authorXin LI <delphij@FreeBSD.org>2014-01-14 19:57:49 +0000
committerXin LI <delphij@FreeBSD.org>2014-01-14 19:57:49 +0000
commitdcb9c59cc230c67c4b8743c52c86d74b7320deb4 (patch)
tree2bee7a6bddc866019c4c10f02058b7ab21021102 /share
parent1d54309d429a40f9944f9fcc7f85153db094f18a (diff)
downloaddoc-dcb9c59cc230c67c4b8743c52c86d74b7320deb4.tar.gz
doc-dcb9c59cc230c67c4b8743c52c86d74b7320deb4.zip
Add 4 latest advisories and 2 latest errata notices:
Fix bsnmpd remote denial of service vulnerability. [SA-14:01] Fix ntpd distributed reflection Denial of Service vulnerability. [SA-14:02] Fix OpenSSL multiple vulnerabilities. [SA-14:03] Fix BIND remote denial of service vulnerability. [SA-14:04] Disable hardware RNGs by default. [EN-14:01] Fix incorrect coalescing of stack entry with mmap. [EN-14:02]
Notes
Notes: svn path=/head/; revision=43519
Diffstat (limited to 'share')
-rw-r--r--share/security/advisories/FreeBSD-EN-14:01.random.asc142
-rw-r--r--share/security/advisories/FreeBSD-EN-14:02.mmap.asc127
-rw-r--r--share/security/advisories/FreeBSD-SA-14:01.bsnmpd.asc141
-rw-r--r--share/security/advisories/FreeBSD-SA-14:02.ntpd.asc167
-rw-r--r--share/security/advisories/FreeBSD-SA-14:03.openssl.asc135
-rw-r--r--share/security/advisories/FreeBSD-SA-14:04.bind.asc140
-rw-r--r--share/security/patches/EN-14:01/random-8.3.patch27
-rw-r--r--share/security/patches/EN-14:01/random-8.3.patch.asc16
-rw-r--r--share/security/patches/EN-14:01/random-9.1.patch27
-rw-r--r--share/security/patches/EN-14:01/random-9.1.patch.asc16
-rw-r--r--share/security/patches/EN-14:01/random-9.2-8.4.patch22
-rw-r--r--share/security/patches/EN-14:01/random-9.2-8.4.patch.asc16
-rw-r--r--share/security/patches/EN-14:02/mmap.patch20
-rw-r--r--share/security/patches/EN-14:02/mmap.patch.asc16
-rw-r--r--share/security/patches/SA-14:01/bsnmpd.patch16
-rw-r--r--share/security/patches/SA-14:01/bsnmpd.patch.asc16
-rw-r--r--share/security/patches/SA-14:02/ntpd.patch13
-rw-r--r--share/security/patches/SA-14:02/ntpd.patch.asc16
-rw-r--r--share/security/patches/SA-14:03/openssl.patch91
-rw-r--r--share/security/patches/SA-14:03/openssl.patch.asc16
-rw-r--r--share/security/patches/SA-14:04/bind-release.patch54
-rw-r--r--share/security/patches/SA-14:04/bind-release.patch.asc16
-rw-r--r--share/security/patches/SA-14:04/bind-stable-9.patch54
-rw-r--r--share/security/patches/SA-14:04/bind-stable-9.patch.asc16
-rw-r--r--share/xml/advisories.xml29
-rw-r--r--share/xml/notices.xml20
26 files changed, 1369 insertions, 0 deletions
diff --git a/share/security/advisories/FreeBSD-EN-14:01.random.asc b/share/security/advisories/FreeBSD-EN-14:01.random.asc
new file mode 100644
index 0000000000..dca12523ee
--- /dev/null
+++ b/share/security/advisories/FreeBSD-EN-14:01.random.asc
@@ -0,0 +1,142 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-14:01.random Errata Notice
+ The FreeBSD Project
+
+Topic: /dev/random should not make direct usage of hardware RNG
+
+Category: core
+Module: random
+Announced: 2014-01-14
+Affects: All versions of FreeBSD prior to 10.0-BETA1
+Corrected: 2014-01-14 19:27:42 UTC (stable/9, 9.2-STABLE)
+ 2014-01-14 19:42:28 UTC (releng/9.2, 9.2-RELEASE-p3)
+ 2014-01-14 19:42:28 UTC (releng/9.1, 9.1-RELEASE-p10)
+ 2014-01-14 19:27:42 UTC (stable/8, 8.4-STABLE)
+ 2014-01-14 19:42:28 UTC (releng/8.4, 8.4-RELEASE-p7)
+ 2014-01-14 19:42:28 UTC (releng/8.3, 8.3-RELEASE-p14)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:http://security.freebsd.org/>.
+
+I. Background
+
+The random(4) and urandom(4) devices return an endless supply of pseudo-random
+bytes when read. Cryptographic algorithms often depend on the secrecy of these
+pseudo-random values for security.
+
+Yarrow is a secure pseudo-random number generator that combines entropy from
+several entropy sources, mitigating a possible attack when someone could
+predict the output when they are able to intercept one or more of the
+entropy sources
+
+II. Problem Description
+
+When a hardware RNG exists, the FreeBSD random(4) and urandom(4) devices
+would use their output directly.
+
+III. Impact
+
+Someone who has control over these hardware RNGs would be able to
+predicate the output from random(4) and urandom(4) devices and may be able
+to reveal unique keys that are used to encrypt data.
+
+IV. Workaround
+
+Disable the hardware RNGs by adding the following settings to /boot/loader.conf
+and reboot the system:
+
+hw.nehemiah_rng_enable=0
+hw.ivy_rng_enable=0
+
+V. Solution
+
+Hardware RNGs would be disabled by default with this errata notice. They
+can be re-enabled by setting the corresponding loader tunables to non-zero
+value.
+
+Perform one of the following:
+
+1) Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+2) To update your present system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 9.2 and 8.4]
+# fetch http://security.FreeBSD.org/patches/EN-14:01/random-9.2-8.4.patch
+# fetch http://security.FreeBSD.org/patches/EN-14:01/random-9.2-8.4.patch.asc
+# gpg --verify random-9.2-8.4.patch.asc
+
+[FreeBSD 9.1]
+# fetch http://security.FreeBSD.org/patches/EN-14:01/random-9.1.patch
+# fetch http://security.FreeBSD.org/patches/EN-14:01/random-9.1.patch.asc
+# gpg --verify random-9.1.patch.asc
+
+[FreeBSD 8.3]
+# fetch http://security.FreeBSD.org/patches/EN-14:01/random-8.3.patch
+# fetch http://security.FreeBSD.org/patches/EN-14:01/random-8.3.patch.asc
+# gpg --verify random-8.3.patch.asc
+
+b) Apply the patch.
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+3) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+VI. Correction details
+
+The following list contains the revision numbers of each file that was
+corrected in FreeBSD.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/8/ r260644
+releng/8.3/ r260647
+releng/8.4/ r260647
+stable/9/ r260644
+releng/9.1/ r260647
+releng/9.2/ r260647
+- -------------------------------------------------------------------------
+
+VII. References
+
+The latest revision of this Errata Notice is available at
+http://security.FreeBSD.org/advisories/FreeBSD-EN-14:01.random.asc
+
+-----BEGIN PGP SIGNATURE-----
+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+=viar
+-----END PGP SIGNATURE-----
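Review bot: The Workaround section tells administrators to set `hw.nehemiah_rng_enable=0` and `hw.ivy_rng_enable=0` in /boot/loader.conf, but the accompanying random-8.3.patch in this same commit appears to introduce that tunable itself (`TUNABLE_INT_FETCH("hw.nehemiah_rng_enable", &enable)` is an added line), so a kernel that predates the correction may never consult these settings and the workaround would be silently ineffective; I would confirm that unpatched 8.x/9.x kernels read the tunables before publishing this, and otherwise state that no workaround exists short of applying the patch. The Impact paragraph says `predicate the output`, which should read `predict the output`. The Background paragraph also ends without a period after `entropy sources`.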
diff --git a/share/security/advisories/FreeBSD-EN-14:02.mmap.asc b/share/security/advisories/FreeBSD-EN-14:02.mmap.asc
new file mode 100644
index 0000000000..fa61742172
--- /dev/null
+++ b/share/security/advisories/FreeBSD-EN-14:02.mmap.asc
@@ -0,0 +1,127 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-14:02.mmap Errata Notice
+ The FreeBSD Project
+
+Topic: mmap should not coalesce stack entry
+
+Category: core
+Module: kernel
+Announced: 2014-01-14
+Credits: Konstantin Belousov
+Affects: All supported versions of FreeBSD.
+Corrected: 2013-12-30 08:57:54 UTC (stable/10, 10.0-PRERELEASE)
+ 2013-12-31 08:02:34 UTC (releng/10.0, 10.0-RC4)
+ 2013-12-31 08:02:34 UTC (releng/10.0, 10.0-RC3-p1)
+ 2013-12-31 08:02:34 UTC (releng/10.0, 10.0-RC2-p1)
+ 2013-12-31 08:02:34 UTC (releng/10.0, 10.0-RC1-p1)
+ 2013-12-30 09:04:06 UTC (stable/9, 9.2-STABLE)
+ 2014-01-14 19:42:28 UTC (releng/9.2, 9.2-RELEASE-p3)
+ 2014-01-14 19:42:28 UTC (releng/9.1, 9.1-RELEASE-p10)
+ 2014-01-14 19:33:28 UTC (stable/8, 8.4-STABLE)
+ 2014-01-14 19:42:28 UTC (releng/8.4, 8.4-RELEASE-p7)
+ 2014-01-14 19:42:28 UTC (releng/8.3, 8.3-RELEASE-p14)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:http://security.freebsd.org/>.
+
+I. Background
+
+The FreeBSD virtual memory system allows growing stack by mapping anonymous
+memory region on top of a stack via mmap(2) system call with MAP_STACK bit
+enabled in flags parameter.
+
+II. Problem Description
+
+The FreeBSD virtual memory system tries to coalesce adjacent memory regions
+into one single object when possible. When growing the stack via mmap(2), it
+will also try to coalesce the newly allocated memory into the existing object.
+This would result in a failed assertion later in vm_map_stack(), which expects
+that a new object is returned.
+
+III. Impact
+
+The system will panic when this happens.
+
+IV. Workaround
+
+No workaround is available.
+
+V. Solution
+
+Perform one of the following:
+
+1) Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+2) To update your present system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch http://security.FreeBSD.org/patches/EN-14:02/mmap.patch
+# fetch http://security.FreeBSD.org/patches/EN-14:02/mmap.patch.asc
+# gpg --verify mmap.patch.asc
+
+b) Apply the patch.
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+3) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+VI. Correction details
+
+The following list contains the revision numbers of each file that was
+corrected in FreeBSD.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/8/ r260645
+releng/8.3/ r260647
+releng/8.4/ r260647
+stable/9/ r260082
+releng/9.1/ r260647
+releng/9.2/ r260647
+stable/10/ r260081
+releng/10.0/ r260122
+- -------------------------------------------------------------------------
+
+VII. References
+
+The latest revision of this Errata Notice is available at
+http://security.FreeBSD.org/advisories/FreeBSD-EN-14:02.mmap.asc
+
+-----BEGIN PGP SIGNATURE-----
+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+=rOvi
+-----END PGP SIGNATURE-----
diff --git a/share/security/advisories/FreeBSD-SA-14:01.bsnmpd.asc b/share/security/advisories/FreeBSD-SA-14:01.bsnmpd.asc
new file mode 100644
index 0000000000..b7ec76cf6f
--- /dev/null
+++ b/share/security/advisories/FreeBSD-SA-14:01.bsnmpd.asc
@@ -0,0 +1,141 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-14:01.bsnmpd Security Advisory
+ The FreeBSD Project
+
+Topic: bsnmpd remote denial of service vulnerability
+
+Category: contrib
+Module: bsnmp
+Announced: 2014-01-14
+Credits: Dirk Meyer
+Affects: All supported versions of FreeBSD.
+Corrected: 2014-01-14 19:02:14 UTC (stable/10, 10.0-PRERELEASE)
+ 2014-01-14 19:10:38 UTC (releng/10.0, 10.0-RELEASE)
+ 2014-01-14 19:10:38 UTC (releng/10.0, 10.0-RC5-p1)
+ 2014-01-14 19:10:38 UTC (releng/10.0, 10.0-RC4-p1)
+ 2014-01-14 19:10:38 UTC (releng/10.0, 10.0-RC3-p1)
+ 2014-01-14 19:10:38 UTC (releng/10.0, 10.0-RC2-p1)
+ 2014-01-14 19:10:38 UTC (releng/10.0, 10.0-RC1-p1)
+ 2014-01-14 19:17:20 UTC (stable/9, 9.2-STABLE)
+ 2014-01-14 19:42:28 UTC (releng/9.2, 9.2-RELEASE-p3)
+ 2014-01-14 19:42:28 UTC (releng/9.1, 9.1-RELEASE-p10)
+ 2014-01-14 19:17:20 UTC (stable/8, 8.4-STABLE)
+ 2014-01-14 19:42:28 UTC (releng/8.4, 8.4-RELEASE-p7)
+ 2014-01-14 19:42:28 UTC (releng/8.3, 8.3-RELEASE-p14)
+CVE Name: CVE-2014-1452
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:http://security.FreeBSD.org/>.
+
+I. Background
+
+The bsnmpd is a simple and extensible SNMP daemon serves the Internet SNMP
+(Simple Network Management Protocol).
+
+II. Problem Description
+
+The bsnmpd(8) daemon is prone to a stack-based buffer-overflow when it
+has received a specifically crafted GETBULK PDU request.
+
+III. Impact
+
+This issue could be exploited to execute arbitrary code in the context of
+the service daemon, or crash the service daemon, causing a denial-of-service.
+
+IV. Workaround
+
+No workaround is available, but systems not running bsnmpd(8) are not
+vulnerable.
+
+V. Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch http://security.FreeBSD.org/patches/SA-14:01/bsnmpd.patch
+# fetch http://security.FreeBSD.org/patches/SA-14:01/bsnmpd.patch.asc
+# gpg --verify bsnmpd.patch.asc
+
+b) Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+Recompile the operating system using buildworld and installworld as
+described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart the bsnmpd(8) daemons, or reboot the system.
+
+3) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/8/ r260642
+releng/8.3/ r260647
+releng/8.4/ r260647
+stable/9/ r260642
+releng/9.1/ r260647
+releng/9.2/ r260647
+stable/10/ r260638
+releng/10.0/ r260640
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<other info on vulnerability>
+
+<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1452>
+
+The latest revision of this advisory is available at
+<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:01.bsnmpd.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAEBCgAGBQJS1ZS6AAoJEO1n7NZdz2rnDXwP/1iQmuO8VLjZoD3LMpiHyA/i
+YgwjX5x9XT2MyVrRmu+nHaCG3ZDC4/IV72/jCzV8udQJ1RF6Aswhuk6mXI7oatol
+OYF27JnRVAJQjAvXw3zMsp4hLv631TvgO1Az1vK7f1pX8bDC/eBTaiCH7I6QBYGS
+E4Fsi2MwOWIRyglTjlFSL8Wb2yQmzkKCx/EVFF/6mRC7l3a9pkHf5VKQtut1KYFu
+5QF5cG5anur4daP4w45yWsl0qkRDO5mJdpD+S3NtzydluWzz/Dk/0laS5wB+LLzV
+cXC5/GR/acQhO+MvDIDT4Emra2OXzsheEahOJhLKHsBF8pHBi5IldkVwQmme76/g
+aR1gLSFJ5LYcpAgBQgeWKXXCAol5zNRCR8v8IBnV2+rYRSrIdl5lstgVmla++xJD
++bC7PbTqcLlyFGrMEvd/mAvX1PVa9BVYtaxXA5QZq5EHP7nsKotcAk7/kouVfmao
+Gdxlt7YjRic6D/WqF8RFiQv9ezpbEnMQ1BwOCSUEJasXlyxJXYA6vva7tyM3OmyD
+c2I9JLeV8aCUgIf3s+HoGcZhz01kmu9REQ/OEDtiN8kX94WOzpectf8V5g+JnxRd
+HoOfcvrChohL4nla+3RvG1LJo5KD5N09yHnV2y3LjxTdKu9Hw4ATzFwmPmEUqUfG
+eF12aO4PVp42wYWNHtGe
+=xZTc
+-----END PGP SIGNATURE-----
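Review bot: The References section still carries the template placeholder `<other info on vulnerability>` immediately above the CVE link; it should be removed or replaced with a real reference before the advisory is published. The Topic line classifies the issue as a `remote denial of service vulnerability`, while the Impact section states the stack-based overflow could be exploited to execute arbitrary code in the context of the daemon; the two should agree, since readers and downstream trackers triage on the topic line. The Background sentence `The bsnmpd is a simple and extensible SNMP daemon serves the Internet SNMP` is also missing a relative pronoun, e.g. `bsnmpd(8) is a simple and extensible SNMP daemon that serves the Simple Network Management Protocol (SNMP).`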
diff --git a/share/security/advisories/FreeBSD-SA-14:02.ntpd.asc b/share/security/advisories/FreeBSD-SA-14:02.ntpd.asc
new file mode 100644
index 0000000000..30b6038cf0
--- /dev/null
+++ b/share/security/advisories/FreeBSD-SA-14:02.ntpd.asc
@@ -0,0 +1,167 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-14:02.ntpd Security Advisory
+ The FreeBSD Project
+
+Topic: ntpd distributed reflection Denial of Service vulnerability
+
+Category: contrib
+Module: ntpd
+Announced: 2014-01-14
+Affects: All supported versions of FreeBSD.
+Corrected: 2014-01-14 19:04:33 UTC (stable/10, 10.0-PRERELEASE)
+ 2014-01-14 19:12:40 UTC (releng/10.0, 10.0-RELEASE)
+ 2014-01-14 19:12:40 UTC (releng/10.0, 10.0-RC5-p1)
+ 2014-01-14 19:12:40 UTC (releng/10.0, 10.0-RC4-p1)
+ 2014-01-14 19:12:40 UTC (releng/10.0, 10.0-RC3-p1)
+ 2014-01-14 19:12:40 UTC (releng/10.0, 10.0-RC2-p1)
+ 2014-01-14 19:12:40 UTC (releng/10.0, 10.0-RC1-p1)
+ 2014-01-14 19:20:41 UTC (stable/9, 9.2-STABLE)
+ 2014-01-14 19:42:28 UTC (releng/9.2, 9.2-RELEASE-p3)
+ 2014-01-14 19:42:28 UTC (releng/9.1, 9.1-RELEASE-p10)
+ 2014-01-14 19:20:41 UTC (stable/8, 8.4-STABLE)
+ 2014-01-14 19:42:28 UTC (releng/8.4, 8.4-RELEASE-p7)
+ 2014-01-14 19:42:28 UTC (releng/8.3, 8.3-RELEASE-p14)
+CVE Name: CVE-2013-5211
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:http://security.FreeBSD.org/>.
+
+I. Background
+
+The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP)
+used to synchronize the time of a computer system to a reference time
+source.
+
+II. Problem Description
+
+The ntpd(8) daemon supports a query 'monlist' which provides a history of
+recent NTP clients without any authentication.
+
+III. Impact
+
+An attacker can send 'monlist' queries and use that as an amplification of
+a reflection attack.
+
+IV. Workaround
+
+The administrator can implement one of the following possible workarounds
+to mitigate the attack:
+
+1) Restrict access to ntpd(8). This can be done by adding the following
+lines to /etc/ntp.conf:
+
+restrict -4 default nomodify nopeer noquery notrap
+restrict -6 default nomodify nopeer noquery notrap
+restrict 127.0.0.1
+restrict -6 ::1
+restrict 127.127.1.0
+
+And restart the ntpd(8) daemon. Time service is not affected and the
+administrator can still perform queries from local host.
+
+2) Use IP based restrictions in ntpd(8) itself or in IP firewalls to
+restrict which systems can access ntpd(8).
+
+3) Replace the base system ntpd(8) with net/ntp-devel (version 4.2.7p76 or
+newer)
+
+V. Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch http://security.FreeBSD.org/patches/SA-14:02/ntpd.patch
+# fetch http://security.FreeBSD.org/patches/SA-14:02/ntpd.patch.asc
+# gpg --verify ntpd.patch.asc
+
+b) Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+Recompile the operating system using buildworld and installworld as
+described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart the ntpd(8) daemon, or reboot the system.
+
+3) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+Note that the patch would disable monitoring features of ntpd(8) daemon
+by default. If the feature is desirable, the administrator can choose
+to enable it and firewall access to ntpd(8) service.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/8/ r260641
+releng/8.3/ r260647
+releng/8.4/ r260647
+stable/9/ r260641
+releng/9.1/ r260647
+releng/9.2/ r260647
+stable/10/ r260639
+releng/10.0/ r260641
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:http://www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks>
+
+<URL:https://cert.litnet.lt/en/docs/ntp-distributed-reflection-dos-attacks>
+
+<URL:http://bugs.ntp.org/show_bug.cgi?id=1532>
+
+<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5211>
+
+The latest revision of this advisory is available at
+<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:02.ntpd.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=7q6W
+-----END PGP SIGNATURE-----
diff --git a/share/security/advisories/FreeBSD-SA-14:03.openssl.asc b/share/security/advisories/FreeBSD-SA-14:03.openssl.asc
new file mode 100644
index 0000000000..6c61df8754
--- /dev/null
+++ b/share/security/advisories/FreeBSD-SA-14:03.openssl.asc
@@ -0,0 +1,135 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-14:03.openssl Security Advisory
+ The FreeBSD Project
+
+Topic: OpenSSL multiple vulnerabilities
+
+Category: contrib
+Module: openssl
+Announced: 2014-01-14
+Affects: FreeBSD 10.0 prior to 10.0-RC5
+Corrected: 2014-01-07 20:04:41 UTC (stable/10, 10.0-PRERELEASE)
+ 2014-01-07 20:06:20 UTC (releng/10.0, 10.0-RC5)
+ 2014-01-07 20:06:20 UTC (releng/10.0, 10.0-RC4-p1)
+ 2014-01-07 20:06:20 UTC (releng/10.0, 10.0-RC3-p1)
+ 2014-01-07 20:06:20 UTC (releng/10.0, 10.0-RC2-p1)
+ 2014-01-07 20:06:20 UTC (releng/10.0, 10.0-RC1-p1)
+CVE Name: CVE-2013-4353, CVE-2013-6449, CVE-2013-6450
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:http://security.FreeBSD.org/>.
+
+I. Background
+
+FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is
+a collaborative effort to develop a robust, commercial-grade, full-featured
+Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3)
+and Transport Layer Security (TLS v1) protocols as well as a full-strength
+general purpose cryptography library.
+
+II. Problem Description
+
+A carefully crafted invalid TLS handshake could crash OpenSSL with a NULL
+pointer exception. [CVE-2013-4353]
+
+A flaw in DTLS handling can cause an application using OpenSSL and DTLS to
+crash. [CVE-2013-6450]
+
+A flaw in OpenSSL can cause an application using OpenSSL to crash when using
+TLS version 1.2. [CVE-2013-6449]
+
+III. Impact
+
+An attacker can send a specifically crafted packet that could cause an OpenSSL
+enabled application to crash, resulting in a Denial of Service.
+
+IV. Workaround
+
+No workaround is available.
+
+V. Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch http://security.FreeBSD.org/patches/SA-14:03/openssl.patch
+# fetch http://security.FreeBSD.org/patches/SA-14:03/openssl.patch.asc
+# gpg --verify openssl.patch.asc
+
+b) Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+Recompile the operating system using buildworld and installworld as
+described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart all deamons using the library, or reboot the system.
+
+3) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/10/ r260404
+releng/10.0/ r260405
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4353>
+<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6449>
+<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6450>
+
+The latest revision of this advisory is available at
+<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:03.openssl.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=YOCY
+-----END PGP SIGNATURE-----
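Review bot: The Solution section line `Restart all deamons using the library, or reboot the system.` misspells daemons; it should read `Restart all daemons using the library, or reboot the system.` The same boilerplate in SA-14:04 in this commit is spelled correctly (`Restart the applicable daemons`), so only this file needs the fix. Minor: the Problem Description lists CVE-2013-6450 before CVE-2013-6449, whereas the CVE Name line and the References section list them in ascending order; aligning the order would make cross-referencing easier.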
diff --git a/share/security/advisories/FreeBSD-SA-14:04.bind.asc b/share/security/advisories/FreeBSD-SA-14:04.bind.asc
new file mode 100644
index 0000000000..a0071db1e8
--- /dev/null
+++ b/share/security/advisories/FreeBSD-SA-14:04.bind.asc
@@ -0,0 +1,140 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-14:04.bind Security Advisory
+ The FreeBSD Project
+
+Topic: BIND remote denial of service vulnerability
+
+Category: contrib
+Module: bind
+Announced: 2014-01-14
+Credits: ISC
+Affects: FreeBSD 8.x and FreeBSD 9.x
+Corrected: 2014-01-14 19:38:37 UTC (stable/9, 9.2-STABLE)
+ 2014-01-14 19:42:28 UTC (releng/9.2, 9.2-RELEASE-p3)
+ 2014-01-14 19:42:28 UTC (releng/9.1, 9.1-RELEASE-p10)
+ 2014-01-14 19:38:37 UTC (stable/8, 8.4-STABLE)
+ 2014-01-14 19:42:28 UTC (releng/8.4, 8.4-RELEASE-p7)
+ 2014-01-14 19:42:28 UTC (releng/8.3, 8.3-RELEASE-p14)
+CVE Name: CVE-2014-0591
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:http://security.FreeBSD.org/>.
+
+I. Background
+
+BIND 9 is an implementation of the Domain Name System (DNS) protocols.
+The named(8) daemon is an Internet Domain Name Server.
+
+II. Problem Description
+
+Because of a defect in handling queries for NSEC3-signed zones, BIND can
+crash with an "INSIST" failure in name.c when processing queries possessing
+certain properties. This issue only affects authoritative nameservers with
+at least one NSEC3-signed zone. Recursive-only servers are not at risk.
+
+III. Impact
+
+An attacker who can send a specially crafted query could cause named(8)
+to crash, resulting in a denial of service.
+
+IV. Workaround
+
+No workaround is available, but systems not running authoritative DNS service
+with at least one NSEC3-signed zone using named(8) are not vulnerable.
+
+V. Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 8.3, 8.4, 9.1, 9.2-RELEASE and 8.4-STABLE]
+# fetch http://security.FreeBSD.org/patches/SA-14:04/bind-release.patch
+# fetch http://security.FreeBSD.org/patches/SA-14:04/bind-release.patch.asc
+# gpg --verify bind-release.patch.asc
+
+[FreeBSD 9.2-STABLE]
+# fetch http://security.FreeBSD.org/patches/SA-14:04/bind-stable-9.patch
+# fetch http://security.FreeBSD.org/patches/SA-14:04/bind-stable-9.patch.asc
+# gpg --verify bind-stable-9.patch.asc
+
+b) Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+Recompile the operating system using buildworld and installworld as
+described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart the applicable daemons, or reboot the system.
+
+3) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/8/ r260646
+releng/8.3/ r260647
+releng/8.4/ r260647
+stable/9/ r260646
+releng/9.1/ r260647
+releng/9.2/ r260647
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://kb.isc.org/article/AA-01078>
+
+<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0591>
+
+The latest revision of this advisory is available at
+<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:04.bind.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAEBCgAGBQJS1ZTYAAoJEO1n7NZdz2rnOvQP/2/68/s9Cu35PmqNtSZVVxVG
+ZSQP5EGWx/lramNf9566iKxOrLRMq/h3XWcC4goVd+gZFrvITJSVOWSa7ntDQ7TO
+XcinfRZ/iyiJbs/Rg2wLHc/t5oVSyeouyccqODYFbOwOlk35JjOTMUG1YcX+Zasg
+ax8RV+7Zt1QSBkMlOz/myBLXUjlTZ3Xg2FXVsfFQW5/g2CjuHpRSFx1bVNX6ysoG
+9DT58EQcYxIS8WfkHRbbXKh9I1nSfZ7/Hky/kTafRdRMrjAgbqFgHkYTYsBZeav5
+fYWKGQRJulYfeZQ90yMTvlpF42DjCC3uJYamJnwDIu8OhS1WRBI8fQfr9DRzmRua
+OK3BK9hUiScDZOJB6OqeVzUTfe7MAA4/UwrDtTYQ+PqAenv1PK8DZqwXyxA9ThHb
+zKO3OwuKOVHJnKvpOcr+eNwo7jbnHlis0oBksj/mrq2P9m2ueF9gzCiq5Ri5Syag
+Wssb1HUoMGwqU0roS8+pRpNC8YgsWpsttvUWSZ8u6Vj/FLeHpiV3mYXPVMaKRhVm
+067BA2uj4Th1JKtGleox+Em0R7OFbCc/9aWC67wiqI6KRyit9pYiF3npph+7D5Eq
+7zPsUdDd+qc+UTiLp3liCRp5w6484wWdhZO6wRtmUgxGjNkxFoNnX8CitzF8AaqO
+UWWemqWuz3lAZuORQ9KX
+=OQzQ
+-----END PGP SIGNATURE-----
diff --git a/share/security/patches/EN-14:01/random-8.3.patch b/share/security/patches/EN-14:01/random-8.3.patch
new file mode 100644
index 0000000000..af1cd1c60d
--- /dev/null
+++ b/share/security/patches/EN-14:01/random-8.3.patch
@@ -0,0 +1,27 @@
+Index: sys/dev/random/probe.c
+===================================================================
+--- sys/dev/random/probe.c (revision 260523)
++++ sys/dev/random/probe.c (working copy)
+@@ -30,6 +30,8 @@ __FBSDID("$FreeBSD$");
+
+ #include <sys/types.h>
+ #include <sys/param.h>
++#include <sys/systm.h>
++#include <sys/kernel.h>
+ #include <sys/malloc.h>
+ #include <sys/random.h>
+ #include <sys/selinfo.h>
+@@ -57,7 +59,12 @@ random_ident_hardware(struct random_systat *systat
+ /* Then go looking for hardware */
+ #if defined(__i386__) && !defined(PC98)
+ if (via_feature_rng & VIA_HAS_RNG) {
+- *systat = random_nehemiah;
++ int enable;
++
++ enable = 0;
++ TUNABLE_INT_FETCH("hw.nehemiah_rng_enable", &enable);
++ if (enable)
++ *systat = random_nehemiah;
+ }
+ #endif
+ }
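Review bot: The new opt-in default at `enable = 0;` is undocumented in the code, so a reader of probe.c gets no hint that the VIA RNG is deliberately off or how to select it again; a one-line comment above the `TUNABLE_INT_FETCH`, e.g. `/* Off by default; set hw.nehemiah_rng_enable=1 in loader.conf to select the VIA RNG. */`, would carry that. `TUNABLE_INT_FETCH` appears to read the loader environment once at probe time, so a runtime sysctl cannot re-enable the source after boot — worth stating in the same comment. This branch's patch gates only the Nehemiah path; the 9.2/8.4 patch below also covers RDRAND. `random_ident_hardware` starts and ends outside the hunk.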
diff --git a/share/security/patches/EN-14:01/random-8.3.patch.asc b/share/security/patches/EN-14:01/random-8.3.patch.asc
new file mode 100644
index 0000000000..da72b4fc15
--- /dev/null
+++ b/share/security/patches/EN-14:01/random-8.3.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+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+=jEbX
+-----END PGP SIGNATURE-----
diff --git a/share/security/patches/EN-14:01/random-9.1.patch b/share/security/patches/EN-14:01/random-9.1.patch
new file mode 100644
index 0000000000..bb3caba001
--- /dev/null
+++ b/share/security/patches/EN-14:01/random-9.1.patch
@@ -0,0 +1,27 @@
+Index: sys/dev/random/probe.c
+===================================================================
+--- sys/dev/random/probe.c (revision 260523)
++++ sys/dev/random/probe.c (working copy)
+@@ -30,6 +30,8 @@ __FBSDID("$FreeBSD$");
+
+ #include <sys/types.h>
+ #include <sys/param.h>
++#include <sys/systm.h>
++#include <sys/kernel.h>
+ #include <sys/malloc.h>
+ #include <sys/random.h>
+ #include <sys/selinfo.h>
+@@ -57,7 +59,12 @@ random_ident_hardware(struct random_systat *systat
+ /* Then go looking for hardware */
+ #if defined(__amd64__) || (defined(__i386__) && !defined(PC98))
+ if (via_feature_rng & VIA_HAS_RNG) {
+- *systat = random_nehemiah;
++ int enable;
++
++ enable = 0;
++ TUNABLE_INT_FETCH("hw.nehemiah_rng_enable", &enable);
++ if (enable)
++ *systat = random_nehemiah;
+ }
+ #endif
+ }
diff --git a/share/security/patches/EN-14:01/random-9.1.patch.asc b/share/security/patches/EN-14:01/random-9.1.patch.asc
new file mode 100644
index 0000000000..fc7999b93f
--- /dev/null
+++ b/share/security/patches/EN-14:01/random-9.1.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+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+=FCsi
+-----END PGP SIGNATURE-----
diff --git a/share/security/patches/EN-14:01/random-9.2-8.4.patch b/share/security/patches/EN-14:01/random-9.2-8.4.patch
new file mode 100644
index 0000000000..995ee7aff7
--- /dev/null
+++ b/share/security/patches/EN-14:01/random-9.2-8.4.patch
@@ -0,0 +1,22 @@
+Index: sys/dev/random/probe.c
+===================================================================
+--- sys/dev/random/probe.c (revision 259661)
++++ sys/dev/random/probe.c (working copy)
+@@ -73,7 +73,7 @@
+ if (via_feature_rng & VIA_HAS_RNG) {
+ int enable;
+
+- enable = 1;
++ enable = 0;
+ TUNABLE_INT_FETCH("hw.nehemiah_rng_enable", &enable);
+ if (enable)
+ *systat = random_nehemiah;
+@@ -83,7 +83,7 @@
+ if (cpu_feature2 & CPUID2_RDRAND) {
+ int enable;
+
+- enable = 1;
++ enable = 0;
+ TUNABLE_INT_FETCH("hw.ivy_rng_enable", &enable);
+ if (enable)
+ *systat = random_ivy;
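Review bot: Flipping `enable = 1` to `enable = 0` for both tunables silently changes which source backs the random device, yet nothing is logged and no comment explains the opt-in; hosts that relied on RDRAND or the VIA RNG will presumably keep whatever `*systat` held before, with no visible sign. Suggest a comment above each `TUNABLE_INT_FETCH`, e.g. `/* Hardware RNG is opt-in; set hw.ivy_rng_enable=1 (loader tunable) to use it. */` and the same for `hw.nehemiah_rng_enable`. The two branches are byte-for-byte parallel and could share a small helper, though that is beyond an errata patch. The enclosing function starts and ends outside the hunk.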
diff --git a/share/security/patches/EN-14:01/random-9.2-8.4.patch.asc b/share/security/patches/EN-14:01/random-9.2-8.4.patch.asc
new file mode 100644
index 0000000000..7ee07e42fa
--- /dev/null
+++ b/share/security/patches/EN-14:01/random-9.2-8.4.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+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+=kf47
+-----END PGP SIGNATURE-----
diff --git a/share/security/patches/EN-14:02/mmap.patch b/share/security/patches/EN-14:02/mmap.patch
new file mode 100644
index 0000000000..fd4040a881
--- /dev/null
+++ b/share/security/patches/EN-14:02/mmap.patch
@@ -0,0 +1,20 @@
+Index: sys/vm/vm_map.c
+===================================================================
+--- sys/vm/vm_map.c (revision 259950)
++++ sys/vm/vm_map.c (revision 259951)
+@@ -1207,6 +1207,7 @@ charged:
+ }
+ else if ((prev_entry != &map->header) &&
+ (prev_entry->eflags == protoeflags) &&
++ (cow & (MAP_ENTRY_GROWS_DOWN | MAP_ENTRY_GROWS_UP)) == 0 &&
+ (prev_entry->end == start) &&
+ (prev_entry->wired_count == 0) &&
+ (prev_entry->cred == cred ||
+@@ -3339,7 +3340,6 @@ vm_map_stack(vm_map_t map, vm_offset_t addrbos, vm
+ * NOTE: We explicitly allow bi-directional stacks.
+ */
+ orient = cow & (MAP_STACK_GROWS_DOWN|MAP_STACK_GROWS_UP);
+- cow &= ~orient;
+ KASSERT(orient != 0, ("No stack grow direction"));
+
+ if (addrbos < vm_map_min(map) ||
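Review bot: The new coalescing guard `(cow & (MAP_ENTRY_GROWS_DOWN | MAP_ENTRY_GROWS_UP)) == 0` tests the `cow` argument against MAP_ENTRY_* bits, while `vm_map_stack` in the second hunk masks `cow` with `MAP_STACK_GROWS_DOWN|MAP_STACK_GROWS_UP` and now stops clearing them, so the fix is only correct if the MAP_STACK_* and MAP_ENTRY_* flag values are identical — which nothing in the hunk states. If they ever diverge the guard becomes a silent no-op and stack entries coalesce with mmap'd ones again. Pin the assumption next to the guard, `/* cow carries MAP_STACK_GROWS_* here, which alias MAP_ENTRY_GROWS_* */`, and add `CTASSERT(MAP_STACK_GROWS_DOWN == MAP_ENTRY_GROWS_DOWN);` and `CTASSERT(MAP_STACK_GROWS_UP == MAP_ENTRY_GROWS_UP);` at file scope. Both enclosing functions begin and end outside the hunk.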
diff --git a/share/security/patches/EN-14:02/mmap.patch.asc b/share/security/patches/EN-14:02/mmap.patch.asc
new file mode 100644
index 0000000000..92d66bd6cc
--- /dev/null
+++ b/share/security/patches/EN-14:02/mmap.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAABCgAGBQJS1ZUpAAoJEO1n7NZdz2rnT+4P/ilcGYfPLHfrBH3DNbBJMS8i
+jsYkV0d2PbgWdaxIHJMbAwkAJBkcPIb3aQSL3HiVYehSH9AsMbJgHZPIDpAkJ7gl
+oY3f+WapTRx+jun89a+EbM5tUpZhagX8rgGUunVpJ3emkzC81peHi9OyeSDCNs1M
+1iPeRWYrL4MaAHnt8rFUqGiBzxEk2AEmvvMsfvhbXmS6AmMp8gL7jiuBXDlDx8+6
+eWi86kNcMyWtSb2KRNUQ/2Kf84Wl5H+qgdhhzFx5OkI9jH3XFB2aY2SPiDfUPAC8
+bdpAR8pKwyhm+AyQdv/bdqgVy3gWW6J55Q1hP7pqze2HONZFE9VekC8xVOr5sBxG
+2pvMRiIUdoOOEIXgqcYa3d8y5fApVkRa/9vT27JY5QZu0ypSsu7LuSkS/IADy0o5
+B9Sknl0BZFuGdslm66zOJzEpeCHL9VHPrW96fs3ca8/01/WE7iXDcuKC6cfc8Pjd
+5ZyazZrygwkzjmT4tqB9U9a9zmVqCKkfejg2pJLXBL7ONUnONXEKxkr1jheTyU+1
+PSY4qkY58bi5P0Ef+mDFjmfMCfT0UVdIePFg3R17ALztNahMOUGW7BxIPgTWNFjk
+4+gH9w5RKdscW2UgSC/HPWJHxyBIJfl6nEPmWqnrK+J+behwrdSBZBl2mmgPaDAn
+5siNUmFL9GU4xr/b9xeG
+=sEcV
+-----END PGP SIGNATURE-----
diff --git a/share/security/patches/SA-14:01/bsnmpd.patch b/share/security/patches/SA-14:01/bsnmpd.patch
new file mode 100644
index 0000000000..c86b45fe49
--- /dev/null
+++ b/share/security/patches/SA-14:01/bsnmpd.patch
@@ -0,0 +1,16 @@
+Index: contrib/bsnmp/lib/snmpagent.c
+===================================================================
+--- contrib/bsnmp/lib/snmpagent.c (revision 259661)
++++ contrib/bsnmp/lib/snmpagent.c (working copy)
+@@ -488,6 +488,11 @@ snmp_getbulk(struct snmp_pdu *pdu, struct asn_buf
+ for (cnt = 0; cnt < pdu->error_index; cnt++) {
+ eomib = 1;
+ for (i = non_rep; i < pdu->nbindings; i++) {
++
++ if (resp->nbindings == SNMP_MAX_BINDINGS)
++ /* PDU is full */
++ goto done;
++
+ if (cnt == 0)
+ result = do_getnext(&context, &pdu->bindings[i],
+ &resp->bindings[resp->nbindings], pdu);
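Review bot: The guard `if (resp->nbindings == SNMP_MAX_BINDINGS)` stops the write to `&resp->bindings[resp->nbindings]` just in time, but its comment `/* PDU is full */` does not say why it matters; prefer `/* Response PDU is full: stop before writing past resp->bindings[] */` so the bounds check is not later mistaken for an optimisation and dropped. A `>=` comparison would be the more defensive form, since an `==` test is skipped by any future change that appends more than one binding per iteration. The non-repeater loop preceding this hunk also appends to `resp->bindings[]` and is not visible here — confirm it is bounded by the same limit. `snmp_getbulk` and the `done` label lie outside the hunk.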
diff --git a/share/security/patches/SA-14:01/bsnmpd.patch.asc b/share/security/patches/SA-14:01/bsnmpd.patch.asc
new file mode 100644
index 0000000000..3d12ccc27c
--- /dev/null
+++ b/share/security/patches/SA-14:01/bsnmpd.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+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+=ibna
+-----END PGP SIGNATURE-----
diff --git a/share/security/patches/SA-14:02/ntpd.patch b/share/security/patches/SA-14:02/ntpd.patch
new file mode 100644
index 0000000000..9838361106
--- /dev/null
+++ b/share/security/patches/SA-14:02/ntpd.patch
@@ -0,0 +1,13 @@
+Index: contrib/ntp/ntpd/ntp_config.c
+===================================================================
+--- contrib/ntp/ntpd/ntp_config.c (revision 259828)
++++ contrib/ntp/ntpd/ntp_config.c (working copy)
+@@ -597,6 +597,8 @@ getconfig(
+ #endif /* not SYS_WINNT */
+ }
+
++ proto_config(PROTO_MONITOR, 0, 0., NULL);
++
+ for (;;) {
+ if (tok == CONFIG_END)
+ break;
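Review bot: The added `proto_config(PROTO_MONITOR, 0, 0., NULL);` sits before the configuration loop, which is what lets an explicit `enable monitor` in ntp.conf override it, but nothing records that ordering dependency; a comment such as `/* Monitor off by default; placed before the parse loop so ntp.conf "enable monitor" can still turn it on. */` would stop someone relocating it. Disabling the monitor presumably only empties the data the amplifying query returns; `restrict default noquery` remains the stronger control and the comment could say so. `getconfig` begins and ends outside the hunk.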
diff --git a/share/security/patches/SA-14:02/ntpd.patch.asc b/share/security/patches/SA-14:02/ntpd.patch.asc
new file mode 100644
index 0000000000..0f4f8fd8bb
--- /dev/null
+++ b/share/security/patches/SA-14:02/ntpd.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+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+=wiMs
+-----END PGP SIGNATURE-----
diff --git a/share/security/patches/SA-14:03/openssl.patch b/share/security/patches/SA-14:03/openssl.patch
new file mode 100644
index 0000000000..2a681158fa
--- /dev/null
+++ b/share/security/patches/SA-14:03/openssl.patch
@@ -0,0 +1,91 @@
+Index: crypto/openssl/ssl/d1_both.c
+===================================================================
+--- crypto/openssl/ssl/d1_both.c (revision 260378)
++++ crypto/openssl/ssl/d1_both.c (working copy)
+@@ -214,6 +214,12 @@ dtls1_hm_fragment_new(unsigned long frag_len, int
+ static void
+ dtls1_hm_fragment_free(hm_fragment *frag)
+ {
++
++ if (frag->msg_header.is_ccs)
++ {
++ EVP_CIPHER_CTX_free(frag->msg_header.saved_retransmit_state.enc_write_ctx);
++ EVP_MD_CTX_destroy(frag->msg_header.saved_retransmit_state.write_hash);
++ }
+ if (frag->fragment) OPENSSL_free(frag->fragment);
+ if (frag->reassembly) OPENSSL_free(frag->reassembly);
+ OPENSSL_free(frag);
+Index: crypto/openssl/ssl/s3_both.c
+===================================================================
+--- crypto/openssl/ssl/s3_both.c (revision 260378)
++++ crypto/openssl/ssl/s3_both.c (working copy)
+@@ -208,7 +208,11 @@ static void ssl3_take_mac(SSL *s)
+ {
+ const char *sender;
+ int slen;
+-
++ /* If no new cipher setup return immediately: other functions will
++ * set the appropriate error.
++ */
++ if (s->s3->tmp.new_cipher == NULL)
++ return;
+ if (s->state & SSL_ST_CONNECT)
+ {
+ sender=s->method->ssl3_enc->server_finished_label;
+Index: crypto/openssl/ssl/s3_lib.c
+===================================================================
+--- crypto/openssl/ssl/s3_lib.c (revision 260378)
++++ crypto/openssl/ssl/s3_lib.c (working copy)
+@@ -4274,7 +4274,7 @@ need to go to SSL_ST_ACCEPT.
+ long ssl_get_algorithm2(SSL *s)
+ {
+ long alg2 = s->s3->tmp.new_cipher->algorithm2;
+- if (TLS1_get_version(s) >= TLS1_2_VERSION &&
++ if (s->method->version == TLS1_2_VERSION &&
+ alg2 == (SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF))
+ return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256;
+ return alg2;
+Index: crypto/openssl/ssl/ssl_locl.h
+===================================================================
+--- crypto/openssl/ssl/ssl_locl.h (revision 260378)
++++ crypto/openssl/ssl/ssl_locl.h (working copy)
+@@ -621,6 +621,8 @@ extern SSL3_ENC_METHOD TLSv1_enc_data;
+ extern SSL3_ENC_METHOD SSLv3_enc_data;
+ extern SSL3_ENC_METHOD DTLSv1_enc_data;
+
++#define SSL_IS_DTLS(s) (s->method->version == DTLS1_VERSION)
++
+ #define IMPLEMENT_tls_meth_func(version, func_name, s_accept, s_connect, \
+ s_get_meth) \
+ const SSL_METHOD *func_name(void) \
+Index: crypto/openssl/ssl/t1_enc.c
+===================================================================
+--- crypto/openssl/ssl/t1_enc.c (revision 260378)
++++ crypto/openssl/ssl/t1_enc.c (working copy)
+@@ -414,15 +414,20 @@ int tls1_change_cipher_state(SSL *s, int which)
+ s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM;
+ else
+ s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_STREAM;
+- if (s->enc_write_ctx != NULL)
++ if (s->enc_write_ctx != NULL && !SSL_IS_DTLS(s))
+ reuse_dd = 1;
+- else if ((s->enc_write_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
++ else if ((s->enc_write_ctx=EVP_CIPHER_CTX_new()) == NULL)
+ goto err;
++ dd= s->enc_write_ctx;
++ if (SSL_IS_DTLS(s))
++ {
++ mac_ctx = EVP_MD_CTX_create();
++ if (!mac_ctx)
++ goto err;
++ s->write_hash = mac_ctx;
++ }
+ else
+- /* make sure it's intialized in case we exit later with an error */
+- EVP_CIPHER_CTX_init(s->enc_write_ctx);
+- dd= s->enc_write_ctx;
+- mac_ctx = ssl_replace_hash(&s->write_hash,NULL);
++ mac_ctx = ssl_replace_hash(&s->write_hash,NULL);
+ #ifndef OPENSSL_NO_COMP
+ if (s->compress != NULL)
+ {
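Review bot: In the t1_enc.c hunk the DTLS branch assigns a fresh `EVP_CIPHER_CTX_new()` and `EVP_MD_CTX_create()` into `s->enc_write_ctx` and `s->write_hash` without freeing or recording what they previously pointed to; this is leak-free only if the old contexts have already been handed to `saved_retransmit_state`, which the d1_both.c hunk then frees, and that ownership transfer is invisible here. A comment at `if (SSL_IS_DTLS(s))`, e.g. `/* DTLS: the previous write ctx/hash now belong to the saved retransmit state (freed in dtls1_hm_fragment_free); never reuse them here */`, would make the contract explicit, and an assertion that the retransmit state holds them would catch a leak on renegotiation. Separately, the new `SSL_IS_DTLS(s)` macro in ssl_locl.h does not parenthesise its argument; write `((s)->method->version == DTLS1_VERSION)`. Each of the five functions touched starts and ends outside the hunk.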
diff --git a/share/security/patches/SA-14:03/openssl.patch.asc b/share/security/patches/SA-14:03/openssl.patch.asc
new file mode 100644
index 0000000000..171a0ff8dc
--- /dev/null
+++ b/share/security/patches/SA-14:03/openssl.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+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+=KeeT
+-----END PGP SIGNATURE-----
diff --git a/share/security/patches/SA-14:04/bind-release.patch b/share/security/patches/SA-14:04/bind-release.patch
new file mode 100644
index 0000000000..0400e47f2b
--- /dev/null
+++ b/share/security/patches/SA-14:04/bind-release.patch
@@ -0,0 +1,54 @@
+Index: contrib/bind9/bin/named/query.c
+===================================================================
+--- contrib/bind9/bin/named/query.c (revision 260523)
++++ contrib/bind9/bin/named/query.c (working copy)
+@@ -3622,8 +3622,7 @@ query_findclosestnsec3(dns_name_t *qname, dns_db_t
+ dns_fixedname_t fixed;
+ dns_hash_t hash;
+ dns_name_t name;
+- int order;
+- unsigned int count;
++ unsigned int skip = 0, labels;
+ dns_rdata_nsec3_t nsec3;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ isc_boolean_t optout;
+@@ -3636,6 +3635,7 @@ query_findclosestnsec3(dns_name_t *qname, dns_db_t
+
+ dns_name_init(&name, NULL);
+ dns_name_clone(qname, &name);
++ labels = dns_name_countlabels(&name);
+
+ /*
+ * Map unknown algorithm to known value.
+@@ -3667,13 +3667,14 @@ query_findclosestnsec3(dns_name_t *qname, dns_db_t
+ dns_rdata_reset(&rdata);
+ optout = ISC_TF((nsec3.flags & DNS_NSEC3FLAG_OPTOUT) != 0);
+ if (found != NULL && optout &&
+- dns_name_fullcompare(&name, dns_db_origin(db), &order,
+- &count) == dns_namereln_subdomain) {
++ dns_name_issubdomain(&name, dns_db_origin(db)))
++ {
+ dns_rdataset_disassociate(rdataset);
+ if (dns_rdataset_isassociated(sigrdataset))
+ dns_rdataset_disassociate(sigrdataset);
+- count = dns_name_countlabels(&name) - 1;
+- dns_name_getlabelsequence(&name, 1, count, &name);
++ skip++;
++ dns_name_getlabelsequence(qname, skip, labels - skip,
++ &name);
+ ns_client_log(client, DNS_LOGCATEGORY_DNSSEC,
+ NS_LOGMODULE_QUERY, ISC_LOG_DEBUG(3),
+ "looking for closest provable encloser");
+@@ -3691,7 +3692,11 @@ query_findclosestnsec3(dns_name_t *qname, dns_db_t
+ ns_client_log(client, DNS_LOGCATEGORY_DNSSEC,
+ NS_LOGMODULE_QUERY, ISC_LOG_WARNING,
+ "expected covering NSEC3, got an exact match");
+- if (found != NULL)
++ if (found == qname) {
++ if (skip != 0U)
++ dns_name_getlabelsequence(qname, skip, labels - skip,
++ found);
++ } else if (found != NULL)
+ dns_name_copy(&name, found, NULL);
+ return;
+ }
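Review bot: Replacing the strict `dns_namereln_subdomain` test with `dns_name_issubdomain(&name, dns_db_origin(db))` also accepts `name` equal to the zone origin, so if this branch were ever reached with `name` at the apex the code would strip past the apex and re-query outside the zone. That looks unreachable because the apex's own NSEC3 record should take the exact-match path first, but the hunk does not say so; a comment on the condition, `/* name cannot be the apex here: its NSEC3 always exists and is caught as an exact match first */`, would make the assumption checkable. `labels - skip` is unsigned and relies on the same bound to avoid wrapping. `query_findclosestnsec3` starts and ends outside the hunk.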
diff --git a/share/security/patches/SA-14:04/bind-release.patch.asc b/share/security/patches/SA-14:04/bind-release.patch.asc
new file mode 100644
index 0000000000..17313a753e
--- /dev/null
+++ b/share/security/patches/SA-14:04/bind-release.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+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+=yZ2q
+-----END PGP SIGNATURE-----
diff --git a/share/security/patches/SA-14:04/bind-stable-9.patch b/share/security/patches/SA-14:04/bind-stable-9.patch
new file mode 100644
index 0000000000..f35fc4c61c
--- /dev/null
+++ b/share/security/patches/SA-14:04/bind-stable-9.patch
@@ -0,0 +1,54 @@
+Index: contrib/bind9/bin/named/query.c
+===================================================================
+--- contrib/bind9/bin/named/query.c (revision 260523)
++++ contrib/bind9/bin/named/query.c (working copy)
+@@ -5260,8 +5260,7 @@ query_findclosestnsec3(dns_name_t *qname, dns_db_t
+ dns_fixedname_t fixed;
+ dns_hash_t hash;
+ dns_name_t name;
+- int order;
+- unsigned int count;
++ unsigned int skip = 0, labels;
+ dns_rdata_nsec3_t nsec3;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ isc_boolean_t optout;
+@@ -5276,6 +5275,7 @@ query_findclosestnsec3(dns_name_t *qname, dns_db_t
+
+ dns_name_init(&name, NULL);
+ dns_name_clone(qname, &name);
++ labels = dns_name_countlabels(&name);
+ dns_clientinfomethods_init(&cm, ns_client_sourceip);
+ dns_clientinfo_init(&ci, client);
+
+@@ -5309,13 +5309,14 @@ query_findclosestnsec3(dns_name_t *qname, dns_db_t
+ dns_rdata_reset(&rdata);
+ optout = ISC_TF((nsec3.flags & DNS_NSEC3FLAG_OPTOUT) != 0);
+ if (found != NULL && optout &&
+- dns_name_fullcompare(&name, dns_db_origin(db), &order,
+- &count) == dns_namereln_subdomain) {
++ dns_name_issubdomain(&name, dns_db_origin(db)))
++ {
+ dns_rdataset_disassociate(rdataset);
+ if (dns_rdataset_isassociated(sigrdataset))
+ dns_rdataset_disassociate(sigrdataset);
+- count = dns_name_countlabels(&name) - 1;
+- dns_name_getlabelsequence(&name, 1, count, &name);
++ skip++;
++ dns_name_getlabelsequence(qname, skip, labels - skip,
++ &name);
+ ns_client_log(client, DNS_LOGCATEGORY_DNSSEC,
+ NS_LOGMODULE_QUERY, ISC_LOG_DEBUG(3),
+ "looking for closest provable encloser");
+@@ -5333,7 +5334,11 @@ query_findclosestnsec3(dns_name_t *qname, dns_db_t
+ ns_client_log(client, DNS_LOGCATEGORY_DNSSEC,
+ NS_LOGMODULE_QUERY, ISC_LOG_WARNING,
+ "expected covering NSEC3, got an exact match");
+- if (found != NULL)
++ if (found == qname) {
++ if (skip != 0U)
++ dns_name_getlabelsequence(qname, skip, labels - skip,
++ found);
++ } else if (found != NULL)
+ dns_name_copy(&name, found, NULL);
+ return;
+ }
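Review bot: The new `found == qname` branch exists because `name` is a `dns_name_clone()` of `qname` and appears to share rather than copy its storage, so the old `dns_name_copy(&name, found, NULL)` was an overlapping copy whenever the caller passed the same name for both; re-slicing with `dns_name_getlabelsequence(qname, skip, labels - skip, found)` avoids that, but the reason is not written down. Suggest `/* found may be qname itself; name aliases qname's storage, so re-slice rather than copy */` above the branch. When `skip == 0` the branch leaves `found` untouched, which is correct only because `found` already is `qname` — worth saying in the same comment. The function starts and ends outside the hunk.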
diff --git a/share/security/patches/SA-14:04/bind-stable-9.patch.asc b/share/security/patches/SA-14:04/bind-stable-9.patch.asc
new file mode 100644
index 0000000000..74e22f9fc4
--- /dev/null
+++ b/share/security/patches/SA-14:04/bind-stable-9.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+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+=huh6
+-----END PGP SIGNATURE-----
diff --git a/share/xml/advisories.xml b/share/xml/advisories.xml
index c448377132..6ce926d40c 100644
--- a/share/xml/advisories.xml
+++ b/share/xml/advisories.xml
@@ -5,6 +5,35 @@
</cvs:keyword>
<year>
+ <name>2014</name>
+
+ <month>
+ <name>1</name>
+
+ <day>
+ <name>14</name>
+
+ <advisory>
+ <name>FreeBSD-SA-14:01.bsnmpd</name>
+ </advisory>
+
+ <advisory>
+ <name>FreeBSD-SA-14:02.ntpd</name>
+ </advisory>
+
+ <advisory>
+ <name>FreeBSD-SA-14:03.openssl</name>
+ </advisory>
+
+ <advisory>
+ <name>FreeBSD-SA-14:04.bind</name>
+ </advisory>
+ </day>
+ </month>
+
+ </year>
+
+ <year>
<name>2013</name>
<month>
diff --git a/share/xml/notices.xml b/share/xml/notices.xml
index b99fe30ace..8f4ddf9c32 100644
--- a/share/xml/notices.xml
+++ b/share/xml/notices.xml
@@ -5,6 +5,26 @@
</cvs:keyword>
<year>
+ <name>2014</name>
+
+ <month>
+ <name>1</name>
+
+ <day>
+ <name>14</name>
+
+ <notice>
+ <name>FreeBSD-EN-14:01.random</name>
+ </notice>
+
+ <notice>
+ <name>FreeBSD-EN-14:02.mmap</name>
+ </notice>
+ </day>
+ </month>
+ </year>
+
+ <year>
<name>2013</name>
<month>