCSV5waEQXdcaZ4/YiNg93kiBCC1FhqKEEel0TLARTqtCEVu
+ByQVjjZ5v45OAq74uFSYfnSReLt96VnQFD8J5JIKlYaR145tSUKzgetUy+iekjq2
+7sRr0kh7lGFFNoOhbFDBURr3HrFgfpWgRA12/AuAVelXPTG4ik8tU6X/vNlvysK6
+TJel41R8++MPUQuaQPU9KfUiAycvV4P9/hHEodnjhNY7NaWkXaP+fJpxCtctcFGd
+eIcI3nIoJX+6W2KjZkJcrbuZsqkVSsz0MXgfLNuoNZruzdppLAY=
+=Sq9+
+-----END PGP SIGNATURE-----
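Review bot: The binary-update steps under V.1 end at "freebsd-update install" even though the Solution paragraph above them says to upgrade "and reboot"; FreeBSD-EN-19:14 in this same commit carries a "shutdown -r +10min" line at that point, so either add the same line here or drop "and reboot" from the lead paragraph if a reboot is only needed after the source build in step 2c. Separately, section III reads "will show an message", which should be "a message".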
diff --git a/share/security/advisories/FreeBSD-SA-19:18.bzip2.asc b/share/security/advisories/FreeBSD-SA-19:18.bzip2.asc
new file mode 100644
index 0000000000..fe300211c9
--- /dev/null
+++ b/share/security/advisories/FreeBSD-SA-19:18.bzip2.asc
@@ -0,0 +1,144 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-19:18.bzip2 Security Advisory
+ The FreeBSD Project
+
+Topic: Multiple vulnerabilities in bzip2
+
+Category: contrib
+Module: bzip2
+Announced: 2019-08-06
+Affects: All supported versions of FreeBSD.
+Corrected: 2019-07-04 07:29:18 UTC (stable/12, 12.0-STABLE)
+ 2019-08-06 17:09:47 UTC (releng/12.0, 12.0-RELEASE-p9)
+ 2019-07-04 07:32:25 UTC (stable/11, 11.3-STABLE)
+ 2019-08-06 17:09:47 UTC (releng/11.3, 11.3-RELEASE-p2)
+ 2019-08-06 17:09:47 UTC (releng/11.2, 11.2-RELEASE-p13)
+CVE Name: CVE-2016-3189, CVE-2019-12900
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+The bzip2(1)/bunzip2(1) utilities and the libbz2 library compress and
+decompress files using an algorithm based on the Burrows-Wheeler transform.
+They are generally slower than Lempel-Ziv compressors such as gzip, but
+usually provide a greater compression ratio.
+
+The bzip2recover utility extracts blocks from a damaged bzip2(1) file,
+permitting partial recovery of the contents of the file.
+
+II. Problem Description
+
+The decompressor used in bzip2 contains a bug which can lead to an
+out-of-bounds write when processing a specially crafted bzip2(1) file.
+
+bzip2recover contains a heap use-after-free bug which can be triggered
+when processing a specially crafted bzip2(1) file.
+
+III. Impact
+
+An attacker who can cause maliciously crafted input to be processed
+may trigger either of these bugs. The bzip2recover bug may cause a
+crash, permitting a denial-of-service. The bzip2 decompressor bug
+could potentially be exploited to execute arbitrary code.
+
+Note that some utilities, including the tar(1) archiver and the bspatch(1)
+binary patching utility (used in portsnap(8) and freebsd-update(8))
+decompress bzip2(1)-compressed data internally; system administrators should
+assume that their systems will at some point decompress bzip2(1)-compressed
+data even if they never explicitly invoke the bunzip2(1) utility.
+
+IV. Workaround
+
+No workaround is available.
+
+V. Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date,
+and restart daemons if necessary.
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-19:18/bzip2.patch
+# fetch https://security.FreeBSD.org/patches/SA-19:18/bzip2.patch.asc
+# gpg --verify bzip2.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart all daemons that use the library, or reboot the system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/12/ r349717
+releng/12.0/ r350643
+stable/11/ r349718
+releng/11.3/ r350643
+releng/11.2/ r350643
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3189>
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12900>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:18.bzip2.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=3O6m
+-----END PGP SIGNATURE-----
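Review bot: Section II describes two distinct bugs (an out-of-bounds write in the decompressor and a heap use-after-free in bzip2recover) and the header lists CVE-2016-3189 and CVE-2019-12900, but nothing in the text says which CVE belongs to which bug. Suggest naming the CVE at the end of each paragraph in II, so that a reader triaging by CVE can tell which identifier carries the code-execution risk stated in III and which one is the denial-of-service case.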
diff --git a/share/security/advisories/FreeBSD-SA-19:19.mldv2.asc b/share/security/advisories/FreeBSD-SA-19:19.mldv2.asc
new file mode 100644
index 0000000000..5780ab4a4a
--- /dev/null
+++ b/share/security/advisories/FreeBSD-SA-19:19.mldv2.asc
@@ -0,0 +1,137 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-19:19.mldv2 Security Advisory
+ The FreeBSD Project
+
+Topic: ICMPv6 / MLDv2 out-of-bounds memory access
+
+Category: core
+Module: net
+Announced: 2019-08-06
+Credits: CJD of Apple
+Affects: All supported versions of FreeBSD.
+Corrected: 2019-08-06 17:13:41 UTC (stable/12, 12.0-STABLE)
+ 2019-08-06 17:11:17 UTC (releng/12.0, 12.0-RELEASE-p9)
+ 2019-08-06 17:15:46 UTC (stable/11, 11.3-STABLE)
+ 2019-08-06 17:11:17 UTC (releng/11.3, 11.3-RELEASE-p2)
+ 2019-08-06 17:11:17 UTC (releng/11.2, 11.2-RELEASE-p13)
+CVE Name: CVE-2019-5608
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+MLDv2 is the Multicast Listener Discovery protocol, version 2. It is used
+by IPv6 routers to discover multicast listeners.
+
+II. Problem Description
+
+The ICMPv6 input path incorrectly handles cases where an MLDv2 listener
+query packet is internally fragmented across multiple mbufs.
+
+III. Impact
+
+A remote attacker may be able to cause an out-of-bounds read or write that
+may cause the kernel to attempt to access an unmapped page and subsequently
+panic.
+
+IV. Workaround
+
+No workaround is available. Systems not using IPv6 are not affected.
+
+V. Solution
+
+Perform one of the following:
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date,
+and reboot.
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Reboot for security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 11.2, FreeBSD 11.3]
+# fetch https://security.FreeBSD.org/patches/SA-19:19/mldv2.11.patch
+# fetch https://security.FreeBSD.org/patches/SA-19:19/mldv2.11.patch.asc
+# gpg --verify mldv2.11.patch.asc
+
+[FreeBSD 12.0]
+# fetch https://security.FreeBSD.org/patches/SA-19:19/mldv2.12.patch
+# fetch https://security.FreeBSD.org/patches/SA-19:19/mldv2.12.patch.asc
+# gpg --verify mldv2.12.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/12/ r350648
+releng/12.0/ r350644
+stable/11/ r350650
+releng/11.3/ r350644
+releng/11.2/ r350644
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5608>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:19.mldv2.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=WaXC
+-----END PGP SIGNATURE-----
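Review bot: Section V opens with "Perform one of the following:" but only one action follows (upgrade and reboot, via either the binary or the source route); FreeBSD-SA-19:18 and FreeBSD-SA-19:21 in this commit omit that lead-in. Suggest removing the line, or listing a second option if one was intended. In section IV, "No workaround is available. Systems not using IPv6 are not affected." would be clearer if it said how an administrator confirms IPv6 is not in use, since that sentence is the only scoping guidance in the advisory.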
diff --git a/share/security/advisories/FreeBSD-SA-19:20.bsnmp.asc b/share/security/advisories/FreeBSD-SA-19:20.bsnmp.asc
new file mode 100644
index 0000000000..be75d912eb
--- /dev/null
+++ b/share/security/advisories/FreeBSD-SA-19:20.bsnmp.asc
@@ -0,0 +1,131 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-19:20.bsnmp Security Advisory
+ The FreeBSD Project
+
+Topic: Insufficient message length validation in bsnmp library
+
+Category: contrib
+Module: bsnmp
+Announced: 2019-08-06
+Credits: Guido Vranken <guidovranken@gmail.com>
+Affects: All supported versions of FreeBSD.
+Corrected: 2019-08-06 16:11:16 UTC (stable/12, 12.0-STABLE)
+ 2019-08-06 17:12:17 UTC (releng/12.0, 12.0-RELEASE-p9)
+ 2019-08-06 16:12:43 UTC (stable/11, 11.3-STABLE)
+ 2019-08-06 17:12:17 UTC (releng/11.3, 11.3-RELEASE-p2)
+ 2019-08-06 17:12:17 UTC (releng/11.2, 11.2-RELEASE-p13)
+CVE Name: CVE-2019-5610
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+The bsnmp software library is used for the Internet SNMP (Simple Network
+Management Protocol). As part of this it includes functions to handle ASN.1
+(Abstract Syntax Notation One).
+
+II. Problem Description
+
+A function extracting the length from type-length-value encoding is not
+properly validating the submitted length.
+
+III. Impact
+
+A remote user could cause, for example, an out-of-bounds read, decoding of
+unrelated data, or trigger a crash of the software such as bsnmpd resulting
+in a denial of service.
+
+IV. Workaround
+
+No workaround is available.
+
+V. Solution
+
+Perform one of the following:
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-19:20/bsnmp.patch
+# fetch https://security.FreeBSD.org/patches/SA-19:20/bsnmp.patch.asc
+# gpg --verify bsnmp.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart all daemons that use the library, or reboot the system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/12/ r350637
+releng/12.0/ r350646
+stable/11/ r350638
+releng/11.3/ r350646
+releng/11.2/ r350646
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5610>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:20.bsnmp.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=rH6X
+-----END PGP SIGNATURE-----
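Review bot: The restart instruction in section V ("Restart all daemons that use the library, or reboot the system.") appears only after source step 2c, and the opening Solution paragraph ends at "dated after the correction date." with no restart clause, so a reader following the freebsd-update path in V.1 is never told to restart bsnmpd and would keep running the old library. Suggest adding "and restart daemons if necessary" to the opening paragraph, as FreeBSD-SA-19:18 does. The "Perform one of the following:" lead-in also has only one option under it and can be dropped.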
diff --git a/share/security/advisories/FreeBSD-SA-19:21.bhyve.asc b/share/security/advisories/FreeBSD-SA-19:21.bhyve.asc
new file mode 100644
index 0000000000..fc75aba842
--- /dev/null
+++ b/share/security/advisories/FreeBSD-SA-19:21.bhyve.asc
@@ -0,0 +1,142 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-19:21.bhyve Security Advisory
+ The FreeBSD Project
+
+Topic: Insufficient validation of guest-supplied data (e1000 device)
+
+Category: core
+Module: bhyve
+Announced: 2019-08-06
+Credits: Reno Robert
+Affects: All supported versions of FreeBSD.
+Corrected: 2019-08-05 22:04:16 UTC (stable/12, 12.0-STABLE)
+ 2019-08-06 17:13:17 UTC (releng/12.0, 12.0-RELEASE-p9)
+ 2019-08-05 22:04:16 UTC (stable/11, 11.3-STABLE)
+ 2019-08-06 17:13:17 UTC (releng/11.3, 11.3-RELEASE-p2)
+ 2019-08-06 17:13:17 UTC (releng/11.2, 11.2-RELEASE-p13)
+CVE Name: CVE-2019-5609
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+bhyve(8) is a hypervisor that supports running a variety of guest operating
+systems in virtual machines. bhyve(8) includes an emulated Intel 82545
+network interface adapter ("e1000").
+
+II. Problem Description
+
+The e1000 network adapters permit a variety of modifications to an Ethernet
+packet when it is being transmitted. These include the insertion of IP and
+TCP checksums, insertion of an Ethernet VLAN header, and TCP segmentation
+offload ("TSO"). The e1000 device model uses an on-stack buffer to generate
+the modified packet header when simulating these modifications on transmitted
+packets.
+
+When TCP segmentation offload is requested for a transmitted packet, the
+e1000 device model used a guest-provided value to determine the size of the
+on-stack buffer without validation. The subsequent header generation could
+overflow an incorrectly sized buffer or indirect a pointer composed of stack
+garbage.
+
+III. Impact
+
+A misbehaving bhyve guest could overwrite memory in the bhyve process on the
+host.
+
+IV. Workaround
+
+Only the e1000 device model is affected; the virtio-net device is not
+affected by this issue. If supported by the guest operating system
+presenting only the virtio-net device to the guest is a suitable workaround.
+No workaround is available if the e1000 device model is required.
+
+V. Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date,
+and restart any affected virtual machines.
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-19:21/bhyve.patch
+# fetch https://security.FreeBSD.org/patches/SA-19:21/bhyve.patch.asc
+# gpg --verify bhyve.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart the applicable virtual machines, or reboot the system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/12/ r350619
+releng/12.0/ r350647
+stable/11/ r350619
+releng/11.3/ r350647
+releng/11.2/ r350647
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5609>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:21.bhyve.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=0XzG
+-----END PGP SIGNATURE-----
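Review bot: In section IV the sentence "If supported by the guest operating system presenting only the virtio-net device to the guest is a suitable workaround." needs a comma after "guest operating system" to parse. In section II, "indirect a pointer composed of stack garbage" would read better as "dereference a pointer", and the second paragraph switches from present tense ("uses an on-stack buffer") to past ("used a guest-provided value"); pick one so it is clear the description is of the unpatched behaviour.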
diff --git a/share/security/patches/EN-19:14/epoch.patch b/share/security/patches/EN-19:14/epoch.patch
new file mode 100644
index 0000000000..55912d93bc
--- /dev/null
+++ b/share/security/patches/EN-19:14/epoch.patch
@@ -0,0 +1,87 @@
+--- sys/kern/subr_epoch.c.orig
++++ sys/kern/subr_epoch.c
+@@ -325,24 +325,20 @@
+ */
+ critical_enter();
+ thread_unlock(td);
+- owner = turnstile_lock(ts, &lock);
+- /*
+- * The owner pointer indicates that the lock succeeded. Only
+- * in case we hold the lock and the turnstile we locked is still
+- * the one that curwaittd is blocked on can we continue. Otherwise
+- * The turnstile pointer has been changed out from underneath
+- * us, as in the case where the lock holder has signalled curwaittd,
+- * and we need to continue.
+- */
+- if (owner != NULL && ts == curwaittd->td_blocked) {
+- MPASS(TD_IS_INHIBITED(curwaittd) && TD_ON_LOCK(curwaittd));
+- critical_exit();
+- turnstile_wait(ts, owner, curwaittd->td_tsqueue);
+- counter_u64_add(turnstile_count, 1);
+- thread_lock(td);
+- return;
+- } else if (owner != NULL)
++
++ if (turnstile_lock(ts, &lock, &owner)) {
++ if (ts == curwaittd->td_blocked) {
++ MPASS(TD_IS_INHIBITED(curwaittd) &&
++ TD_ON_LOCK(curwaittd));
++ critical_exit();
++ turnstile_wait(ts, owner,
++ curwaittd->td_tsqueue);
++ counter_u64_add(turnstile_count, 1);
++ thread_lock(td);
++ return;
++ }
+ turnstile_unlock(ts, lock);
++ }
+ thread_lock(td);
+ critical_exit();
+ KASSERT(td->td_locks == locksheld,
+--- sys/kern/subr_turnstile.c.orig
++++ sys/kern/subr_turnstile.c
+@@ -566,14 +566,15 @@
+ return (ts);
+ }
+
+-struct thread *
+-turnstile_lock(struct turnstile *ts, struct lock_object **lockp)
++bool
++turnstile_lock(struct turnstile *ts, struct lock_object **lockp,
++ struct thread **tdp)
+ {
+ struct turnstile_chain *tc;
+ struct lock_object *lock;
+
+ if ((lock = ts->ts_lockobj) == NULL)
+- return (NULL);
++ return (false);
+ tc = TC_LOOKUP(lock);
+ mtx_lock_spin(&tc->tc_lock);
+ mtx_lock_spin(&ts->ts_lock);
+@@ -580,10 +581,11 @@
+ if (__predict_false(lock != ts->ts_lockobj)) {
+ mtx_unlock_spin(&tc->tc_lock);
+ mtx_unlock_spin(&ts->ts_lock);
+- return (NULL);
++ return (false);
+ }
+ *lockp = lock;
+- return (ts->ts_owner);
++ *tdp = ts->ts_owner;
++ return (true);
+ }
+
+ void
+--- sys/sys/turnstile.h.orig
++++ sys/sys/turnstile.h
+@@ -100,7 +100,8 @@
+ struct turnstile *turnstile_trywait(struct lock_object *);
+ void turnstile_unpend(struct turnstile *);
+ void turnstile_wait(struct turnstile *, struct thread *, int);
+-struct thread *turnstile_lock(struct turnstile *, struct lock_object **);
++bool turnstile_lock(struct turnstile *, struct lock_object **,
++ struct thread **);
+ void turnstile_unlock(struct turnstile *, struct lock_object *);
+ void turnstile_assert(struct turnstile *);
+ #endif /* _KERNEL */
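Review bot: The sys/kern/subr_epoch.c hunk removes the eight-line comment that explained the "ts == curwaittd->td_blocked" check and adds nothing in its place, yet the new contract is exactly what a future reader needs spelled out: turnstile_lock() now returns true with both spin locks held, and the owner returned through the third argument may legitimately be NULL (the reader-owned lock case described in the errata notice). Suggest a short comment above "if (turnstile_lock(ts, &lock, &owner)) {" stating that a true return must be paired with either turnstile_wait() or turnstile_unlock(), and a matching note at the prototype in sys/sys/turnstile.h, since the changed signature is the whole fix.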
diff --git a/share/security/patches/EN-19:14/epoch.patch.asc b/share/security/patches/EN-19:14/epoch.patch.asc
new file mode 100644
index 0000000000..bde9659ec7
--- /dev/null
+++ b/share/security/patches/EN-19:14/epoch.patch.asc
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+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+=Wj+f
+-----END PGP SIGNATURE-----
diff --git a/share/security/patches/EN-19:15/libunwind.patch b/share/security/patches/EN-19:15/libunwind.patch
new file mode 100644
index 0000000000..5a05e45847
--- /dev/null
+++ b/share/security/patches/EN-19:15/libunwind.patch
@@ -0,0 +1,13 @@
+--- contrib/llvm/projects/libunwind/src/EHHeaderParser.hpp.orig
++++ contrib/llvm/projects/libunwind/src/EHHeaderParser.hpp
+@@ -68,7 +68,9 @@
+ ehHdrInfo.eh_frame_ptr =
+ addressSpace.getEncodedP(p, ehHdrEnd, eh_frame_ptr_enc, ehHdrStart);
+ ehHdrInfo.fde_count =
+- addressSpace.getEncodedP(p, ehHdrEnd, fde_count_enc, ehHdrStart);
++ fde_count_enc == DW_EH_PE_omit
++ ? 0
++ : addressSpace.getEncodedP(p, ehHdrEnd, fde_count_enc, ehHdrStart);
+ ehHdrInfo.table = p;
+ }
+
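Review bot: only fde_count_enc is checked against DW_EH_PE_omit; the eh_frame_ptr_enc read two lines above still goes straight to getEncodedP() with whatever encoding byte the header carries. If an omitted encoding is a problem for one field, either guard the other the same way or add a comment saying why it cannot be omitted. Note also that `ehHdrInfo.table = p;` is still assigned when fde_count is forced to 0, so callers have to treat a zero count as "no search table" rather than trusting the pointer.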
diff --git a/share/security/patches/EN-19:15/libunwind.patch.asc b/share/security/patches/EN-19:15/libunwind.patch.asc
new file mode 100644
index 0000000000..eb2112c420
--- /dev/null
+++ b/share/security/patches/EN-19:15/libunwind.patch.asc
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl1Jt25fFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cJ1hw/+I2Gj+htbN2MhOodcLa4e4LsgxP9rGW9NZw3F9MbjgDNlVnlVLXrvyKjB
+sCBuzLWGWMPkrhyh8zkHTHBq+0An3dCPk5LW5jHy6k31mofL8Jj7SyqQVigK93BN
+24NcJP51ScUV0sBrhArd2We1bqmVWXsw0ZZYwm0iHVNFqaxJ1+kkvcw4KQmer+/d
+E8+bCKszDyPU3rVVlb6OIsXhMrLgW8Qu0LDP9Ym6qNsfXIGwpFhrtuG1OUiSLiT8
+lnDpB9x5tDYTBVv9//XVZinoTQY4aJ/IcMdK8B7TS2CTyjCL+n+xXgW3bj0u8zKE
+gNoxFwH8JNg3srVSelvEkhxGta35JefjIxu0aqD38DHTcyWoqOfdHFcnsQob9SEq
+5/afVzFFUutqjfENmYoQ2CvSt3d4GALRGeoNbp0uysIhw1IqIGGuYt5loAYwDApc
+4ic6l4bZ+eNXz7GNYBS+CRqHhMdJH5/YxT0UO2uY7Cpd/FtgcM1kHf9xItnL5Kru
+cgo35Aw/LWWC5xI1B9ivERtYuQkvQ1KA4wabAhiblA/2bzbEzuc+zB9NDof1nqFp
+4BPSYOm8CYYPX8psoKLvxQzeWind1VlJ8NNKQijTmlSsJcR9OjGq5P5KiGYM41X7
+29hUiG8WFFn/3+VglGM6MrGxTCwYTGJ3ry0yFq5LhxDTdH1Yrrg=
+=pcMq
+-----END PGP SIGNATURE-----
diff --git a/share/security/patches/SA-19:18/bzip2.patch b/share/security/patches/SA-19:18/bzip2.patch
new file mode 100644
index 0000000000..d4ee655d3d
--- /dev/null
+++ b/share/security/patches/SA-19:18/bzip2.patch
@@ -0,0 +1,490 @@
+--- contrib/bzip2/CHANGES.orig
++++ contrib/bzip2/CHANGES
+@@ -2,8 +2,8 @@
+ This file is part of bzip2/libbzip2, a program and library for
+ lossless, block-sorting data compression.
+
+- bzip2/libbzip2 version 1.0.6 of 6 September 2010
+- Copyright (C) 1996-2010 Julian Seward <jseward@bzip.org>
++ bzip2/libbzip2 version 1.0.7 of 27 June 2019
++ Copyright (C) 1996-2010 Julian Seward <jseward@acm.org>
+
+ Please read the WARNING, DISCLAIMER and PATENTS sections in the
+ README file.
+@@ -325,3 +325,16 @@
+ Izdebski.
+
+ * Make the documentation build on Ubuntu 10.04
++
++1.0.7 (27 Jun 19)
++~~~~~~~~~~~~~~~~~
++
++* Fix undefined behavior in the macros SET_BH, CLEAR_BH, & ISSET_BH
++
++* bzip2: Fix return value when combining --test,-t and -q.
++
++* bzip2recover: Fix buffer overflow for large argv[0]
++
++* bzip2recover: Fix use after free issue with outFile (CVE-2016-3189)
++
++* Make sure nSelectors is not out of range (CVE-2019-12900)
+--- contrib/bzip2/LICENSE.orig
++++ contrib/bzip2/LICENSE
+@@ -36,7 +36,7 @@
+ NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+-Julian Seward, jseward@bzip.org
+-bzip2/libbzip2 version 1.0.6 of 6 September 2010
++Julian Seward, jseward@acm.org
++bzip2/libbzip2 version 1.0.7 of 27 June 2019
+
+ --------------------------------------------------------------------------
+--- contrib/bzip2/README.orig
++++ contrib/bzip2/README
+@@ -6,8 +6,8 @@
+ This file is part of bzip2/libbzip2, a program and library for
+ lossless, block-sorting data compression.
+
+-bzip2/libbzip2 version 1.0.6 of 6 September 2010
+-Copyright (C) 1996-2010 Julian Seward <jseward@bzip.org>
++bzip2/libbzip2 version 1.0.7 of 27 June 2019
++Copyright (C) 1996-2010 Julian Seward <jseward@acm.org>
+
+ Please read the WARNING, DISCLAIMER and PATENTS sections in this file.
+
+@@ -73,7 +73,7 @@
+
+ It's difficult for me to support compilation on all these platforms.
+ My approach is to collect binaries for these platforms, and put them
+-on the master web site (http://www.bzip.org). Look there. However
++on the master web site (https://sourceware.org/bzip2/). Look there. However
+ (FWIW), bzip2-1.0.X is very standard ANSI C and should compile
+ unmodified with MS Visual C. If you have difficulties building, you
+ might want to read README.COMPILATION.PROBLEMS.
+@@ -161,33 +161,12 @@
+ * Many small improvements in file and flag handling.
+ * A Y2K statement.
+
+-WHAT'S NEW IN 1.0.0 ?
++WHAT'S NEW IN 1.0.x ?
+
+ See the CHANGES file.
+
+-WHAT'S NEW IN 1.0.2 ?
+-
+- See the CHANGES file.
+-
+-WHAT'S NEW IN 1.0.3 ?
+-
+- See the CHANGES file.
+-
+-WHAT'S NEW IN 1.0.4 ?
+-
+- See the CHANGES file.
+-
+-WHAT'S NEW IN 1.0.5 ?
+-
+- See the CHANGES file.
+-
+-WHAT'S NEW IN 1.0.6 ?
+-
+- See the CHANGES file.
+-
+-
+ I hope you find bzip2 useful. Feel free to contact me at
+- jseward@bzip.org
++ jseward@acm.org
+ if you have any suggestions or queries. Many people mailed me with
+ comments, suggestions and patches after the releases of bzip-0.15,
+ bzip-0.21, and bzip2 versions 0.1pl2, 0.9.0, 0.9.5, 1.0.0, 1.0.1,
+@@ -194,10 +173,10 @@
+ 1.0.2 and 1.0.3, and the changes in bzip2 are largely a result of this
+ feedback. I thank you for your comments.
+
+-bzip2's "home" is http://www.bzip.org/
++bzip2's "home" is https://sourceware.org/bzip2/
+
+ Julian Seward
+-jseward@bzip.org
++jseward@acm.org
+ Cambridge, UK.
+
+ 18 July 1996 (version 0.15)
+@@ -213,3 +192,4 @@
+ 20 December 2006 (bzip2, version 1.0.4)
+ 10 December 2007 (bzip2, version 1.0.5)
+ 6 Sept 2010 (bzip2, version 1.0.6)
++27 June 2019 (bzip2, version 1.0.7)
+--- contrib/bzip2/README.COMPILATION.PROBLEMS.orig
++++ contrib/bzip2/README.COMPILATION.PROBLEMS
+@@ -2,8 +2,8 @@
+ This file is part of bzip2/libbzip2, a program and library for
+ lossless, block-sorting data compression.
+
+-bzip2/libbzip2 version 1.0.6 of 6 September 2010
+-Copyright (C) 1996-2010 Julian Seward <jseward@bzip.org>
++bzip2/libbzip2 version 1.0.7 of 27 June 2019
++Copyright (C) 1996-2010 Julian Seward <jseward@acm.org>
+
+ Please read the WARNING, DISCLAIMER and PATENTS sections in the
+ README file.
+@@ -12,7 +12,7 @@
+ in the file LICENSE.
+ ------------------------------------------------------------------
+
+-bzip2-1.0.6 should compile without problems on the vast majority of
++bzip2 should compile without problems on the vast majority of
+ platforms. Using the supplied Makefile, I've built and tested it
+ myself for x86-linux and amd64-linux. With makefile.msc, Visual C++
+ 6.0 and nmake, you can build a native Win32 version too. Large file
+--- contrib/bzip2/blocksort.c.orig
++++ contrib/bzip2/blocksort.c
+@@ -8,8 +8,8 @@
+ This file is part of bzip2/libbzip2, a program and library for
+ lossless, block-sorting data compression.
+
+- bzip2/libbzip2 version 1.0.6 of 6 September 2010
+- Copyright (C) 1996-2010 Julian Seward <jseward@bzip.org>
++ bzip2/libbzip2 version 1.0.7 of 27 June 2019
++ Copyright (C) 1996-2010 Julian Seward <jseward@acm.org>
+
+ Please read the WARNING, DISCLAIMER and PATENTS sections in the
+ README file.
+@@ -202,9 +202,9 @@
+ bhtab [ 0 .. 2+(nblock/32) ] destroyed
+ */
+
+-#define SET_BH(zz) bhtab[(zz) >> 5] |= (1 << ((zz) & 31))
+-#define CLEAR_BH(zz) bhtab[(zz) >> 5] &= ~(1 << ((zz) & 31))
+-#define ISSET_BH(zz) (bhtab[(zz) >> 5] & (1 << ((zz) & 31)))
++#define SET_BH(zz) bhtab[(zz) >> 5] |= ((UInt32)1 << ((zz) & 31))
++#define CLEAR_BH(zz) bhtab[(zz) >> 5] &= ~((UInt32)1 << ((zz) & 31))
++#define ISSET_BH(zz) (bhtab[(zz) >> 5] & ((UInt32)1 << ((zz) & 31)))
+ #define WORD_BH(zz) bhtab[(zz) >> 5]
+ #define UNALIGNED_BH(zz) ((zz) & 0x01f)
+
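Review bot: the (UInt32)1 cast removes the signed-shift problem when (zz) & 31 is 31, but SET_BH and CLEAR_BH still expand to a bare assignment without outer parentheses, unlike ISSET_BH. Wrapping them, for example `(bhtab[(zz) >> 5] |= ((UInt32)1 << ((zz) & 31)))`, would keep the three macros consistent and safe inside a larger expression. The fix also assumes bhtab is an array of 32-bit unsigned words; its declaration is not in this hunk, so a comment next to the macros stating that would help.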
+--- contrib/bzip2/bzip2.1.orig
++++ contrib/bzip2/bzip2.1
+@@ -1,6 +1,6 @@
+ .TH bzip2 1
+ .SH NAME
+-bzip2, bunzip2 \- a block-sorting file compressor, v1.0.6
++bzip2, bunzip2 \- a block-sorting file compressor, v1.0.7
+ .br
+ bzcat \- decompresses files to stdout
+ .br
+@@ -404,7 +404,7 @@
+ tries hard to detect I/O errors and exit cleanly, but the details of
+ what the problem is sometimes seem rather misleading.
+
+-This manual page pertains to version 1.0.6 of
++This manual page pertains to version 1.0.7 of
+ .I bzip2.
+ Compressed data created by this version is entirely forwards and
+ backwards compatible with the previous public releases, versions
+@@ -426,9 +426,9 @@
+
+
+ .SH AUTHOR
+-Julian Seward, jsewardbzip.org.
++Julian Seward, jseward@acm.org.
+
+-http://www.bzip.org
++https://sourceware.org/bzip2/
+
+ The ideas embodied in
+ .I bzip2
+--- contrib/bzip2/bzip2.c.orig
++++ contrib/bzip2/bzip2.c
+@@ -7,8 +7,8 @@
+ This file is part of bzip2/libbzip2, a program and library for
+ lossless, block-sorting data compression.
+
+- bzip2/libbzip2 version 1.0.6 of 6 September 2010
+- Copyright (C) 1996-2010 Julian Seward <jseward@bzip.org>
++ bzip2/libbzip2 version 1.0.7 of 27 June 2019
++ Copyright (C) 1996-2010 Julian Seward <jseward@acm.org>
+
+ Please read the WARNING, DISCLAIMER and PATENTS sections in the
+ README file.
+@@ -554,7 +554,7 @@
+ Bool testStream ( FILE *zStream )
+ {
+ BZFILE* bzf = NULL;
+- Int32 bzerr, bzerr_dummy, ret, nread, streamNo, i;
++ Int32 bzerr, bzerr_dummy, ret, streamNo, i;
+ UChar obuf[5000];
+ UChar unused[BZ_MAX_UNUSED];
+ Int32 nUnused;
+@@ -577,7 +577,7 @@
+ streamNo++;
+
+ while (bzerr == BZ_OK) {
+- nread = BZ2_bzRead ( &bzerr, bzf, obuf, 5000 );
++ BZ2_bzRead ( &bzerr, bzf, obuf, 5000 );
+ if (bzerr == BZ_DATA_ERROR_MAGIC) goto errhandler;
+ }
+ if (bzerr != BZ_STREAM_END) goto errhandler;
+@@ -749,7 +749,7 @@
+ "\n%s: PANIC -- internal consistency error:\n"
+ "\t%s\n"
+ "\tThis is a BUG. Please report it to me at:\n"
+- "\tjseward@bzip.org\n",
++ "\tjseward@acm.org\n",
+ progName, s );
+ showFileNames();
+ cleanUpAndFail( 3 );
+@@ -829,7 +829,7 @@
+ " The user's manual, Section 4.3, has more info on (1) and (2).\n"
+ " \n"
+ " If you suspect this is a bug in bzip2, or are unsure about (1)\n"
+- " or (2), feel free to report it to me at: jseward@bzip.org.\n"
++ " or (2), feel free to report it to me at: jseward@acm.org.\n"
+ " Section 4.3 of the user's manual describes the info a useful\n"
+ " bug report should have. If the manual is available on your\n"
+ " system, please try and read it before mailing me. If you don't\n"
+@@ -852,7 +852,7 @@
+ " The user's manual, Section 4.3, has more info on (2) and (3).\n"
+ " \n"
+ " If you suspect this is a bug in bzip2, or are unsure about (2)\n"
+- " or (3), feel free to report it to me at: jseward@bzip.org.\n"
++ " or (3), feel free to report it to me at: jseward@acm.org.\n"
+ " Section 4.3 of the user's manual describes the info a useful\n"
+ " bug report should have. If the manual is available on your\n"
+ " system, please try and read it before mailing me. If you don't\n"
+@@ -1609,7 +1609,7 @@
+ " \n"
+ " This program is free software; you can redistribute it and/or modify\n"
+ " it under the terms set out in the LICENSE file, which is included\n"
+- " in the bzip2-1.0.6 source distribution.\n"
++ " in the bzip2 source distribution.\n"
+ " \n"
+ " This program is distributed in the hope that it will be useful,\n"
+ " but WITHOUT ANY WARRANTY; without even the implied warranty of\n"
+@@ -2005,12 +2005,14 @@
+ testf ( aa->name );
+ }
+ }
+- if (testFailsExist && noisy) {
+- fprintf ( stderr,
+- "\n"
+- "You can use the `bzip2recover' program to attempt to recover\n"
+- "data from undamaged sections of corrupted files.\n\n"
+- );
++ if (testFailsExist) {
++ if (noisy) {
++ fprintf ( stderr,
++ "\n"
++ "You can use the `bzip2recover' program to attempt to recover\n"
++ "data from undamaged sections of corrupted files.\n\n"
++ );
++ }
+ setExit(2);
+ exit(exitValue);
+ }
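Review bot: setExit(2) and exit(exitValue) now run for every test failure, which is the actual fix, but nothing in the hunk says why only the fprintf is gated on noisy. A one-line comment above `if (noisy) {` stating that -q suppresses the bzip2recover hint and not the exit status would keep the two conditions from being merged back into `testFailsExist && noisy` later.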
+--- contrib/bzip2/bzip2recover.c.orig
++++ contrib/bzip2/bzip2recover.c
+@@ -7,8 +7,8 @@
+ This file is part of bzip2/libbzip2, a program and library for
+ lossless, block-sorting data compression.
+
+- bzip2/libbzip2 version 1.0.6 of 6 September 2010
+- Copyright (C) 1996-2010 Julian Seward <jseward@bzip.org>
++ bzip2/libbzip2 version 1.0.7 of 27 June 2019
++ Copyright (C) 1996-2010 Julian Seward <jseward@acm.org>
+
+ Please read the WARNING, DISCLAIMER and PATENTS sections in the
+ README file.
+@@ -309,11 +309,12 @@
+ UInt32 buffHi, buffLo, blockCRC;
+ Char* p;
+
+- strcpy ( progName, argv[0] );
++ strncpy ( progName, argv[0], BZ_MAX_FILENAME-1);
++ progName[BZ_MAX_FILENAME-1]='\0';
+ inFileName[0] = outFileName[0] = 0;
+
+ fprintf ( stderr,
+- "bzip2recover 1.0.6: extracts blocks from damaged .bz2 files.\n" );
++ "bzip2recover 1.0.7: extracts blocks from damaged .bz2 files.\n" );
+
+ if (argc != 2) {
+ fprintf ( stderr, "%s: usage is `%s damaged_file_name'.\n",
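Review bot: the strncpy() bound `BZ_MAX_FILENAME-1` is only correct if progName is declared with at least BZ_MAX_FILENAME bytes, and that declaration is not part of this hunk. Using `sizeof(progName)-1` for both the copy length and the terminator index would tie the bound to the buffer itself. Style nit: `progName[BZ_MAX_FILENAME-1]='\0';` lacks the spacing around `=` used by the neighbouring `inFileName[0] = outFileName[0] = 0;` line.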
+@@ -457,6 +458,7 @@
+ bsPutUChar ( bsWr, 0x50 ); bsPutUChar ( bsWr, 0x90 );
+ bsPutUInt32 ( bsWr, blockCRC );
+ bsClose ( bsWr );
++ outFile = NULL;
+ }
+ if (wrBlock >= rbCtr) break;
+ wrBlock++;
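Review bot: `outFile = NULL;` is added without a comment, so the reason it follows bsClose() can only be found in the CHANGES entry of this same patch ("Fix use after free issue with outFile (CVE-2016-3189)"). A one-line comment saying that the pointer is stale once bsClose ( bsWr ) has run, and is cleared so it cannot be reused, would document the invariant at the place it is enforced.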
+--- contrib/bzip2/bzlib.c.orig
++++ contrib/bzip2/bzlib.c
+@@ -8,8 +8,8 @@
+ This file is part of bzip2/libbzip2, a program and library for
+ lossless, block-sorting data compression.
+
+- bzip2/libbzip2 version 1.0.6 of 6 September 2010
+- Copyright (C) 1996-2010 Julian Seward <jseward@bzip.org>
++ bzip2/libbzip2 version 1.0.7 of 27 June 2019
++ Copyright (C) 1996-2010 Julian Seward <jseward@acm.org>
+
+ Please read the WARNING, DISCLAIMER and PATENTS sections in the
+ README file.
+@@ -47,7 +47,7 @@
+ fprintf(stderr,
+ "\n\nbzip2/libbzip2: internal error number %d.\n"
+ "This is a bug in bzip2/libbzip2, %s.\n"
+- "Please report it to me at: jseward@bzip.org. If this happened\n"
++ "Please report it to me at: jseward@acm.org. If this happened\n"
+ "when you were using some program which uses libbzip2 as a\n"
+ "component, you should also report this bug to the author(s)\n"
+ "of that program. Please make an effort to report this bug;\n"
+--- contrib/bzip2/bzlib.h.orig
++++ contrib/bzip2/bzlib.h
+@@ -8,8 +8,8 @@
+ This file is part of bzip2/libbzip2, a program and library for
+ lossless, block-sorting data compression.
+
+- bzip2/libbzip2 version 1.0.6 of 6 September 2010
+- Copyright (C) 1996-2010 Julian Seward <jseward@bzip.org>
++ bzip2/libbzip2 version 1.0.7 of 27 June 2019
++ Copyright (C) 1996-2010 Julian Seward <jseward@acm.org>
+
+ Please read the WARNING, DISCLAIMER and PATENTS sections in the
+ README file.
+--- contrib/bzip2/bzlib_private.h.orig
++++ contrib/bzip2/bzlib_private.h
+@@ -8,8 +8,8 @@
+ This file is part of bzip2/libbzip2, a program and library for
+ lossless, block-sorting data compression.
+
+- bzip2/libbzip2 version 1.0.6 of 6 September 2010
+- Copyright (C) 1996-2010 Julian Seward <jseward@bzip.org>
++ bzip2/libbzip2 version 1.0.7 of 27 June 2019
++ Copyright (C) 1996-2010 Julian Seward <jseward@acm.org>
+
+ Please read the WARNING, DISCLAIMER and PATENTS sections in the
+ README file.
+@@ -36,7 +36,7 @@
+
+ /*-- General stuff. --*/
+
+-#define BZ_VERSION "1.0.6, 6-Sept-2010"
++#define BZ_VERSION "1.0.7, 27-Jun-2019"
+
+ typedef char Char;
+ typedef unsigned char Bool;
+--- contrib/bzip2/compress.c.orig
++++ contrib/bzip2/compress.c
+@@ -8,8 +8,8 @@
+ This file is part of bzip2/libbzip2, a program and library for
+ lossless, block-sorting data compression.
+
+- bzip2/libbzip2 version 1.0.6 of 6 September 2010
+- Copyright (C) 1996-2010 Julian Seward <jseward@bzip.org>
++ bzip2/libbzip2 version 1.0.7 of 27 June 2019
++ Copyright (C) 1996-2010 Julian Seward <jseward@acm.org>
+
+ Please read the WARNING, DISCLAIMER and PATENTS sections in the
+ README file.
+--- contrib/bzip2/crctable.c.orig
++++ contrib/bzip2/crctable.c
+@@ -8,8 +8,8 @@
+ This file is part of bzip2/libbzip2, a program and library for
+ lossless, block-sorting data compression.
+
+- bzip2/libbzip2 version 1.0.6 of 6 September 2010
+- Copyright (C) 1996-2010 Julian Seward <jseward@bzip.org>
++ bzip2/libbzip2 version 1.0.7 of 27 June 2019
++ Copyright (C) 1996-2010 Julian Seward <jseward@acm.org>
+
+ Please read the WARNING, DISCLAIMER and PATENTS sections in the
+ README file.
+--- contrib/bzip2/decompress.c.orig
++++ contrib/bzip2/decompress.c
+@@ -8,8 +8,8 @@
+ This file is part of bzip2/libbzip2, a program and library for
+ lossless, block-sorting data compression.
+
+- bzip2/libbzip2 version 1.0.6 of 6 September 2010
+- Copyright (C) 1996-2010 Julian Seward <jseward@bzip.org>
++ bzip2/libbzip2 version 1.0.7 of 27 June 2019
++ Copyright (C) 1996-2010 Julian Seward <jseward@acm.org>
+
+ Please read the WARNING, DISCLAIMER and PATENTS sections in the
+ README file.
+@@ -285,9 +285,9 @@
+
+ /*--- Now the selectors ---*/
+ GET_BITS(BZ_X_SELECTOR_1, nGroups, 3);
+- if (nGroups < 2 || nGroups > 6) RETURN(BZ_DATA_ERROR);
++ if (nGroups < 2 || nGroups > BZ_N_GROUPS) RETURN(BZ_DATA_ERROR);
+ GET_BITS(BZ_X_SELECTOR_2, nSelectors, 15);
+- if (nSelectors < 1) RETURN(BZ_DATA_ERROR);
++ if (nSelectors < 1 || nSelectors > BZ_MAX_SELECTORS) RETURN(BZ_DATA_ERROR);
+ for (i = 0; i < nSelectors; i++) {
+ j = 0;
+ while (True) {
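Review bot: the new upper bound on nSelectors is the substantive fix in this hunk, but nothing here says what BZ_MAX_SELECTORS protects. GET_BITS reads nSelectors as a 15-bit field, so the stream itself can claim up to 32767 selectors, and the `for (i = 0; i < nSelectors; i++)` loop directly below runs that many times. A comment naming the arrays whose size BZ_MAX_SELECTORS defines would make the check self-explanatory and harder to weaken by accident.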
+--- contrib/bzip2/huffman.c.orig
++++ contrib/bzip2/huffman.c
+@@ -8,8 +8,8 @@
+ This file is part of bzip2/libbzip2, a program and library for
+ lossless, block-sorting data compression.
+
+- bzip2/libbzip2 version 1.0.6 of 6 September 2010
+- Copyright (C) 1996-2010 Julian Seward <jseward@bzip.org>
++ bzip2/libbzip2 version 1.0.7 of 27 June 2019
++ Copyright (C) 1996-2010 Julian Seward <jseward@acm.org>
+
+ Please read the WARNING, DISCLAIMER and PATENTS sections in the
+ README file.
+--- contrib/bzip2/randtable.c.orig
++++ contrib/bzip2/randtable.c
+@@ -8,8 +8,8 @@
+ This file is part of bzip2/libbzip2, a program and library for
+ lossless, block-sorting data compression.
+
+- bzip2/libbzip2 version 1.0.6 of 6 September 2010
+- Copyright (C) 1996-2010 Julian Seward <jseward@bzip.org>
++ bzip2/libbzip2 version 1.0.7 of 27 June 2019
++ Copyright (C) 1996-2010 Julian Seward <jseward@acm.org>
+
+ Please read the WARNING, DISCLAIMER and PATENTS sections in the
+ README file.
+--- contrib/bzip2/spewG.c.orig
++++ contrib/bzip2/spewG.c
+@@ -13,8 +13,8 @@
+ This file is part of bzip2/libbzip2, a program and library for
+ lossless, block-sorting data compression.
+
+- bzip2/libbzip2 version 1.0.6 of 6 September 2010
+- Copyright (C) 1996-2010 Julian Seward <jseward@bzip.org>
++ bzip2/libbzip2 version 1.0.7 of 27 June 2019
++ Copyright (C) 1996-2010 Julian Seward <jseward@acm.org>
+
+ Please read the WARNING, DISCLAIMER and PATENTS sections in the
+ README file.
+--- contrib/bzip2/unzcrash.c.orig
++++ contrib/bzip2/unzcrash.c
+@@ -17,8 +17,8 @@
+ This file is part of bzip2/libbzip2, a program and library for
+ lossless, block-sorting data compression.
+
+- bzip2/libbzip2 version 1.0.6 of 6 September 2010
+- Copyright (C) 1996-2010 Julian Seward <jseward@bzip.org>
++ bzip2/libbzip2 version 1.0.7 of 27 June 2019
++ Copyright (C) 1996-2010 Julian Seward <jseward@acm.org>
+
+ Please read the WARNING, DISCLAIMER and PATENTS sections in the
+ README file.
+--- contrib/bzip2/words2.orig
++++ contrib/bzip2/words2
+@@ -1,5 +1,5 @@
+
+ Checking test results. If any of the four "cmp"s which follow
+ report any differences, something is wrong. If you can't easily
+-figure out what, please let me know (jseward@bzip.org).
++figure out what, please let me know (jseward@acm.org).
+
diff --git a/share/security/patches/SA-19:18/bzip2.patch.asc b/share/security/patches/SA-19:18/bzip2.patch.asc
new file mode 100644
index 0000000000..1fecad4cf9
--- /dev/null
+++ b/share/security/patches/SA-19:18/bzip2.patch.asc
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl1Jt3ZfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cLgdBAAmQQ+moDndbNdPyCwkOOBA0UaVA4J+XBuJxtSK9hm8WxvXjy3hpo26vwM
+JUho+ftP7igYL/oyOQPrSO0AUpVgHiEMROOHnfpwTETU4jNUhRZmkkahvmskocuA
+Xi+Up4v2ED7E97k+LpN6FwUOZsaqoNfXlYxsRf3gze9VzmtcUGDoP2V3q2icqy0X
+HHcvI5BTpU4AJWXeH1KA/XCWWXsbmQAqV4pysJeSLFnaN4ZMb3Z7rYikGimnfiKE
+s9ihgr5zJxIbEWACwhhcSRRzBzLB6PrN4J/bZoUzZXAVcYktmhOWmEYSZMZgbzDY
+aSKxpXO6yw+w4TM1JzXdatCca0HN0Isml6Mq+EsPE8PWwzu2QcV3jv4L1reW422b
+8wSMkjpJElmz4+S5gw2NHOrIC7/W365A//BdqHfdQwkCzkm+Vnuzf7Y3D7eorwa+
+Z0RqZ/J5LmMqA6pdzfNgXKVMzCaGNLYelOkZAQYwBDR/buJcbu6WWpa+LU4GKy0Y
+RdTevl+vqwyArcASRFZm0RAROO3dkE8C4DL4qBVn8AXn+5yLF1vgOirpwF83bEiG
+A85bsRgQS0aFVau+ih9WYYxl51+L0ZuE94/o6s2aZnhJMyQDzl5stH1HIRJrAk+a
+WVue+uo9LyK6AtvXymLzIoVs1K0x486FFAILGFN3r/SP31DxkrI=
+=9IqU
+-----END PGP SIGNATURE-----
diff --git a/share/security/patches/SA-19:19/mldv2.11.patch b/share/security/patches/SA-19:19/mldv2.11.patch
new file mode 100644
index 0000000000..a9efb81762
--- /dev/null
+++ b/share/security/patches/SA-19:19/mldv2.11.patch
@@ -0,0 +1,138 @@
+--- sys/netinet6/mld6.c.orig
++++ sys/netinet6/mld6.c
+@@ -137,7 +137,7 @@
+ struct in6_multi *, const int, const int, const int,
+ const int);
+ static int mld_v2_input_query(struct ifnet *, const struct ip6_hdr *,
+- struct mbuf *, const int, const int);
++ struct mbuf *, struct mldv2_query *, const int, const int);
+ static int mld_v2_merge_state_changes(struct in6_multi *,
+ struct mbufq *);
+ static void mld_v2_process_group_timers(struct mld_ifsoftc *,
+@@ -144,7 +144,8 @@
+ struct mbufq *, struct mbufq *,
+ struct in6_multi *, const int);
+ static int mld_v2_process_group_query(struct in6_multi *,
+- struct mld_ifsoftc *mli, int, struct mbuf *, const int);
++ struct mld_ifsoftc *mli, int, struct mbuf *,
++ struct mldv2_query *, const int);
+ static int sysctl_mld_gsr(SYSCTL_HANDLER_ARGS);
+ static int sysctl_mld_ifinfo(SYSCTL_HANDLER_ARGS);
+
+@@ -794,16 +795,16 @@
+ * Process a received MLDv2 general, group-specific or
+ * group-and-source-specific query.
+ *
+- * Assumes that the query header has been pulled up to sizeof(mldv2_query).
++ * Assumes that mld points to a struct mldv2_query which is stored in
++ * contiguous memory.
+ *
+ * Return 0 if successful, otherwise an appropriate error code is returned.
+ */
+ static int
+ mld_v2_input_query(struct ifnet *ifp, const struct ip6_hdr *ip6,
+- struct mbuf *m, const int off, const int icmp6len)
++ struct mbuf *m, struct mldv2_query *mld, const int off, const int icmp6len)
+ {
+ struct mld_ifsoftc *mli;
+- struct mldv2_query *mld;
+ struct in6_multi *inm;
+ uint32_t maxdelay, nsrc, qqi;
+ int is_general_query;
+@@ -828,8 +829,6 @@
+
+ CTR2(KTR_MLD, "input v2 query on ifp %p(%s)", ifp, if_name(ifp));
+
+- mld = (struct mldv2_query *)(mtod(m, uint8_t *) + off);
+-
+ maxdelay = ntohs(mld->mld_maxdelay); /* in 1/10ths of a second */
+ if (maxdelay >= 32768) {
+ maxdelay = (MLD_MRC_MANT(maxdelay) | 0x1000) <<
+@@ -954,7 +953,7 @@
+ * group-specific or group-and-source query.
+ */
+ if (mli->mli_v2_timer == 0 || mli->mli_v2_timer >= timer)
+- mld_v2_process_group_query(inm, mli, timer, m, off);
++ mld_v2_process_group_query(inm, mli, timer, m, mld, off);
+
+ /* XXX Clear embedded scope ID as userland won't expect it. */
+ in6_clearscope(&mld->mld_addr);
+@@ -975,9 +974,8 @@
+ */
+ static int
+ mld_v2_process_group_query(struct in6_multi *inm, struct mld_ifsoftc *mli,
+- int timer, struct mbuf *m0, const int off)
++ int timer, struct mbuf *m0, struct mldv2_query *mld, const int off)
+ {
+- struct mldv2_query *mld;
+ int retval;
+ uint16_t nsrc;
+
+@@ -985,7 +983,6 @@
+ MLD_LOCK_ASSERT();
+
+ retval = 0;
+- mld = (struct mldv2_query *)(mtod(m0, uint8_t *) + off);
+
+ switch (inm->in6m_state) {
+ case MLD_NOT_MEMBER:
+@@ -1005,6 +1002,15 @@
+
+ nsrc = ntohs(mld->mld_numsrc);
+
++ /* Length should be checked by calling function. */
++ KASSERT((m0->m_flags & M_PKTHDR) == 0 ||
++ m0->m_pkthdr.len >= off + sizeof(struct mldv2_query) +
++ nsrc * sizeof(struct in6_addr),
++ ("mldv2 packet is too short: (%d bytes < %zd bytes, m=%p)",
++ m0->m_pkthdr.len, off + sizeof(struct mldv2_query) +
++ nsrc * sizeof(struct in6_addr), m0));
++
++
+ /*
+ * Deal with group-specific queries upfront.
+ * If any group query is already pending, purge any recorded
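Review bot: the length check added here is a KASSERT, so it is compiled out of kernels built without INVARIANTS and does not stop a short packet at run time; the comment says the calling function should have checked the length, but that check is not among the lines this patch touches. Please either name the caller's check in the comment or return an error here. Smaller points: the condition passes unconditionally when M_PKTHDR is clear, the message prints a size_t expression with %zd where %zu is the matching conversion, and the two consecutive blank lines after the assertion can be reduced to one.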
+@@ -1046,28 +1052,20 @@
+ * report for those sources.
+ */
+ if (inm->in6m_nsrc > 0) {
+- struct mbuf *m;
+- uint8_t *sp;
++ struct in6_addr srcaddr;
+ int i, nrecorded;
+ int soff;
+
+- m = m0;
+ soff = off + sizeof(struct mldv2_query);
+ nrecorded = 0;
+ for (i = 0; i < nsrc; i++) {
+- sp = mtod(m, uint8_t *) + soff;
+- retval = in6m_record_source(inm,
+- (const struct in6_addr *)sp);
++ m_copydata(m0, soff, sizeof(struct in6_addr),
++ (caddr_t)&srcaddr);
++ retval = in6m_record_source(inm, &srcaddr);
+ if (retval < 0)
+ break;
+ nrecorded += retval;
+ soff += sizeof(struct in6_addr);
+- if (soff >= m->m_len) {
+- soff = soff - m->m_len;
+- m = m->m_next;
+- if (m == NULL)
+- break;
+- }
+ }
+ if (nrecorded > 0) {
+ CTR1(KTR_MLD,
+@@ -1276,8 +1274,8 @@
+ if (mld_v1_input_query(ifp, ip6, mld) != 0)
+ return (0);
+ } else if (icmp6len >= sizeof(struct mldv2_query)) {
+- if (mld_v2_input_query(ifp, ip6, m, off,
+- icmp6len) != 0)
++ if (mld_v2_input_query(ifp, ip6, m,
++ (struct mldv2_query *)mld, off, icmp6len) != 0)
+ return (0);
+ }
+ break;
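Review bot: `(struct mldv2_query *)mld` is passed on the strength of `icmp6len >= sizeof(struct mldv2_query)`, which tests the ICMPv6 length and not how many contiguous bytes sit behind mld. The updated comment on mld_v2_input_query() says it assumes contiguous storage, so the call site should state where that is guaranteed (the pull-up that produced mld is outside this hunk), or the pull-up should be redone for the larger structure before the cast.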
diff --git a/share/security/patches/SA-19:19/mldv2.11.patch.asc b/share/security/patches/SA-19:19/mldv2.11.patch.asc
new file mode 100644
index 0000000000..2d670a3f34
--- /dev/null
+++ b/share/security/patches/SA-19:19/mldv2.11.patch.asc
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+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+=/GVp
+-----END PGP SIGNATURE-----
diff --git a/share/security/patches/SA-19:19/mldv2.12.patch b/share/security/patches/SA-19:19/mldv2.12.patch
new file mode 100644
index 0000000000..ddbf0d270b
--- /dev/null
+++ b/share/security/patches/SA-19:19/mldv2.12.patch
@@ -0,0 +1,138 @@
+--- sys/netinet6/mld6.c.orig
++++ sys/netinet6/mld6.c
+@@ -139,7 +139,7 @@
+ struct in6_multi *, const int, const int, const int,
+ const int);
+ static int mld_v2_input_query(struct ifnet *, const struct ip6_hdr *,
+- struct mbuf *, const int, const int);
++ struct mbuf *, struct mldv2_query *, const int, const int);
+ static int mld_v2_merge_state_changes(struct in6_multi *,
+ struct mbufq *);
+ static void mld_v2_process_group_timers(struct in6_multi_head *,
+@@ -146,7 +146,8 @@
+ struct mbufq *, struct mbufq *,
+ struct in6_multi *, const int);
+ static int mld_v2_process_group_query(struct in6_multi *,
+- struct mld_ifsoftc *mli, int, struct mbuf *, const int);
++ struct mld_ifsoftc *mli, int, struct mbuf *,
++ struct mldv2_query *, const int);
+ static int sysctl_mld_gsr(SYSCTL_HANDLER_ARGS);
+ static int sysctl_mld_ifinfo(SYSCTL_HANDLER_ARGS);
+
+@@ -803,16 +804,16 @@
+ * Process a received MLDv2 general, group-specific or
+ * group-and-source-specific query.
+ *
+- * Assumes that the query header has been pulled up to sizeof(mldv2_query).
++ * Assumes that mld points to a struct mldv2_query which is stored in
++ * contiguous memory.
+ *
+ * Return 0 if successful, otherwise an appropriate error code is returned.
+ */
+ static int
+ mld_v2_input_query(struct ifnet *ifp, const struct ip6_hdr *ip6,
+- struct mbuf *m, const int off, const int icmp6len)
++ struct mbuf *m, struct mldv2_query *mld, const int off, const int icmp6len)
+ {
+ struct mld_ifsoftc *mli;
+- struct mldv2_query *mld;
+ struct in6_multi *inm;
+ uint32_t maxdelay, nsrc, qqi;
+ int is_general_query;
+@@ -844,8 +845,6 @@
+
+ CTR2(KTR_MLD, "input v2 query on ifp %p(%s)", ifp, if_name(ifp));
+
+- mld = (struct mldv2_query *)(mtod(m, uint8_t *) + off);
+-
+ maxdelay = ntohs(mld->mld_maxdelay); /* in 1/10ths of a second */
+ if (maxdelay >= 32768) {
+ maxdelay = (MLD_MRC_MANT(maxdelay) | 0x1000) <<
+@@ -970,7 +969,7 @@
+ * group-specific or group-and-source query.
+ */
+ if (mli->mli_v2_timer == 0 || mli->mli_v2_timer >= timer)
+- mld_v2_process_group_query(inm, mli, timer, m, off);
++ mld_v2_process_group_query(inm, mli, timer, m, mld, off);
+
+ /* XXX Clear embedded scope ID as userland won't expect it. */
+ in6_clearscope(&mld->mld_addr);
+@@ -991,9 +990,8 @@
+ */
+ static int
+ mld_v2_process_group_query(struct in6_multi *inm, struct mld_ifsoftc *mli,
+- int timer, struct mbuf *m0, const int off)
++ int timer, struct mbuf *m0, struct mldv2_query *mld, const int off)
+ {
+- struct mldv2_query *mld;
+ int retval;
+ uint16_t nsrc;
+
+@@ -1001,7 +999,6 @@
+ MLD_LOCK_ASSERT();
+
+ retval = 0;
+- mld = (struct mldv2_query *)(mtod(m0, uint8_t *) + off);
+
+ switch (inm->in6m_state) {
+ case MLD_NOT_MEMBER:
+@@ -1021,6 +1018,15 @@
+
+ nsrc = ntohs(mld->mld_numsrc);
+
++ /* Length should be checked by calling function. */
++ KASSERT((m0->m_flags & M_PKTHDR) == 0 ||
++ m0->m_pkthdr.len >= off + sizeof(struct mldv2_query) +
++ nsrc * sizeof(struct in6_addr),
++ ("mldv2 packet is too short: (%d bytes < %zd bytes, m=%p)",
++ m0->m_pkthdr.len, off + sizeof(struct mldv2_query) +
++ nsrc * sizeof(struct in6_addr), m0));
++
++
+ /*
+ * Deal with group-specific queries upfront.
+ * If any group query is already pending, purge any recorded
+@@ -1062,28 +1068,20 @@
+ * report for those sources.
+ */
+ if (inm->in6m_nsrc > 0) {
+- struct mbuf *m;
+- uint8_t *sp;
++ struct in6_addr srcaddr;
+ int i, nrecorded;
+ int soff;
+
+- m = m0;
+ soff = off + sizeof(struct mldv2_query);
+ nrecorded = 0;
+ for (i = 0; i < nsrc; i++) {
+- sp = mtod(m, uint8_t *) + soff;
+- retval = in6m_record_source(inm,
+- (const struct in6_addr *)sp);
++ m_copydata(m0, soff, sizeof(struct in6_addr),
++ (caddr_t)&srcaddr);
++ retval = in6m_record_source(inm, &srcaddr);
+ if (retval < 0)
+ break;
+ nrecorded += retval;
+ soff += sizeof(struct in6_addr);
+- if (soff >= m->m_len) {
+- soff = soff - m->m_len;
+- m = m->m_next;
+- if (m == NULL)
+- break;
+- }
+ }
+ if (nrecorded > 0) {
+ CTR1(KTR_MLD,
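Review bot: the rewritten loop drops the old `if (m == NULL) break;` exit and now calls m_copydata() nsrc times with nothing inside the loop bounding soff against the packet length. That is safe only if nsrc has been validated against the mbuf chain length before this function runs; the only length check in this patch is the KASSERT added earlier in the same function, which is a debug assertion. An explicit run-time bound here, or a comment naming the caller's check, would close that gap. Copying each address into the local srcaddr also removes the old assumption that `(const struct in6_addr *)sp` never straddles an mbuf boundary, which deserves a sentence in the comment above the loop.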
+@@ -1292,8 +1290,8 @@
+ if (mld_v1_input_query(ifp, ip6, mld) != 0)
+ return (0);
+ } else if (icmp6len >= sizeof(struct mldv2_query)) {
+- if (mld_v2_input_query(ifp, ip6, m, off,
+- icmp6len) != 0)
++ if (mld_v2_input_query(ifp, ip6, m,
++ (struct mldv2_query *)mld, off, icmp6len) != 0)
+ return (0);
+ }
+ break;
diff --git a/share/security/patches/SA-19:19/mldv2.12.patch.asc b/share/security/patches/SA-19:19/mldv2.12.patch.asc
new file mode 100644
index 0000000000..5e9800764c
--- /dev/null
+++ b/share/security/patches/SA-19:19/mldv2.12.patch.asc
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+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+=yhZI
+-----END PGP SIGNATURE-----
diff --git a/share/security/patches/SA-19:20/bsnmp.patch b/share/security/patches/SA-19:20/bsnmp.patch
new file mode 100644
index 0000000000..c0876ebce5
--- /dev/null
+++ b/share/security/patches/SA-19:20/bsnmp.patch
@@ -0,0 +1,14 @@
+--- contrib/bsnmp/lib/asn1.c
++++ contrib/bsnmp/lib/asn1.c
+@@ -100,6 +100,11 @@ asn_get_header(struct asn_buf *b, u_char *type, as
+ *len = *b->asn_cptr++;
+ b->asn_len--;
+ }
++ if (*len > b->asn_len) {
++ asn_error(b, "len %u exceeding asn_len %u", *len, b->asn_len);
++ return (ASN_ERR_EOBUF);
++ }
++
+ return (ASN_ERR_OK);
+ }
+
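Review bot: the new `*len > b->asn_len` test runs after the header bytes have already been consumed (`*len = *b->asn_cptr++;` and `b->asn_len--;` just above), so on ASN_ERR_EOBUF the caller gets back a buffer whose asn_cptr and asn_len have moved. If callers are expected to abandon the buffer on this error, say so in a comment; otherwise restore the saved position before returning. Also confirm that both values printed with %u in asn_error() are unsigned int, since their types are not visible in this hunk.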
diff --git a/share/security/patches/SA-19:20/bsnmp.patch.asc b/share/security/patches/SA-19:20/bsnmp.patch.asc
new file mode 100644
index 0000000000..20bfa68317
--- /dev/null
+++ b/share/security/patches/SA-19:20/bsnmp.patch.asc
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+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+=ri0D
+-----END PGP SIGNATURE-----
diff --git a/share/security/patches/SA-19:21/bhyve.patch b/share/security/patches/SA-19:21/bhyve.patch
new file mode 100644
index 0000000000..4577c92cdc
--- /dev/null
+++ b/share/security/patches/SA-19:21/bhyve.patch
@@ -0,0 +1,103 @@
+--- usr.sbin/bhyve/pci_e82545.c.orig
++++ usr.sbin/bhyve/pci_e82545.c
+@@ -1078,8 +1078,9 @@
+ struct ck_info ckinfo[2];
+ struct iovec *iov;
+ union e1000_tx_udesc *dsc;
+- int desc, dtype, len, ntype, iovcnt, tlen, hdrlen, vlen, tcp, tso;
++ int desc, dtype, len, ntype, iovcnt, tlen, tcp, tso;
+ int mss, paylen, seg, tiovcnt, left, now, nleft, nnow, pv, pvoff;
++ unsigned hdrlen, vlen;
+ uint32_t tcpsum, tcpseq;
+ uint16_t ipcs, tcpcs, ipid, ohead;
+
+@@ -1223,6 +1224,68 @@
+ } else {
+ /* In case of TSO header length provided by software. */
+ hdrlen = sc->esc_txctx.tcp_seg_setup.fields.hdr_len;
++
++ /*
++ * Cap the header length at 240 based on 7.2.4.5 of
++ * the Intel 82576EB (Rev 2.63) datasheet.
++ */
++ if (hdrlen > 240) {
++ WPRINTF("TSO hdrlen too large: %d\r\n", hdrlen);
++ goto done;
++ }
++
++ /*
++ * If VLAN insertion is requested, ensure the header
++ * at least holds the amount of data copied during
++ * VLAN insertion below.
++ *
++ * XXX: Realistic packets will include a full Ethernet
++ * header before the IP header at ckinfo[0].ck_start,
++ * but this check is sufficient to prevent
++ * out-of-bounds access below.
++ */
++ if (vlen != 0 && hdrlen < ETHER_ADDR_LEN*2) {
++ WPRINTF("TSO hdrlen too small for vlan insertion "
++ "(%d vs %d) -- dropped\r\n", hdrlen,
++ ETHER_ADDR_LEN*2);
++ goto done;
++ }
++
++ /*
++ * Ensure that the header length covers the used fields
++ * in the IP and TCP headers as well as the IP and TCP
++ * checksums. The following fields are accessed below:
++ *
++ * Header | Field | Offset | Length
++ * -------+-------+--------+-------
++ * IPv4 | len | 2 | 2
++ * IPv4 | ID | 4 | 2
++ * IPv6 | len | 4 | 2
++ * TCP | seq # | 4 | 4
++ * TCP | flags | 13 | 1
++ * UDP | len | 4 | 4
++ */
++ if (hdrlen < ckinfo[0].ck_start + 6 ||
++ hdrlen < ckinfo[0].ck_off + 2) {
++ WPRINTF("TSO hdrlen too small for IP fields (%d) "
++ "-- dropped\r\n", hdrlen);
++ goto done;
++ }
++ if (sc->esc_txctx.cmd_and_length & E1000_TXD_CMD_TCP) {
++ if (hdrlen < ckinfo[1].ck_start + 14 ||
++ (ckinfo[1].ck_valid &&
++ hdrlen < ckinfo[1].ck_off + 2)) {
++ WPRINTF("TSO hdrlen too small for TCP fields "
++ "(%d) -- dropped\r\n", hdrlen);
++ goto done;
++ }
++ } else {
++ if (hdrlen < ckinfo[1].ck_start + 8) {
++ WPRINTF("TSO hdrlen too small for UDP fields "
++ "(%d) -- dropped\r\n", hdrlen);
++ goto done;
++ }
++ }
+ }
+
+ /* Allocate, fill and prepend writable header vector. */
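Review bot: the `WPRINTF` calls added in this hunk print `hdrlen` with `%d`, but the first hunk of this patch changes `hdrlen` to `unsigned`; use `%u`. Two documentation points: the 240-byte cap cites the Intel 82576EB datasheet in `pci_e82545.c`, so the comment should say why that part's limit applies here; and the field table lists UDP `len` as 4 bytes at offset 4, whereas the UDP length field is 2 bytes, so either correct the table or note that the code reads 4 bytes (the `ck_start + 8` bound is consistent with the table as written). The literals 6, 14 and 8 would be easier to audit against the table as named constants or with the arithmetic spelled out next to each check.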
+@@ -1244,7 +1307,8 @@
+ iovcnt++;
+ iov->iov_base = hdr;
+ iov->iov_len = hdrlen;
+- }
++ } else
++ hdr = NULL;
+
+ /* Insert VLAN tag. */
+ if (vlen != 0) {
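Review bot: with `hdr` now set to `NULL` when no header vector is allocated, every later use of `hdr` has to be unreachable on that path, and the VLAN insertion block that follows is gated only on `vlen != 0` in the visible context. If that block touches `hdr`, it needs the same condition as the allocation or an explicit `hdr != NULL` check. Minor style point: the `if` branch is braced and the new `else` is not; bracing both makes the pairing easier to read.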
+@@ -1286,7 +1350,9 @@
+ DPRINTF("tx %s segmentation offload %d+%d/%d bytes %d iovs\r\n",
+ tcp ? "TCP" : "UDP", hdrlen, paylen, mss, iovcnt);
+ ipid = ntohs(*(uint16_t *)&hdr[ckinfo[0].ck_start + 4]);
+- tcpseq = ntohl(*(uint32_t *)&hdr[ckinfo[1].ck_start + 4]);
++ tcpseq = 0;
++ if (tcp)
++ tcpseq = ntohl(*(uint32_t *)&hdr[ckinfo[1].ck_start + 4]);
+ ipcs = *(uint16_t *)&hdr[ckinfo[0].ck_off];
+ tcpcs = 0;
+ if (ckinfo[1].ck_valid) /* Save partial pseudo-header checksum. */
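Review bot: the guarded read still does `*(uint32_t *)&hdr[ckinfo[1].ck_start + 4]`, a cast dereference at a computed byte offset into `hdr`, which can be misaligned; the `uint16_t` reads of `ipid` and `ipcs` next to it have the same shape. Copying the bytes out with `memcpy` (or `be32dec()` from `<sys/endian.h>` for the `tcpseq` case) avoids depending on alignment. Note also that `ipid` is still read unconditionally at `ck_start + 4`, so this path relies on the `hdrlen` checks added earlier in the patch having run; a comment here pointing back to them would make that dependency explicit.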
diff --git a/share/security/patches/SA-19:21/bhyve.patch.asc b/share/security/patches/SA-19:21/bhyve.patch.asc
new file mode 100644
index 0000000000..c52eadc7f4
--- /dev/null
+++ b/share/security/patches/SA-19:21/bhyve.patch.asc
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+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+=9NBj
+-----END PGP SIGNATURE-----