author | Gordon Tetlow <gordon@FreeBSD.org> | 2022-03-15 19:18:42 +0000 |
---|---|---|
committer | Gordon Tetlow <gordon@FreeBSD.org> | 2022-03-15 19:21:16 +0000 |
commit | ba3b824455f82aeca72ef6cd34cabf09672a2640 (patch) | |
tree | b14a0a467de12d1eb28be67d60aef47d59aa699a /website | |
parent | 00f6c1be842bbf1b20a91c10d250ae082f1fd826 (diff) | |
download | doc-ba3b824455f82aeca72ef6cd34cabf09672a2640.tar.gz doc-ba3b824455f82aeca72ef6cd34cabf09672a2640.zip |
Add EN-22:09 to EN-22:12 and SA-22:02 to SA-22:03.
Approved by: so
Diffstat (limited to 'website')
22 files changed, 2135 insertions, 0 deletions
diff --git a/website/data/security/advisories.toml b/website/data/security/advisories.toml index bfacfbf277..6a60b5b67b 100644 --- a/website/data/security/advisories.toml +++ b/website/data/security/advisories.toml @@ -2,6 +2,14 @@ # $FreeBSD$ [[advisories]] +name = "FreeBSD-SA-22:03.openssl" +date = "2022-03-15" + +[[advisories]] +name = "FreeBSD-SA-22:02.wifi" +date = "2022-03-15" + +[[advisories]] name = "FreeBSD-SA-22:01.vt" date = "2022-01-11" diff --git a/website/data/security/errata.toml b/website/data/security/errata.toml index 3ab79b1502..b246718740 100644 --- a/website/data/security/errata.toml +++ b/website/data/security/errata.toml @@ -2,6 +2,22 @@ # $FreeBSD$ [[notices]] +name = "FreeBSD-EN-22:12.zfs" +date = "2022-03-15" + +[[notices]] +name = "FreeBSD-EN-22:11.zfs" +date = "2022-03-15" + +[[notices]] +name = "FreeBSD-EN-22:10.zfs" +date = "2022-03-15" + +[[notices]] +name = "FreeBSD-EN-22:09.freebsd-update" +date = "2022-03-15" + +[[notices]] name = "FreeBSD-EN-22:08.i386" date = "2022-02-01" diff --git a/website/static/security/advisories/FreeBSD-EN-22:09.freebsd-update.asc b/website/static/security/advisories/FreeBSD-EN-22:09.freebsd-update.asc new file mode 100644 index 0000000000..a85ee4d0cf --- /dev/null +++ b/website/static/security/advisories/FreeBSD-EN-22:09.freebsd-update.asc 
@@ -0,0 +1,125 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-22:09.freebsd-update Errata Notice + The FreeBSD Project + +Topic: freebsd-update creating erroneous boot environments + +Category: core +Module: freebsd-update +Announced: 2022-03-15 +Affects: FreeBSD 12.3 +Corrected: 2022-02-15 06:09:41 UTC (stable/12, 12.3-STABLE) + 2022-03-15 18:17:55 UTC (releng/12.3, 12.3-RELEASE-p3) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +<URL:https://security.FreeBSD.org/>. + +I. Background + +By default, freebsd-update(8) is configured to create new ZFS boot environments +on systems that are compatible with bectl(8). + +II. Problem Description + +When updating a jail or another root that isn't the system root using -b, +freebsd-update(8) will create a spurious boot environment despite the updated +root not causing a change in the boot environment. + +III. Impact + +Users that have used freebsd-update(8) with the -b or -j flags may have some +extra boot environments present on the system that did not meaningfully impact +the boot environment. + +IV. Workaround + +No workaround is available. Systems with "CreateBootEnv" set to "no" in their +/etc/freebsd-update.conf are not affected. Systems that do not use ZFS are also +not affected. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. No reboot is required. 
+ +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64, i386, or +(on FreeBSD 13 and later) arm64 platforms can be updated via the +freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 12.3] +# fetch https://security.FreeBSD.org/patches/EN-22:09/freebsd-update.patch +# fetch https://security.FreeBSD.org/patches/EN-22:09/freebsd-update.patch.asc +# gpg --verify freebsd-update.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. + +VI. Correction details + +This issue is corrected by the corresponding Git commit hash or Subversion +revision number in the following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/12/ r371637 +releng/12.3/ r371743 +- ------------------------------------------------------------------------- + +For FreeBSD 12 and earlier: + +Run the following command to see which files were modified by a particular +revision, replacing NNNNNN with the revision number: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. 
References + +<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=261446> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-22:09.freebsd-update.asc> +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmIw44sACgkQ05eS9J6n +5cLudhAAmVnJH5dbgVkjuaiGI2fvdoKCZKlMIwvA+kUqgio6MaoiXIygWXgzbLmV +M3BSzEvyrB/pBen/Af3R+3hljjhiOId/3RCKP596fT53bpmWQh4TyAryDX9SmY/+ +mXfARp4MgkAi7bDjKQQMpDlyA5Lp3i/Hqyq6IjIZnk2O1PxhAAer+yoqnjBsDQUl +1SzM+T802NbclKx0nsM6ODFk8IvKmBjK1d6esApihDRzFX4qCXjuP+QMFSKAYEb4 +shZx6pGeDfqMhn8TkIydVhsjO16f7rUSxYoM1i93QZecVfxpWdQhh2OMG91G6ELu +9aQ+CsYPcQoWgkLqsnTuJXVpKQ+PmzIwfD/DHahFvXvkXhL7cXFNgctp/2kb/lPW +mgwPvguUzSJBu3tOs2RyVQTOTSzB+7Cf6hadhuBlzI4p/ZSViSIhI4hsE0Wln2TK +3k+WCCfhEoGZRt6pR1YEjqvjeSin9Rcjd5nSS0vE137pXpjzheXxGQFVtPDtjq28 +mkr4HM6XUafvCs8oqoitpzFRMRwYODEah+z5PXWSpvguhFfehihFBW82e/3YZhLF +2Ub4WkTFXhGx98lH5ofjnWS3kuqy7stG/5fk5gNHayCzPZjH2O6ecSGbBh4IZ9Xw +5vFR0Tfbzo+N/eTiyTq0pj0QK2JTE4cns+xxfEczfLYiGGyFmPE= +=Uh7O +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-EN-22:10.zfs.asc b/website/static/security/advisories/FreeBSD-EN-22:10.zfs.asc new file mode 100644 index 0000000000..83b00d4553 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-EN-22:10.zfs.asc 
@@ -0,0 +1,134 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-22:10.zfs Errata Notice + The FreeBSD Project + +Topic: ZFS writes fail to update file size + +Category: contrib +Module: zfs +Announced: 2022-03-15 +Affects: FreeBSD 13.0 +Corrected: 2022-02-21 14:59:58 UTC (stable/13, 13.0-STABLE) + 2022-03-15 18:09:52 UTC (releng/13.0, 13.0-RELEASE-p8) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +<URL:https://security.FreeBSD.org/>. + +I. Background + +ZFS is one of several filesystems available on FreeBSD. ZFS supports +many advanced features, including checksumming, transparent compression, +and snapshots. + +FreeBSD's virtual filesystem layer includes a deadlock-avoidance +mechanism to handle situations where a read(2) or write(2) system call +is invoked and the user-supplied buffer lies within a mmap(2)-created +mapping of the target file. Individual filesystems, such as ZFS, must +implement a portion of the deadlock avoidance protocol. + +II. Problem Description + +The implementation of the deadlock avoidance protocol in ZFS's +implementation of write(2) was incorrect and could, in certain +circumstances, cause an appending write to a file to fail to update the +file size despite returning success to the caller. + +III. Impact + +The bug may cause application misbehavior; the precise effects depend +on the nature of the application triggering the bug. + +IV. Workaround + +No workaround is available, but systems not using ZFS are not affected. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date and reboot. 
+ +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64, i386, or +(on FreeBSD 13 and later) arm64 platforms can be updated via the +freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for an errata update" + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-22:10/zfs.patch +# fetch https://security.FreeBSD.org/patches/EN-22:10/zfs.patch.asc +# gpg --verify zfs.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. + +VI. Correction details + +This issue is corrected by the corresponding Git commit hash or Subversion +revision number in the following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/13/ b55a7f3422d7 stable/13-n249621 +releng/13.0/ 9dc74c5a4b3d releng/13.0-n244783 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat <commit hash> + +Or visit the following URL, replacing NNNNNN with the hash: + +<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN> + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. 
References + +<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=260453> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-22:10.zfs.asc> +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmIw44sACgkQ05eS9J6n +5cJP2Q//fDLZ876IGCxtcyCc5eNrOgI7V4P/ajQ2Jz3VYvd3NAag4bbfV8OQKTy8 +dn62/bhjmKEDGjLAs2oHrlT+G0gEEYLnxZGzgcHo0UFo9FIEmCV18zEFXGipFMeH +b9pCexvy1a7EH97voS7Mr6V+Bktj3Vcq3B0yIXRxoGxcRvTFTpc5rpYzs8RZWHiu +tzUij2bmtrtXh7oJgmF83roujwNEJele9IY2+AMJ/URtGmxuJ54KN1hNTkeGknMd +WtEarFz7HDoXuy7WDysgwUSdq6s+o+rWm/+knflCFXvYqetjm3Kwl35wBr0hch6f +rb59AIZ1RVN8LsZZT6UNaxsQINEPb4RF9T132nYlMlQPdulEBjWiKI7Y4VSMUSXr +Xtz54FMouRXi/WdgJL7P7CxY3+t+1zWorBvI25jnkEp5mhEhd7DVTgy2Sw0sNI4F +iAYGBmpFyE6pGmJOaz6WLGV96sK9m0/RmmZXwPah5cwBMy4qUFnuPgoT91h8LRIr +5SKLm010lyPxsThcb1NRrqsd4LIUhYb6bZNgOmCd5OcSC03+aUjxEyrmM90Hjtb4 +yhANSTVExJB9bXNnb1rWtdO1inrjb3YAUpd6CpuK3vct/LWw9b0ehuRdJKFDgLtC +dVPQZYc89dcjZNnDWFJ94D2Inoae7oT0o2+nULURXyLABWSDYs0= +=+FRE +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-EN-22:11.zfs.asc b/website/static/security/advisories/FreeBSD-EN-22:11.zfs.asc new file mode 100644 index 0000000000..60462a6f36 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-EN-22:11.zfs.asc 
@@ -0,0 +1,133 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-22:11.zfs Errata Notice + The FreeBSD Project + +Topic: ZFS lseek(2) inconsistencies + +Category: contrib +Module: zfs +Announced: 2022-03-15 +Affects: FreeBSD 13.0 +Corrected: 2021-12-19 15:25:26 UTC (stable/13, 13.0-STABLE) + 2022-03-15 18:09:52 UTC (releng/13.0, 13.0-RELEASE-p8) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +<URL:https://security.FreeBSD.org/>. + +I. Background + +ZFS is one of several filesystems available on FreeBSD. ZFS supports +many advanced features, including checksumming, transparent compression, +and snapshots. + +File "holes" are used by filesystems to limit the amount of storage +space occupied by a file containing long runs of zero bytes. Rather +than filling disk blocks with zeroes, file metadata can indicate the +extent of such a run and the filesystem hides the distinction from user +applications. + +II. Problem Description + +When a file containing holes is mapped using mmap(2), mapped regions +of the file may be ignored by lseek(2) when SEEK_HOLE or SEEK_DATA are +passed as the "whence" parameter. + +III. Impact + +The bug may cause application misbehavior; the precise effects depend +on the nature of the application triggering the bug. + +IV. Workaround + +No workaround is available, but systems not using ZFS are not affected. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date and reboot. 
+ +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64, i386, or +(on FreeBSD 13 and later) arm64 platforms can be updated via the +freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for an errata update" + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-22:11/zfs.patch +# fetch https://security.FreeBSD.org/patches/EN-22:11/zfs.patch.asc +# gpg --verify zfs.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. + +VI. Correction details + +This issue is corrected by the corresponding Git commit hash or Subversion +revision number in the following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/13/ 3aa1cabca37d stable/13-n248633 +releng/13.0/ f5be20afc356 releng/13.0-n244785 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat <commit hash> + +Or visit the following URL, replacing NNNNNN with the hash: + +<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN> + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. 
References + +<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=256205> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-22:11.zfs.asc> +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmIw44wACgkQ05eS9J6n +5cIYqA/9HFBfFjdHnU6exTxpeSC3Rf2EcNqkPd/nbT3jP1TGUXHMHCO72rNOuUZB +xVWT7+js4zRkJCAKkqkW9Xww5N3nzrIISFzYKHK5rgzIDA/tlKvcau8WLiRDe8JD +HC1vOVn44tdS9UorxG01lNhSuoNkqoTf1I7ReOzt2L305rzlqVX61T5JzOHMhnFh +enPXcrrVUdw99TgYjUBXrD7qOjDEGP2ZdsUUwnRPLJ6slQQDzE2R2mNRd6tIM8In +RgAZUxkHZ+QDhGYJs7d7uRXDkvXAOgOtzZt/EO+3vOmLvth8b9DzN5TSSv6oZ8le +wWLBPbW8SMBzBAJ6pBbg+AZGg1qMlO8rGyGKyeGOF9hk78SunbdPQ116DYDZS2Yj +jzIu9JXyLLonpXLIIzhQ2alo8xm5vvDN4Hqay92xKJvGJdq+M1hTQ7sVYioxBYP/ +l6gGSgKEJuMukW0qryGvcm5a4qpfpcJYnCMegwDGHwLY+jHkA+Rl54kYKFQQ6OlO +P7/PW+JytcLiD6vuQ+9++6ccM3l2/otyGYhEyLvBmeTnxfy8S3L409NEeYQJrsXW +tjnfXP18rHReI01nBpCU88+HalxDH+Ge1iwY+RkoLpbd2g/VQF1py73mJkjTY8He +N+3Gvx77vmuGzPoGFWo6WNsBt2WQIEGowpTm9Z6i4RIUF9c7LOo= +=X7kd +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-EN-22:12.zfs.asc b/website/static/security/advisories/FreeBSD-EN-22:12.zfs.asc new file mode 100644 index 0000000000..dcb85ca049 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-EN-22:12.zfs.asc 
@@ -0,0 +1,128 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-22:12.zfs Errata Notice + The FreeBSD Project + +Topic: ZFS panic upon concurrent 'zfs list' calls + +Category: contrib +Module: zfs +Announced: 2022-03-15 +Affects: FreeBSD 13.0 +Corrected: 2021-04-04 13:18:45 UTC (stable/13, 13.0-STABLE) + 2022-03-15 18:09:52 UTC (releng/13.0, 13.0-RELEASE-p8) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +<URL:https://security.FreeBSD.org/>. + +I. Background + +ZFS is one of several filesystems available on FreeBSD. ZFS supports +many advanced features, including checksumming, transparent compression, +and snapshots. + +II. Problem Description + +A race condition due to incorrect locking can cause a panic when multiple +invocations of 'zfs list' occur in rapid succession. + +III. Impact + +An unprivileged user can trigger the race condition, resulting in a +panic and denial of service. + +IV. Workaround + +No workaround is available, but systems not using ZFS are not affected. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date and reboot. + +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64, i386, or +(on FreeBSD 13 and later) arm64 platforms can be updated via the +freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for an errata update" + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. 
+ +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-22:12/zfs.patch +# fetch https://security.FreeBSD.org/patches/EN-22:12/zfs.patch.asc +# gpg --verify zfs.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. + +VI. Correction details + +This issue is corrected by the corresponding Git commit hash or Subversion +revision number in the following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/13/ cf2a72643460 stable/13-n245102 +releng/13.0/ 0abaf7f63023 releng/13.0-n244784 +- ------------------------------------------------------------------------- + +For FreeBSD 13 and later: + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat <commit hash> + +Or visit the following URL, replacing NNNNNN with the hash: + +<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN> + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. 
References + +<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=260884> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-22:12.zfs.asc> +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmIw44wACgkQ05eS9J6n +5cLz+Q/9FTU5djSE02eqK6IKqWOZDre30OF8KFnBZz9CwnCagyTlxWFvZNscZe30 +a4vm01GyPhKXzWcCgkze5kc8h0E4hGD2zFU0N+oYRGRBQyl3B+DEpKKMZ+SUlYdo +fRAhW4j1btD/zUhK9F5xshtMsbswMyN9wWu8iuK7QDReEgTnQj21Ca4r/Qwn+Y2z +5vMfjeUdBxfMZNomESBTfFtI6FYgpAQmjmdaT0nfJzOjm+uf+Xe5qTzka+XMjj6/ +7mveWg7qv2OsTa9Wj0isbydGooVH65RBdtFacabWfh8MsNVZaFztHsfxGhyDAIwA +A4YhD8fkFdQk7KpB8R1i2TTWJF+zt0tMQwBVMsv41rUDytINmwVF+y18XGLzKggY +rb0YRsIGLjI6V35ESiepUPYqgNLrhQiYG/uGOX5cs+5vwsm1ecbq3gHB7TL3ZiDR +RimxtHfrXM3wMsFacgcKpYZ+lYlF8QS/xcc+p8FrBztPjnRxco7Pxw7ZAm5jJqlk +AbAN0gMCwyeX4kBX99NKYVrYOiTO6XsE/DDuyO/UCTiLnxh1onKUJZiolgpbatz/ +z1hnBvA6BrXtWuRA5+9SM3zNKNjHh6pmsSCrG/3XAQhOXzI7gwhzKIlunccA8yaJ +4ytPNW16OO+mhpewszXvBU/3OG937W3XmFpgNjzkCtVRGBfUUts= +=YnFH +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-SA-22:02.wifi.asc b/website/static/security/advisories/FreeBSD-SA-22:02.wifi.asc new file mode 100644 index 0000000000..f2ae1d0acf --- /dev/null +++ b/website/static/security/advisories/FreeBSD-SA-22:02.wifi.asc 
@@ -0,0 +1,165 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-22:02.wifi Security Advisory + The FreeBSD Project + +Topic: Multiple WiFi issues + +Category: core +Module: net80211 +Announced: 2022-03-15 +Affects: FreeBSD 12.x and FreeBSD 13.0 +Corrected: 2021-11-19 00:01:25 UTC (stable/13, 13.0-STABLE) + 2022-03-15 17:45:36 UTC (releng/13.0, 13.0-RELEASE-p8) + 2022-02-15 16:05:49 UTC (stable/12, 12.3-STABLE) + 2022-03-15 18:18:08 UTC (releng/12.3, 12.3-RELEASE-p3) + 2022-03-15 18:17:30 UTC (releng/12.2, 12.2-RELEASE-p14) +CVE Name: CVE-2020-26147, CVE-2020-24588, CVE-2020-26144 + +Note: This issue is already fixed in FreeBSD 13.1-BETA1. + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +FreeBSD's net80211 kernel subsystem provides infrastructure and drivers +for IEEE 802.11 wireless (Wi-Fi) communications. + +II. Problem Description + +The paper "Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and +Fragmentation" reported a number of security vulnerabilities in 802.11 +specificaiton related to frame aggregation and fragmentation. + +Additionally, FreeBSD 12.x missed length validation of SSIDs and Information +Elements (IEs). + +III. Impact + +As reported on the FragAttacks website, the "design flaws are hard to abuse +because doing so requires user interaction or is only possible when using +uncommon network settings." Under suitable conditions an attacker may be +able to extract sensitive data or inject data. + +IV. Workaround + +No workaround is available, but the ability to extract or inject data is +mitigated by the use of application (e.g. HTTPS) or transport (e.g. TLS, +IPSEC) layer encryption. + +V. 
Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date, +and reboot. + +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64, i386, or +(on FreeBSD 13 and later) arm64 platforms can be updated via the +freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for a security update" + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 13.0] +# fetch https://security.FreeBSD.org/patches/SA-22:02/wifi.13.patch +# fetch https://security.FreeBSD.org/patches/SA-22:02/wifi.13.patch.asc +# gpg --verify wifi.13.patch.asc + +[FreeBSD 12.x] +# fetch https://security.FreeBSD.org/patches/SA-22:02/wifi.12.patch +# fetch https://security.FreeBSD.org/patches/SA-22:02/wifi.12.patch.asc +# gpg --verify wifi.12.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. + +VI. 
Correction details + +This issue is corrected by the corresponding Git commit hash or Subversion +revision number in the following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/13/ 6acb9d5f955b stable/13-n248098 +releng/13.0/ 0d1db5c3257e releng/13.0-n244782 +stable/12/ r371640 +releng/12.3/ r371748 +releng/12.2/ r371740 +- ------------------------------------------------------------------------- + +For FreeBSD 13 and later: + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat <commit hash> + +Or visit the following URL, replacing NNNNNN with the hash: + +<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN> + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +For FreeBSD 12 and earlier: + +Run the following command to see which files were modified by a particular +revision, replacing NNNNNN with the revision number: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. 
References + +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26147> +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24588> +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26144> +<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=254737> +<URL:https://www.fragattacks.com/> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-22:02.wifi.asc> +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmIw5aoACgkQ05eS9J6n +5cLuYw/+OtkGeEYFTmwoZrFn105OOhi1MHjopUmW3B3FDeIMP2BnULkCodLKpDqx +WNROwaLBZ/FSHdX+rwcFhZVKksGuXafRY2bywDfJNCRmSIRjSEiSozIkJbihmKYq +SAWxUwbZxkg+MPtgoiUNocXZhFplN4E1VmfZl6XDfcd9jrFTuNiMKPKWzW8haI7R +H3Tovh6GgRLFfP5nnY2X8xZSSrxqkzXj4iRHJDedu6nmBFtsB34kjhW42fpycM/c +irhHBApfgl9XW31sLSFP2lwhq36AVD27SaYKDWxAv4ywp6PiwPTTNr8lwk05Z0jp +z76f3ZIBDhz3M3qzphMQ5wj6CB7SqTrgSD0WDZchdgDk904BdNum3vNRTO4x9iSB +czlXk/utMbupW8AU9rjdKWeMz0DBpDGckjZq1Ot8+fSwbiLkPCjpYTDsxqiLZs6i +xp/qjDW8rUKbgQSztSq3svF58dY74TLZ34rN0cqVPgvfpG1/fbM4W63vR0b4YG/5 +mv4OKXe5whJmh1OVrrVSX/ttyTFm6JpNFRxpXCkRKOgNICevw9yHlvx8uE6rVKde +P7PXAdRT48gcmN9gIscFuRwt2glvChYuH6ncF1jMQmfoAMTlDGRATQUuDy81fIw9 +va3fiGDy2FsenAQYa4UwaA/iCodjaC0cNjNnf2cc9nZEnuq86l8= +=Cjzd +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-SA-22:03.openssl.asc b/website/static/security/advisories/FreeBSD-SA-22:03.openssl.asc new file mode 100644 index 0000000000..79aa990d28 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-SA-22:03.openssl.asc 
@@ -0,0 +1,153 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-22:03.openssl Security Advisory + The FreeBSD Project + +Topic: OpenSSL certificate parsing infinite loop + +Category: contrib +Module: openssl +Announced: 2022-03-15 +Credits: Tavis Ormandy from Google +Affects: All supported versions of FreeBSD. +Corrected: 2022-03-15 16:51:46 UTC (stable/13, 13.1-STABLE) + 2022-03-15 17:42:48 UTC (releng/13.1, 13.1-BETA1-p1) + 2022-03-15 17:43:02 UTC (releng/13.0, 13.0-RELEASE-p8) + 2022-03-15 16:56:09 UTC (stable/12, 12.3-STABLE) + 2022-03-15 18:17:50 UTC (releng/12.3, 12.3-RELEASE-p3) + 2022-03-15 18:17:16 UTC (releng/12.2, 12.2-RELEASE-p14) +CVE Name: CVE-2022-0778 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is a +collaborative effort to develop a robust, commercial-grade, full-featured +Open Source toolkit for the Transport Layer Security (TLS) protocol. It is +also a general-purpose cryptography library. + +II. Problem Description + +The BN_mod_sqrt() function, which computes a modular square root, contains +a bug that can cause it to loop forever for non-prime moduli. This function +is used when parsing certificates that contain certain forms of elliptic +curves. + +III. Impact + +A specially crafted certificate with invalid explicit curve parameters may +trigger an infinite loop, leading to a denial of service. Since certificate +parsing happens prior to verification of the certificate signature, any +process that parses an externally supplied certificate may be affected. + +IV. Workaround + +No workaround is available. + +V. 
Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64, i386, or +(on FreeBSD 13 and later) arm64 platforms can be updated via the +freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-22:03/openssl.patch +# fetch https://security.FreeBSD.org/patches/SA-22:03/openssl.patch.asc +# gpg --verify openssl.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. + +Restart all daemons that use the library, or reboot the system. + +VI. 
Correction details + +This issue is corrected by the corresponding Git commit hash or Subversion +revision number in the following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/13/ 5f3d952f6e6b stable/13-n250020 +releng/13.1/ 942b5e156d41 releng/13.1-n249979 +releng/13.0/ 3847c17aa23a releng/13.0-n244777 +stable/12/ r371734 +releng/12.3/ r371742 +releng/12.2/ r371735 +- ------------------------------------------------------------------------- + +For FreeBSD 13 and later: + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat <commit hash> + +Or visit the following URL, replacing NNNNNN with the hash: + +<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN> + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +For FreeBSD 12 and earlier: + +Run the following command to see which files were modified by a particular +revision, replacing NNNNNN with the revision number: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. 
References + +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0778> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-22:03.openssl.asc> +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmIw5a0ACgkQ05eS9J6n +5cKZqQ/8D7qHRsnXGENtJqjN9Nt2VRiBeO5GKrhBJFVS8/cgVvlgDPFIrWOA/b7v +p386eSIRPA3BGpEzP6cQddM/pogHFjSuskSznkNvfsUeZ7B9avODNvHykiODMajU +ACv/JZ8IU9rWR2C3DqtlnVqKt3N8Pa8ZpxUCpYDeBEMIaYn/UOUZ9PmZZtaCJ1jz +ZSsel99VvA7RdSd58ahb9Mga6KLDdp4bVVftfpepihTOu7pfmxZqrG7W+1pld/wd +R88yGEDxyDD9/qDToA13i8+gAU5P5ASmzfNNqVwzJ4QLlkk2OrJBFKCLl+1BrR2p +w6r3eZzx9SexCSJ9jLw54rezpXgLyJ/+fURHtKVOu39ELqZmftBgBYS0gxWiQ6jH +Wx3lrPjjskFBp4MO5uBChnF8BIpGZN2guLpQkPtHCiaa469OI/NI5zarvXYvGPJL +j4BMZtQQWGj2WIFWmMu7fvkhYOgVWmyjS4SWEwom7UGLq1EJKb9Rau9e4TOr8bYw +EQV5c71Wn7IV9Oga1rPVRUe2hHAX1VkvhVm49G47V2gyvmPwXwwbVe7byW8Mz46j +znkTSmAzHNbXFcJV+aPXejGRDvg0H+wfDyQFlN32IXdyVrbphRjekOu2Ftn8eWS9 +SkEdbvYP5x192NpBgfpHo5tc2CJHcM4xKg7WAIUk0vrK7aSgPoc= +=TDUh +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/EN-22:09/freebsd-update.patch b/website/static/security/patches/EN-22:09/freebsd-update.patch new file mode 100644 index 0000000000..abd72d631c --- /dev/null +++ b/website/static/security/patches/EN-22:09/freebsd-update.patch 
@@ -0,0 +1,25 @@ +--- usr.sbin/freebsd-update/freebsd-update.sh.orig ++++ usr.sbin/freebsd-update/freebsd-update.sh +@@ -890,7 +890,12 @@ + install_create_be () { + # Figure out if we're running in a jail and return if we are + if [ `sysctl -n security.jail.jailed` = 1 ]; then +- return 1 ++ return 1 ++ fi ++ # Operating on roots that aren't located at / will, more often than not, ++ # not touch the boot environment. ++ if [ "$BASEDIR" != "/" ]; then ++ return 1 + fi + # Create a boot environment if enabled + if [ ${BOOTENV} = yes ]; then +@@ -911,7 +916,7 @@ + esac + if [ ${CREATEBE} = yes ]; then + echo -n "Creating snapshot of existing boot environment... " +- VERSION=`freebsd-version -k` ++ VERSION=`freebsd-version -ku | sort -V | tail -n 1` + TIMESTAMP=`date +"%Y-%m-%d_%H%M%S"` + bectl create ${VERSION}_${TIMESTAMP} + if [ $? -eq 0 ]; then diff --git a/website/static/security/patches/EN-22:09/freebsd-update.patch.asc b/website/static/security/patches/EN-22:09/freebsd-update.patch.asc new file mode 100644 index 0000000000..e5e8a302c3 --- /dev/null +++ b/website/static/security/patches/EN-22:09/freebsd-update.patch.asc 
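Review bot: the new `[ "$BASEDIR" != "/" ]` test in install_create_be (freebsd-update.sh, hunk at line 890) is a literal string comparison, so a basedir spelled `//` or `/.`, or a symlink that resolves to /, is treated as a non-system root and the boot environment is skipped. Unless BASEDIR is normalised before this function runs, which these lines do not show, compare a canonical path instead. While this block is being touched, the jail test directly above it still uses an unquoted backtick substitution, so `[` receives a malformed expression if sysctl prints nothing; quoting it would be a cheap fix.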
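Review bot: in the freebsd-update.sh hunk at line 911, `freebsd-version -ku | sort -V | tail -n 1` changes which version string names the snapshot (the higher of kernel and userland), and nothing in the script says why. Add a one-line comment above the VERSION assignment stating the intent, so the pipeline is not simplified back to `-k` later.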
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmIw44sACgkQ05eS9J6n +5cK0lg//Y2zqHowl0ZrlpKS681iwY4KNFdXYMAWBr9A/eSgLU4Or6HoliEZ/LKKG +IF5uCJx5+Ao29aAPhiuSKG4qc8ZxHkQqEzflhFTNRulrBHQFqvGdfmQ+FneNs8wZ +VK/SZ1/5MVUIM91Mc97svoKfb4OOrokgM2pVsEJT3QisP/9/NrWoAyTMuR59jxh5 +WsU4mdK6gzwFc0pQucb6ZKR7FUQTXH9Tw2blgVftD6t4hdHl68DrgiY9UejsRlXQ +vwbVv/ku/pbEywSyNFqK/lXbiU1itUgduJ91ykLQDdGXcm0n2WZD9Y3lasWoAUre +dscBJWLDQWXzejgo5KUzl9BYW3kfJlwW76bdSgPTHKKYkJzZyWYJkEHzqHsO2KZZ +wwjtTfvdE/0aXzIMLgVrElPNazlVjcmhDZf3RKGVVCYkSJl2JcSuhmoVPQG6DUed +7YpZ8KnoU4IVpmzj9+3QGkAcXm1ljCEdAUX1fWLFKqTR9v5ETQVo9cLqvaa04hZx +QvHNG/hSdOXNZKMeRvYRPM3ndRttDdtK7wOrdBbGbLPnanAncHzi80rwd+fYULf8 +/Xik0c7OrKaMQ7nTRplKoTBHaUGzHxeRR88UsorB84UrjhKFe/HnzLy91dX700qR +GgH6juctdKK637GMysM0ha+tDFBTtKZT/i/RigpKio8/hX99H8o= +=6+my +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/EN-22:10/zfs.patch b/website/static/security/patches/EN-22:10/zfs.patch new file mode 100644 index 0000000000..1432597c30 --- /dev/null +++ b/website/static/security/patches/EN-22:10/zfs.patch 
@@ -0,0 +1,45 @@ +--- sys/contrib/openzfs/module/zfs/zfs_vnops.c.orig ++++ sys/contrib/openzfs/module/zfs/zfs_vnops.c +@@ -316,7 +316,7 @@ + int + zfs_write(znode_t *zp, uio_t *uio, int ioflag, cred_t *cr) + { +- int error = 0; ++ int error = 0, error1; + ssize_t start_resid = uio->uio_resid; + + /* +@@ -551,7 +551,11 @@ + continue; + } + #endif +- if (error != 0) { ++ /* ++ * On FreeBSD, EFAULT should be propagated back to the ++ * VFS, which will handle faulting and will retry. ++ */ ++ if (error != 0 && error != EFAULT) { + dmu_tx_commit(tx); + break; + } +@@ -635,7 +639,7 @@ + while ((end_size = zp->z_size) < uio->uio_loffset) { + (void) atomic_cas_64(&zp->z_size, end_size, + uio->uio_loffset); +- ASSERT(error == 0); ++ ASSERT(error == 0 || error == EFAULT); + } + /* + * If we are replaying and eof is non zero then force +@@ -645,7 +649,10 @@ + if (zfsvfs->z_replay && zfsvfs->z_replay_eof != 0) + zp->z_size = zfsvfs->z_replay_eof; + +- error = sa_bulk_update(zp->z_sa_hdl, bulk, count, tx); ++ error1 = sa_bulk_update(zp->z_sa_hdl, bulk, count, tx); ++ if (error1 != 0) ++ /* Avoid clobbering EFAULT. */ ++ error = error1; + + zfs_log_write(zilog, tx, TX_WRITE, zp, woff, tx_bytes, ioflag, + NULL, NULL); diff --git a/website/static/security/patches/EN-22:10/zfs.patch.asc b/website/static/security/patches/EN-22:10/zfs.patch.asc new file mode 100644 index 0000000000..c0c2ba9cd4 --- /dev/null +++ b/website/static/security/patches/EN-22:10/zfs.patch.asc 
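Review bot: the comment added in the zfs_vnops.c hunk at line 551 says the EFAULT pass-through is FreeBSD behaviour, but the test `error != 0 && error != EFAULT` sits after the `#endif` in common module/zfs code, so as written it applies on every platform that builds this file. Either guard it with the platform conditional or reword the comment to say the behaviour is intended everywhere. The relaxed `ASSERT(error == 0 || error == EFAULT)` in the hunk at line 635 has the same scope.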
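Review bot: in the zfs_vnops.c hunk at line 645 the comment `/* Avoid clobbering EFAULT. */` sits between `if (error1 != 0)` and its unbraced body, which makes the assignment look unconditional at a glance, and it describes only half the logic: a failing sa_bulk_update() does overwrite a pending EFAULT. Brace the body, move the comment above the if, and say that an sa_bulk_update() error takes precedence. A more descriptive name than error1 would also help.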
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmIw44wACgkQ05eS9J6n +5cILlQ//ROC7MYZZuTF8voZ4IDWxnDTrkD/xhBCFPbBIOViwnXM9fOkR77c8Cqv4 +vZ2qtxcoDepdwaMVfb5GqBiLjJ3532zmqZUtHBspVoh3is8jQdA7KOL9G1nfJyZE +MkWYuIBLtjpdeADBMtIxlJ60ORMQwNA+pFqo3zUTOKM78DWqG8GY/i8+URIbo+sL +NcHQ3YXg+zsHWRpewOOQ4vFK+aWCmiCiRtcw1brG/K9go0cOD0a5AKs8Hc5exsLI +ZurIn1XaXj657GSSbYW4bJlEyPeai3105Zk/uXF9BDJ2bkVFsRTKLM1d2H/gNECq ++KOzhYc5QZDFHCVvnenvcOs0t5EWWG3vC47DmPPCtbOMrrBptSf3gebDSOL0P1Xc +U+yzReqQS2JNN7rYeTZLjU0rmrv+5/ggcLvTwI8FSQUHnIYkMapd80GYVJH47yI1 +eT4GO4nGq/bE/dJBMNSe7goyVBR1SpFU3shlUTaeX35XDvRSU5+AuJ2JI1yVKYq5 ++wSYODMkRQbIjfGtOG05uTDO05fb6Dgw1xj2Aolxfc6Nx2F1y47DF6H6iH4fc5ZC +t/VZIIHSfh/ytYko2M1m8aVJ3UwFGQ6K0WW/tzVAYYCLrMalbafFfqQjFqtK6Upd +WVH1efsSjfgeonNgfaguJPCY4aS6Xy8YtQ+7yw9GoWFPAlpKEVU= +=zvGp +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/EN-22:11/zfs.patch b/website/static/security/patches/EN-22:11/zfs.patch new file mode 100644 index 0000000000..b4859e1fa5 --- /dev/null +++ b/website/static/security/patches/EN-22:11/zfs.patch 
@@ -0,0 +1,199 @@ +--- sys/contrib/openzfs/include/os/freebsd/spl/sys/vnode.h.orig ++++ sys/contrib/openzfs/include/os/freebsd/spl/sys/vnode.h +@@ -59,6 +59,8 @@ + #include <sys/file.h> + #include <sys/filedesc.h> + #include <sys/syscallsubr.h> ++#include <sys/vm.h> ++#include <vm/vm_object.h> + + typedef struct vop_vector vnodeops_t; + #define VOP_FID VOP_VPTOFH +@@ -88,6 +90,24 @@ + #define vn_has_cached_data(vp) \ + ((vp)->v_object != NULL && \ + (vp)->v_object->resident_page_count > 0) ++ ++#ifndef IN_BASE ++static __inline void ++vn_flush_cached_data(vnode_t *vp, boolean_t sync) ++{ ++#if __FreeBSD_version > 1300054 ++ if (vm_object_mightbedirty(vp->v_object)) { ++#else ++ if (vp->v_object->flags & OBJ_MIGHTBEDIRTY) { ++#endif ++ int flags = sync ? OBJPC_SYNC : 0; ++ zfs_vmobject_wlock(vp->v_object); ++ vm_object_page_clean(vp->v_object, 0, 0, flags); ++ zfs_vmobject_wunlock(vp->v_object); ++ } ++} ++#endif ++ + #define vn_exists(vp) do { } while (0) + #define vn_invalid(vp) do { } while (0) + #define vn_renamepath(tdvp, svp, tnm, lentnm) do { } while (0) +--- sys/contrib/openzfs/include/os/freebsd/zfs/sys/zfs_znode_impl.h.orig ++++ sys/contrib/openzfs/include/os/freebsd/zfs/sys/zfs_znode_impl.h +@@ -117,7 +117,8 @@ + #define Z_ISLNK(type) ((type) == VLNK) + #define Z_ISDIR(type) ((type) == VDIR) + +-#define zn_has_cached_data(zp) vn_has_cached_data(ZTOV(zp)) ++#define zn_has_cached_data(zp) vn_has_cached_data(ZTOV(zp)) ++#define zn_flush_cached_data(zp, sync) vn_flush_cached_data(ZTOV(zp), sync) + #define zn_rlimit_fsize(zp, uio, td) vn_rlimit_fsize(ZTOV(zp), (uio), (td)) + + /* Called on entry to each ZFS vnode and vfs operation */ +--- sys/contrib/openzfs/include/os/linux/zfs/sys/zfs_znode_impl.h.orig ++++ sys/contrib/openzfs/include/os/linux/zfs/sys/zfs_znode_impl.h +@@ -70,7 +70,7 @@ + #define Z_ISDEV(type) (S_ISCHR(type) || S_ISBLK(type) || S_ISFIFO(type)) + #define Z_ISDIR(type) S_ISDIR(type) + +-#define zn_has_cached_data(zp) ((zp)->z_is_mapped) 
++#define zn_flush_cached_data(zp, sync) write_inode_now(ZTOI(zp), sync) + #define zn_rlimit_fsize(zp, uio, td) (0) + + #define zhold(zp) igrab(ZTOI((zp))) +--- sys/contrib/openzfs/include/sys/dnode.h.orig ++++ sys/contrib/openzfs/include/sys/dnode.h +@@ -425,6 +425,7 @@ + void dnode_rele(dnode_t *dn, void *ref); + void dnode_rele_and_unlock(dnode_t *dn, void *tag, boolean_t evicting); + int dnode_try_claim(objset_t *os, uint64_t object, int slots); ++boolean_t dnode_is_dirty(dnode_t *dn); + void dnode_setdirty(dnode_t *dn, dmu_tx_t *tx); + void dnode_set_dirtyctx(dnode_t *dn, dmu_tx_t *tx, void *tag); + void dnode_sync(dnode_t *dn, dmu_tx_t *tx); +--- sys/contrib/openzfs/module/zfs/dmu.c.orig ++++ sys/contrib/openzfs/module/zfs/dmu.c +@@ -2082,42 +2082,41 @@ + dmu_offset_next(objset_t *os, uint64_t object, boolean_t hole, uint64_t *off) + { + dnode_t *dn; +- int i, err; +- boolean_t clean = B_TRUE; ++ int err; + ++restart: + err = dnode_hold(os, object, FTAG, &dn); + if (err) + return (err); + +- /* +- * Check if dnode is dirty +- */ +- for (i = 0; i < TXG_SIZE; i++) { +- if (multilist_link_active(&dn->dn_dirty_link[i])) { +- clean = B_FALSE; +- break; +- } +- } ++ rw_enter(&dn->dn_struct_rwlock, RW_READER); + +- /* +- * If compatibility option is on, sync any current changes before +- * we go trundling through the block pointers. +- */ +- if (!clean && zfs_dmu_offset_next_sync) { +- clean = B_TRUE; +- dnode_rele(dn, FTAG); +- txg_wait_synced(dmu_objset_pool(os), 0); +- err = dnode_hold(os, object, FTAG, &dn); +- if (err) +- return (err); +- } ++ if (dnode_is_dirty(dn)) { ++ /* ++ * If the zfs_dmu_offset_next_sync module option is enabled ++ * then strict hole reporting has been requested. Dirty ++ * dnodes must be synced to disk to accurately report all ++ * holes. When disabled (the default) dirty dnodes are ++ * reported to not have any holes which is always safe. 
++ * ++ * When called by zfs_holey_common() the zp->z_rangelock ++ * is held to prevent zfs_write() and mmap writeback from ++ * re-dirtying the dnode after txg_wait_synced(). ++ */ ++ if (zfs_dmu_offset_next_sync) { ++ rw_exit(&dn->dn_struct_rwlock); ++ dnode_rele(dn, FTAG); ++ txg_wait_synced(dmu_objset_pool(os), 0); ++ goto restart; ++ } + +- if (clean) +- err = dnode_next_offset(dn, +- (hole ? DNODE_FIND_HOLE : 0), off, 1, 1, 0); +- else + err = SET_ERROR(EBUSY); ++ } else { ++ err = dnode_next_offset(dn, DNODE_FIND_HAVELOCK | ++ (hole ? DNODE_FIND_HOLE : 0), off, 1, 1, 0); ++ } + ++ rw_exit(&dn->dn_struct_rwlock); + dnode_rele(dn, FTAG); + + return (err); +--- sys/contrib/openzfs/module/zfs/dnode.c.orig ++++ sys/contrib/openzfs/module/zfs/dnode.c +@@ -1652,6 +1652,26 @@ + slots, NULL, NULL)); + } + ++/* ++ * Checks if the dnode contains any uncommitted dirty records. ++ */ ++boolean_t ++dnode_is_dirty(dnode_t *dn) ++{ ++ mutex_enter(&dn->dn_mtx); ++ ++ for (int i = 0; i < TXG_SIZE; i++) { ++ if (list_head(&dn->dn_dirty_records[i]) != NULL) { ++ mutex_exit(&dn->dn_mtx); ++ return (B_TRUE); ++ } ++ } ++ ++ mutex_exit(&dn->dn_mtx); ++ ++ return (B_FALSE); ++} ++ + void + dnode_setdirty(dnode_t *dn, dmu_tx_t *tx) + { +--- sys/contrib/openzfs/module/zfs/zfs_vnops.c.orig ++++ sys/contrib/openzfs/module/zfs/zfs_vnops.c +@@ -85,6 +85,7 @@ + static int + zfs_holey_common(znode_t *zp, ulong_t cmd, loff_t *off) + { ++ zfs_locked_range_t *lr; + uint64_t noff = (uint64_t)*off; /* new offset */ + uint64_t file_sz; + int error; +@@ -100,12 +101,18 @@ + else + hole = B_FALSE; + ++ /* Flush any mmap()'d data to disk */ ++ if (zn_has_cached_data(zp)) ++ zn_flush_cached_data(zp, B_FALSE); ++ ++ lr = zfs_rangelock_enter(&zp->z_rangelock, 0, file_sz, RL_READER); + error = dmu_offset_next(ZTOZSB(zp)->z_os, zp->z_id, hole, &noff); ++ zfs_rangelock_exit(lr); + + if (error == ESRCH) + return (SET_ERROR(ENXIO)); + +- /* file was dirty, so fall back to using generic logic */ ++ /* File 
was dirty, so fall back to using generic logic */ + if (error == EBUSY) { + if (hole) + *off = file_sz; diff --git a/website/static/security/patches/EN-22:11/zfs.patch.asc b/website/static/security/patches/EN-22:11/zfs.patch.asc new file mode 100644 index 0000000000..a0c100c447 --- /dev/null +++ b/website/static/security/patches/EN-22:11/zfs.patch.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmIw44wACgkQ05eS9J6n +5cJPVg//a9BgIzkBvfiRp9y1QijbwE4K2tR4CAmgKWyRh1uGxuEErceD57OH/aD0 +4KSuZ3Cs2JPrCkVQGuFQBLwU418udr9/AqLfJtb9zNvZJWr/vSmXM5606Gw58qeI +W6xcQHqeUHt3+MZBfyQIR+XeEMfAQBCvxVRYBER8aZUFQbLpyEfUXRH4yuQbSwBo +N8Rf4S6PHV+YmjYiSmEMeyuIE6oLNS2GyEcGulKXn7LRDZELiKpos48iAxEf5j2S +BH2jvs7GyW+jl1heblQRkH4zWh7I7xxOvypsXXuxvWMZ3h3Hxi8Md9mvejR1ocLZ +qSXlzZ0Ziri3ViiCnUfgRwA2deZd5UXd24P7V+uWOceiZtUwb+cQ4GeGIsAhK9wo +ZarhKcExWHjX5XaAQ6IVmGDlODtJvylbwl8UKosP8gfyn2b/r0pfYZSn3g0V0Rxd +sH2QzW2vITJDaY7r7kujBgV7aw7UPdW+w00nN9B0RNXkhyj0hr/N9V2uGeH83ttJ +CweRfhRGLh2jIWiHo5OsWdPUM70Fr9zzqcMOtnH3q1thSVUSJNp1rKyFvz9MJMwH +uLrj7F52cC8v4QRs2dm21/Q8n6rJxKqayjzlh7VWGh4NR+6OivIzrCx1fyNMftu4 +AJ0u7mAfHcJTVSQo6vRbswW8f0gBppu/6Svf1F7KKTibUo0hmTc= +=yIfG +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/EN-22:12/zfs.patch b/website/static/security/patches/EN-22:12/zfs.patch new file mode 100644 index 0000000000..cbcb488e34 --- /dev/null +++ b/website/static/security/patches/EN-22:12/zfs.patch 
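Review bot: the hunk at line 70 of include/os/linux/zfs/sys/zfs_znode_impl.h is 7 lines before and 7 after and, as shown, removes the `zn_has_cached_data(zp)` definition and puts `zn_flush_cached_data(zp, sync)` in its place, while the zfs_holey_common() hunk in common code now calls both macros. If the Linux header is ever built from this tree the call to zn_has_cached_data() will not resolve; keep the existing define and add the new one below it, as the FreeBSD header hunk does.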
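Review bot: the `goto restart` path in dmu_offset_next() (dmu.c hunk at line 2082) has no bound: with zfs_dmu_offset_next_sync set, a dnode that is dirtied again after txg_wait_synced() sends the function around the loop indefinitely. The new comment says zfs_holey_common() prevents this by holding zp->z_rangelock, but that is a caller-side convention these lines do not enforce for any other caller. State the locking requirement in the function's header comment, or retry once and then return EBUSY as the non-sync path does.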
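Review bot: in zfs_holey_common() (zfs_vnops.c hunk at line 100) the mmap flush is issued with B_FALSE, which on FreeBSD means vm_object_page_clean() runs without OBJPC_SYNC, and it happens before zfs_rangelock_enter(), so the pages are not guaranteed to be written, and new ones can be dirtied, by the time dmu_offset_next() inspects the dnode. If that is intended because the EBUSY fallback covers the race, say so in the comment next to the flush. Separately, vn_flush_cached_data() in the vnode.h hunk dereferences vp->v_object unconditionally and is only safe because this caller checks zn_has_cached_data() first; an assertion or NULL check in the helper would make that dependency explicit.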
@@ -0,0 +1,44 @@ +--- sys/contrib/openzfs/include/sys/zfs_ioctl.h.orig ++++ sys/contrib/openzfs/include/sys/zfs_ioctl.h +@@ -525,7 +525,6 @@ + } zfs_useracct_t; + + #define ZFSDEV_MAX_MINOR (1 << 16) +-#define ZFS_MIN_MINOR (ZFSDEV_MAX_MINOR + 1) + + #define ZPOOL_EXPORT_AFTER_SPLIT 0x1 + +--- sys/contrib/openzfs/module/os/freebsd/zfs/kmod_core.c.orig ++++ sys/contrib/openzfs/module/os/freebsd/zfs/kmod_core.c +@@ -182,23 +182,21 @@ + static void + zfsdev_close(void *data) + { +- zfsdev_state_t *zs, *zsp = data; ++ zfsdev_state_t *zs = data; ++ ++ ASSERT(zs != NULL); + + mutex_enter(&zfsdev_state_lock); +- for (zs = zfsdev_state_list; zs != NULL; zs = zs->zs_next) { +- if (zs == zsp) +- break; +- } +- if (zs == NULL || zs->zs_minor <= 0) { +- mutex_exit(&zfsdev_state_lock); +- return; +- } ++ ++ ASSERT(zs->zs_minor != 0); ++ + zs->zs_minor = -1; + zfs_onexit_destroy(zs->zs_onexit); + zfs_zevent_destroy(zs->zs_zevent); +- mutex_exit(&zfsdev_state_lock); + zs->zs_onexit = NULL; + zs->zs_zevent = NULL; ++ ++ mutex_exit(&zfsdev_state_lock); + } + + static int diff --git a/website/static/security/patches/EN-22:12/zfs.patch.asc b/website/static/security/patches/EN-22:12/zfs.patch.asc new file mode 100644 index 0000000000..e14867c307 --- /dev/null +++ b/website/static/security/patches/EN-22:12/zfs.patch.asc 
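Review bot: zfsdev_close() (kmod_core.c hunk at line 182) swaps its runtime checks for ASSERTs, which only fire on debug builds, so a NULL or stale pointer that the old code returned early on is now dereferenced on production kernels. The two conditions also differ: the old code bailed on `zs->zs_minor <= 0`, while `ASSERT(zs->zs_minor != 0)` lets -1 through, and -1 is exactly what this function stores on close, so a second close of the same state is no longer caught even with assertions enabled. If a double close is impossible by construction, a comment saying why would justify dropping the list walk; otherwise assert `zs->zs_minor > 0`.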
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmIw44wACgkQ05eS9J6n +5cJQAA//TJMTHBl2ZQIKJH+Sk1LuBeLo2XMMRNW3jDKB2AMUCzdbzOu+1zvQi2y1 +Gcxy7bIKgn50vjBenet8tDvpvxmDEBzUWo2btFvVQRe8JM7NH488Sa5O4tYFPApk +OispxRz05YknIHWTSX4O2kBwfHIkTPydpuPkazol5ooH0bXCGsNa/W6RXSeCy7UI +SuvD7tfYpjn2YqsSMXKe3djkbenXkIwHucE9NaupJqbomOyhE9slSFYAA1AgxcLW +S2dnQ+LDLwIBeRbszW+HUwJOapKl4SC1xFImFPpxEWrk3L+2sEFtPnjxIChg0uCw +2AfkirVFEYV/B5bM45llrMQSoKn1ZRazEg20jmS+enbCETw15vIlngSmJVM0yP5D +PeBM2b7rYp+Q+YPACzrKHoNUDgFcRbot6157UYKOfT4CA1N6BKGC26HsBaUxTLeL +XVvmIkMe3mR4OIzcvCqg+ybFnEhHh3COjIGebj3lNOXFQZDh1TqmdZc+ZNanFKM+ +BsVxTC0/50WdONwgUfqxOVe8i2yksqZx5QgtWmW85KuW86y2stmMOjXpm/42sE84 +LI9qV8YKkNWZTKoFwdSY5DLjEJv7ejYlWG2jROdkeOoXXwUrx4tD7IpsiwG76Ik2 +NloS1cLEwRgOynwdOzk8hhwT448O/9vFZOY3qILo56vYB0SWNuc= +=HnrQ +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/SA-22:02/wifi.12.patch b/website/static/security/patches/SA-22:02/wifi.12.patch new file mode 100644 index 0000000000..afa9b07d9a --- /dev/null +++ b/website/static/security/patches/SA-22:02/wifi.12.patch 
@@ -0,0 +1,389 @@ +--- sys/net80211/ieee80211_adhoc.c.orig ++++ sys/net80211/ieee80211_adhoc.c +@@ -531,7 +531,7 @@ + * Next up, any fragmentation. + */ + if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) { +- m = ieee80211_defrag(ni, m, hdrspace); ++ m = ieee80211_defrag(ni, m, hdrspace, has_decrypted); + if (m == NULL) { + /* Fragment dropped or frame not complete yet */ + goto out; +@@ -558,7 +558,7 @@ + /* + * Finally, strip the 802.11 header. + */ +- m = ieee80211_decap(vap, m, hdrspace); ++ m = ieee80211_decap(vap, m, hdrspace, qos); + if (m == NULL) { + /* XXX mask bit to check for both */ + /* don't count Null data frames as errors */ +@@ -571,7 +571,10 @@ + IEEE80211_NODE_STAT(ni, rx_decap); + goto err; + } +- eh = mtod(m, struct ether_header *); ++ if (!(qos & IEEE80211_QOS_AMSDU)) ++ eh = mtod(m, struct ether_header *); ++ else ++ eh = NULL; + if (!ieee80211_node_is_authorized(ni)) { + /* + * Deny any non-PAE frames received prior to +@@ -581,11 +584,13 @@ + * the port is not marked authorized by the + * authenticator until the handshake has completed. + */ +- if (eh->ether_type != htons(ETHERTYPE_PAE)) { ++ if (eh == NULL || ++ eh->ether_type != htons(ETHERTYPE_PAE)) { + IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, +- eh->ether_shost, "data", +- "unauthorized port: ether type 0x%x len %u", +- eh->ether_type, m->m_pkthdr.len); ++ ni->ni_macaddr, "data", "unauthorized or " ++ "unknown port: ether type 0x%x len %u", ++ eh == NULL ? -1 : eh->ether_type, ++ m->m_pkthdr.len); + vap->iv_stats.is_rx_unauth++; + IEEE80211_NODE_STAT(ni, rx_unauth); + goto err; +@@ -598,7 +603,8 @@ + if ((vap->iv_flags & IEEE80211_F_DROPUNENC) && + ((has_decrypted == 0) && (m->m_flags & M_WEP) == 0) && + (is_hw_decrypted == 0) && +- eh->ether_type != htons(ETHERTYPE_PAE)) { ++ (eh == NULL || ++ eh->ether_type != htons(ETHERTYPE_PAE))) { + /* + * Drop unencrypted frames. 
+ */ +--- sys/net80211/ieee80211_hostap.c.orig ++++ sys/net80211/ieee80211_hostap.c +@@ -719,7 +719,7 @@ + * Next up, any fragmentation. + */ + if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) { +- m = ieee80211_defrag(ni, m, hdrspace); ++ m = ieee80211_defrag(ni, m, hdrspace, has_decrypted); + if (m == NULL) { + /* Fragment dropped or frame not complete yet */ + goto out; +@@ -744,7 +744,7 @@ + /* + * Finally, strip the 802.11 header. + */ +- m = ieee80211_decap(vap, m, hdrspace); ++ m = ieee80211_decap(vap, m, hdrspace, qos); + if (m == NULL) { + /* XXX mask bit to check for both */ + /* don't count Null data frames as errors */ +@@ -757,7 +757,10 @@ + IEEE80211_NODE_STAT(ni, rx_decap); + goto err; + } +- eh = mtod(m, struct ether_header *); ++ if (!(qos & IEEE80211_QOS_AMSDU)) ++ eh = mtod(m, struct ether_header *); ++ else ++ eh = NULL; + if (!ieee80211_node_is_authorized(ni)) { + /* + * Deny any non-PAE frames received prior to +@@ -767,11 +770,13 @@ + * the port is not marked authorized by the + * authenticator until the handshake has completed. + */ +- if (eh->ether_type != htons(ETHERTYPE_PAE)) { ++ if (eh == NULL || ++ eh->ether_type != htons(ETHERTYPE_PAE)) { + IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, +- eh->ether_shost, "data", +- "unauthorized port: ether type 0x%x len %u", +- eh->ether_type, m->m_pkthdr.len); ++ ni->ni_macaddr, "data", "unauthorized or " ++ "unknown port: ether type 0x%x len %u", ++ eh == NULL ? -1 : eh->ether_type, ++ m->m_pkthdr.len); + vap->iv_stats.is_rx_unauth++; + IEEE80211_NODE_STAT(ni, rx_unauth); + goto err; +@@ -784,7 +789,8 @@ + if ((vap->iv_flags & IEEE80211_F_DROPUNENC) && + ((has_decrypted == 0) && (m->m_flags & M_WEP) == 0) && + (is_hw_decrypted == 0) && +- eh->ether_type != htons(ETHERTYPE_PAE)) { ++ (eh == NULL || ++ eh->ether_type != htons(ETHERTYPE_PAE))) { + /* + * Drop unencrypted frames. 
+ */ +--- sys/net80211/ieee80211_input.c.orig ++++ sys/net80211/ieee80211_input.c +@@ -170,7 +170,8 @@ + * XXX should handle 3 concurrent reassemblies per-spec. + */ + struct mbuf * +-ieee80211_defrag(struct ieee80211_node *ni, struct mbuf *m, int hdrspace) ++ieee80211_defrag(struct ieee80211_node *ni, struct mbuf *m, int hdrspace, ++ int has_decrypted) + { + struct ieee80211vap *vap = ni->ni_vap; + struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *); +@@ -189,6 +190,11 @@ + if (!more_frag && fragno == 0 && ni->ni_rxfrag[0] == NULL) + return m; + ++ /* Temporarily set flag to remember if fragment was encrypted. */ ++ /* XXX use a non-packet altering storage for this in the future. */ ++ if (has_decrypted) ++ wh->i_fc[1] |= IEEE80211_FC1_PROTECTED; ++ + /* + * Remove frag to insure it doesn't get reaped by timer. + */ +@@ -219,10 +225,14 @@ + + lwh = mtod(mfrag, struct ieee80211_frame *); + last_rxseq = le16toh(*(uint16_t *)lwh->i_seq); +- /* NB: check seq # and frag together */ ++ /* ++ * NB: check seq # and frag together. Also check that both ++ * fragments are plaintext or that both are encrypted. ++ */ + if (rxseq == last_rxseq+1 && + IEEE80211_ADDR_EQ(wh->i_addr1, lwh->i_addr1) && +- IEEE80211_ADDR_EQ(wh->i_addr2, lwh->i_addr2)) { ++ IEEE80211_ADDR_EQ(wh->i_addr2, lwh->i_addr2) && ++ !((wh->i_fc[1] ^ lwh->i_fc[1]) & IEEE80211_FC1_PROTECTED)) { + /* XXX clear MORE_FRAG bit? */ + /* track last seqnum and fragno */ + *(uint16_t *) lwh->i_seq = *(uint16_t *) wh->i_seq; +@@ -253,6 +263,11 @@ + ni->ni_rxfrag[0] = mfrag; + mfrag = NULL; + } ++ /* Remember to clear protected flag that was temporarily set. 
*/ ++ if (mfrag != NULL) { ++ wh = mtod(mfrag, struct ieee80211_frame *); ++ wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED; ++ } + return mfrag; + } + +@@ -294,7 +309,8 @@ + } + + struct mbuf * +-ieee80211_decap(struct ieee80211vap *vap, struct mbuf *m, int hdrlen) ++ieee80211_decap(struct ieee80211vap *vap, struct mbuf *m, int hdrlen, ++ uint8_t qos) + { + struct ieee80211_qosframe_addr4 wh; + struct ether_header *eh; +@@ -316,7 +332,9 @@ + llc->llc_snap.org_code[1] == 0 && llc->llc_snap.org_code[2] == 0 && + /* NB: preserve AppleTalk frames that have a native SNAP hdr */ + !(llc->llc_snap.ether_type == htons(ETHERTYPE_AARP) || +- llc->llc_snap.ether_type == htons(ETHERTYPE_IPX))) { ++ llc->llc_snap.ether_type == htons(ETHERTYPE_IPX)) && ++ /* Do not want to touch A-MSDU frames. */ ++ !(qos & IEEE80211_QOS_AMSDU)) { + m_adj(m, hdrlen + sizeof(struct llc) - sizeof(*eh)); + llc = NULL; + } else { +@@ -364,6 +382,10 @@ + #define FF_LLC_SIZE (sizeof(struct ether_header) + sizeof(struct llc)) + struct ether_header *eh; + struct llc *llc; ++ const uint8_t llc_hdr_mac[ETHER_ADDR_LEN] = { ++ /* MAC address matching the 802.2 LLC header */ ++ LLC_SNAP_LSAP, LLC_SNAP_LSAP, LLC_UI, 0, 0, 0 ++ }; + + /* + * The frame has an 802.3 header followed by an 802.2 +@@ -376,6 +398,15 @@ + if (m->m_len < FF_LLC_SIZE && (m = m_pullup(m, FF_LLC_SIZE)) == NULL) + return NULL; + eh = mtod(m, struct ether_header *); /* 802.3 header is first */ ++ ++ /* ++ * Detect possible attack where a single 802.11 frame is processed ++ * as an A-MSDU frame due to an adversary setting the A-MSDU present ++ * bit in the 802.11 QoS header. 
[FragAttacks] ++ */ ++ if (memcmp(eh->ether_dhost, llc_hdr_mac, ETHER_ADDR_LEN) == 0) ++ return NULL; ++ + llc = (struct llc *)&eh[1]; /* 802.2 header follows */ + *framelen = ntohs(eh->ether_type) /* encap'd frame size */ + + sizeof(struct ether_header) - sizeof(struct llc); +--- sys/net80211/ieee80211_input.h.orig ++++ sys/net80211/ieee80211_input.h +@@ -309,9 +309,10 @@ + void ieee80211_deliver_data(struct ieee80211vap *, + struct ieee80211_node *, struct mbuf *); + struct mbuf *ieee80211_defrag(struct ieee80211_node *, +- struct mbuf *, int); ++ struct mbuf *, int, int); + struct mbuf *ieee80211_realign(struct ieee80211vap *, struct mbuf *, size_t); +-struct mbuf *ieee80211_decap(struct ieee80211vap *, struct mbuf *, int); ++struct mbuf *ieee80211_decap(struct ieee80211vap *, struct mbuf *, int, ++ uint8_t); + struct mbuf *ieee80211_decap1(struct mbuf *, int *); + int ieee80211_setup_rates(struct ieee80211_node *ni, + const uint8_t *rates, const uint8_t *xrates, int flags); +--- sys/net80211/ieee80211_ioctl.c.orig ++++ sys/net80211/ieee80211_ioctl.c +@@ -1591,7 +1591,7 @@ + ("expected opmode IBSS or AHDEMO not %s", + ieee80211_opmode_name[vap->iv_opmode])); + +- if (ssid_len == 0) ++ if (ssid_len == 0 || ssid_len > IEEE80211_NWID_LEN) + return EINVAL; + + sr = IEEE80211_MALLOC(sizeof(*sr), M_TEMP, +--- sys/net80211/ieee80211_mesh.c.orig ++++ sys/net80211/ieee80211_mesh.c +@@ -1637,7 +1637,7 @@ + */ + hdrspace = ieee80211_hdrspace(ic, wh); + if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) { +- m = ieee80211_defrag(ni, m, hdrspace); ++ m = ieee80211_defrag(ni, m, hdrspace, 0); + if (m == NULL) { + /* Fragment dropped or frame not complete yet */ + goto out; +--- sys/net80211/ieee80211_node.c.orig ++++ sys/net80211/ieee80211_node.c +@@ -1134,7 +1134,7 @@ + + ie = ies->data; + ielen = ies->len; +- while (ielen > 0) { ++ while (ielen > 1) { + switch (ie[0]) { + case IEEE80211_ELEMID_VENDOR: + if (iswpaoui(ie)) +--- sys/net80211/ieee80211_sta.c.orig ++++ 
sys/net80211/ieee80211_sta.c +@@ -795,7 +795,7 @@ + * Next up, any fragmentation. + */ + if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) { +- m = ieee80211_defrag(ni, m, hdrspace); ++ m = ieee80211_defrag(ni, m, hdrspace, has_decrypted); + if (m == NULL) { + /* Fragment dropped or frame not complete yet */ + goto out; +@@ -827,7 +827,7 @@ + /* + * Finally, strip the 802.11 header. + */ +- m = ieee80211_decap(vap, m, hdrspace); ++ m = ieee80211_decap(vap, m, hdrspace, qos); + if (m == NULL) { + /* XXX mask bit to check for both */ + /* don't count Null data frames as errors */ +@@ -840,7 +840,10 @@ + IEEE80211_NODE_STAT(ni, rx_decap); + goto err; + } +- eh = mtod(m, struct ether_header *); ++ if (!(qos & IEEE80211_QOS_AMSDU)) ++ eh = mtod(m, struct ether_header *); ++ else ++ eh = NULL; + if (!ieee80211_node_is_authorized(ni)) { + /* + * Deny any non-PAE frames received prior to +@@ -850,11 +853,13 @@ + * the port is not marked authorized by the + * authenticator until the handshake has completed. + */ +- if (eh->ether_type != htons(ETHERTYPE_PAE)) { ++ if (eh == NULL || ++ eh->ether_type != htons(ETHERTYPE_PAE)) { + IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, +- eh->ether_shost, "data", +- "unauthorized port: ether type 0x%x len %u", +- eh->ether_type, m->m_pkthdr.len); ++ ni->ni_macaddr, "data", "unauthorized or " ++ "unknown port: ether type 0x%x len %u", ++ eh == NULL ? -1 : eh->ether_type, ++ m->m_pkthdr.len); + vap->iv_stats.is_rx_unauth++; + IEEE80211_NODE_STAT(ni, rx_unauth); + goto err; +@@ -867,7 +872,8 @@ + if ((vap->iv_flags & IEEE80211_F_DROPUNENC) && + ((has_decrypted == 0) && (m->m_flags & M_WEP) == 0) && + (is_hw_decrypted == 0) && +- eh->ether_type != htons(ETHERTYPE_PAE)) { ++ (eh == NULL || ++ eh->ether_type != htons(ETHERTYPE_PAE))) { + /* + * Drop unencrypted frames. + */ +--- sys/net80211/ieee80211_wds.c.orig ++++ sys/net80211/ieee80211_wds.c +@@ -592,7 +592,7 @@ + * Next up, any fragmentation. 
+ */ + if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) { +- m = ieee80211_defrag(ni, m, hdrspace); ++ m = ieee80211_defrag(ni, m, hdrspace, has_decrypted); + if (m == NULL) { + /* Fragment dropped or frame not complete yet */ + goto out; +@@ -619,7 +619,7 @@ + /* + * Finally, strip the 802.11 header. + */ +- m = ieee80211_decap(vap, m, hdrspace); ++ m = ieee80211_decap(vap, m, hdrspace, qos); + if (m == NULL) { + /* XXX mask bit to check for both */ + /* don't count Null data frames as errors */ +@@ -632,7 +632,10 @@ + IEEE80211_NODE_STAT(ni, rx_decap); + goto err; + } +- eh = mtod(m, struct ether_header *); ++ if (!(qos & IEEE80211_QOS_AMSDU)) ++ eh = mtod(m, struct ether_header *); ++ else ++ eh = NULL; + if (!ieee80211_node_is_authorized(ni)) { + /* + * Deny any non-PAE frames received prior to +@@ -642,11 +645,13 @@ + * the port is not marked authorized by the + * authenticator until the handshake has completed. + */ +- if (eh->ether_type != htons(ETHERTYPE_PAE)) { ++ if (eh == NULL || ++ eh->ether_type != htons(ETHERTYPE_PAE)) { + IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, +- eh->ether_shost, "data", +- "unauthorized port: ether type 0x%x len %u", +- eh->ether_type, m->m_pkthdr.len); ++ ni->ni_macaddr, "data", "unauthorized or " ++ "unknown port: ether type 0x%x len %u", ++ eh == NULL ? -1 : eh->ether_type, ++ m->m_pkthdr.len); + vap->iv_stats.is_rx_unauth++; + IEEE80211_NODE_STAT(ni, rx_unauth); + goto err; +@@ -659,7 +664,8 @@ + if ((vap->iv_flags & IEEE80211_F_DROPUNENC) && + ((has_decrypted == 0) && (m->m_flags & M_WEP) == 0) && + (is_hw_decrypted == 0) && +- eh->ether_type != htons(ETHERTYPE_PAE)) { ++ (eh == NULL || ++ eh->ether_type != htons(ETHERTYPE_PAE))) { + /* + * Drop unencrypted frames. + */ diff --git a/website/static/security/patches/SA-22:02/wifi.12.patch.asc b/website/static/security/patches/SA-22:02/wifi.12.patch.asc new file mode 100644 index 0000000000..56d0a6e8dd --- /dev/null 
+++ b/website/static/security/patches/SA-22:02/wifi.12.patch.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmIw5a0ACgkQ05eS9J6n +5cLSyw/+IT+IDwgSCMHDrnlHNRQcndm4zen78IJpM6UJqGK4AS5j+rLIPWoGVroT +P2HxTZnGsZ2nd8I9/ItT61A9Phy2ZUzJXHd+VTmKuFxG/Ln3n0LjUih4Vgvmqp/o ++ZQu4XqVGIsw6bBsCnPd0ajPcsLIWgr2hgI3yT9JBcb1vlybNY+bjJDa4jIDxyRh +UHx6eLP+QcgBM8dM6f2AmLUDRYSJw/c9dt5YTG/YFjr7HcCh4XMP4N+5kgtGOyd5 +PQ3e3FCrbH8HQ4a/3XCKAGRRMvfRqyY6okAcOgfix0BlGG4pXc57mMMcWUkQogkk +jl4ybHLeUBvqkwk5mcSoG8agxdVIFQDGLsWu7dOM09N1VJGa5eehUk7L9lODtXZS +mkSXQYqq8DNQ+EqukFoDUcjzEfLBEpWodArhqJ5hjJNi8SmdbXM2/0hO555xpg/d +O+lN3eTfr/4sCQPgD9756VHhxsAvh03MbARzaldYhaAgm8CmxLO7HWelRfMFQe+b +fVNPgW8H5qR5s1TXGd8bHv8KWYYyUNwmThMUlOXd0938KAvyK0VSmlg1nqr1z3BB +5Q0GDivFYchc0nuC6nXxNQa5Ndq75y7zlvWa4ZA9xYwHd7RucTv9RvF2Cvohk2YX +2OyzQ2u+co+Wgdvgi4/fN/neGU8RlhSjYPZnJRuz8g1of6b4wmU= +=vWSs +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/SA-22:02/wifi.13.patch b/website/static/security/patches/SA-22:02/wifi.13.patch new file mode 100644 index 0000000000..5005da9627 --- /dev/null +++ b/website/static/security/patches/SA-22:02/wifi.13.patch 
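Review bot: ieee80211_defrag() (wifi.12.patch, ieee80211_input.c hunk at line 190) records has_decrypted by setting IEEE80211_FC1_PROTECTED in the cached fragment's own header, and the mixed plaintext/encrypted test added at line 225 depends on that bit. The ieee80211_mesh.c caller passes a literal 0, so for mesh the comparison uses whatever the received headers carry rather than the decryption result. Either pass the real decryption state from the mesh input path or add a comment at that call site explaining why 0 is correct.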
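Review bot: the new A-MSDU check in ieee80211_decap1() (wifi.12.patch, ieee80211_input.c hunk at line 398) returns NULL without releasing m. The m_pullup() failure path just above can return NULL safely because m_pullup() frees the chain itself, but at the memcmp() test the mbuf is still owned by this function, so unless every caller keeps its own pointer and frees it, the frame is leaked each time a packet is rejected. Add m_freem(m) before the return, and consider counting the drop so it shows up in statistics the way the unauthorized-port drops in this patch do.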
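Review bot: changing the loop bound to `while (ielen > 1)` in ieee80211_node.c (wifi.12.patch, hunk at line 1134) guarantees that the element id and length bytes are present, but the visible lines do not show a check that the length byte, ie[1], fits in the remaining ielen before iswpaoui() and the other parsers read the element body. If that check is not further down the loop, add it here so a truncated final element is skipped rather than read past.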
@@ -0,0 +1,367 @@ +--- sys/net80211/ieee80211_adhoc.c.orig ++++ sys/net80211/ieee80211_adhoc.c +@@ -531,7 +531,7 @@ + * Next up, any fragmentation. + */ + if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) { +- m = ieee80211_defrag(ni, m, hdrspace); ++ m = ieee80211_defrag(ni, m, hdrspace, has_decrypted); + if (m == NULL) { + /* Fragment dropped or frame not complete yet */ + goto out; +@@ -558,7 +558,7 @@ + /* + * Finally, strip the 802.11 header. + */ +- m = ieee80211_decap(vap, m, hdrspace); ++ m = ieee80211_decap(vap, m, hdrspace, qos); + if (m == NULL) { + /* XXX mask bit to check for both */ + /* don't count Null data frames as errors */ +@@ -571,7 +571,10 @@ + IEEE80211_NODE_STAT(ni, rx_decap); + goto err; + } +- eh = mtod(m, struct ether_header *); ++ if (!(qos & IEEE80211_QOS_AMSDU)) ++ eh = mtod(m, struct ether_header *); ++ else ++ eh = NULL; + if (!ieee80211_node_is_authorized(ni)) { + /* + * Deny any non-PAE frames received prior to +@@ -581,11 +584,13 @@ + * the port is not marked authorized by the + * authenticator until the handshake has completed. + */ +- if (eh->ether_type != htons(ETHERTYPE_PAE)) { ++ if (eh == NULL || ++ eh->ether_type != htons(ETHERTYPE_PAE)) { + IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, +- eh->ether_shost, "data", +- "unauthorized port: ether type 0x%x len %u", +- eh->ether_type, m->m_pkthdr.len); ++ ni->ni_macaddr, "data", "unauthorized or " ++ "unknown port: ether type 0x%x len %u", ++ eh == NULL ? -1 : eh->ether_type, ++ m->m_pkthdr.len); + vap->iv_stats.is_rx_unauth++; + IEEE80211_NODE_STAT(ni, rx_unauth); + goto err; +@@ -598,7 +603,8 @@ + if ((vap->iv_flags & IEEE80211_F_DROPUNENC) && + ((has_decrypted == 0) && (m->m_flags & M_WEP) == 0) && + (is_hw_decrypted == 0) && +- eh->ether_type != htons(ETHERTYPE_PAE)) { ++ (eh == NULL || ++ eh->ether_type != htons(ETHERTYPE_PAE))) { + /* + * Drop unencrypted frames. 
+ */ +--- sys/net80211/ieee80211_hostap.c.orig ++++ sys/net80211/ieee80211_hostap.c +@@ -719,7 +719,7 @@ + * Next up, any fragmentation. + */ + if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) { +- m = ieee80211_defrag(ni, m, hdrspace); ++ m = ieee80211_defrag(ni, m, hdrspace, has_decrypted); + if (m == NULL) { + /* Fragment dropped or frame not complete yet */ + goto out; +@@ -744,7 +744,7 @@ + /* + * Finally, strip the 802.11 header. + */ +- m = ieee80211_decap(vap, m, hdrspace); ++ m = ieee80211_decap(vap, m, hdrspace, qos); + if (m == NULL) { + /* XXX mask bit to check for both */ + /* don't count Null data frames as errors */ +@@ -757,7 +757,10 @@ + IEEE80211_NODE_STAT(ni, rx_decap); + goto err; + } +- eh = mtod(m, struct ether_header *); ++ if (!(qos & IEEE80211_QOS_AMSDU)) ++ eh = mtod(m, struct ether_header *); ++ else ++ eh = NULL; + if (!ieee80211_node_is_authorized(ni)) { + /* + * Deny any non-PAE frames received prior to +@@ -767,11 +770,13 @@ + * the port is not marked authorized by the + * authenticator until the handshake has completed. + */ +- if (eh->ether_type != htons(ETHERTYPE_PAE)) { ++ if (eh == NULL || ++ eh->ether_type != htons(ETHERTYPE_PAE)) { + IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, +- eh->ether_shost, "data", +- "unauthorized port: ether type 0x%x len %u", +- eh->ether_type, m->m_pkthdr.len); ++ ni->ni_macaddr, "data", "unauthorized or " ++ "unknown port: ether type 0x%x len %u", ++ eh == NULL ? -1 : eh->ether_type, ++ m->m_pkthdr.len); + vap->iv_stats.is_rx_unauth++; + IEEE80211_NODE_STAT(ni, rx_unauth); + goto err; +@@ -784,7 +789,8 @@ + if ((vap->iv_flags & IEEE80211_F_DROPUNENC) && + ((has_decrypted == 0) && (m->m_flags & M_WEP) == 0) && + (is_hw_decrypted == 0) && +- eh->ether_type != htons(ETHERTYPE_PAE)) { ++ (eh == NULL || ++ eh->ether_type != htons(ETHERTYPE_PAE))) { + /* + * Drop unencrypted frames. 
+ */ +--- sys/net80211/ieee80211_input.c.orig ++++ sys/net80211/ieee80211_input.c +@@ -170,7 +170,8 @@ + * XXX should handle 3 concurrent reassemblies per-spec. + */ + struct mbuf * +-ieee80211_defrag(struct ieee80211_node *ni, struct mbuf *m, int hdrspace) ++ieee80211_defrag(struct ieee80211_node *ni, struct mbuf *m, int hdrspace, ++ int has_decrypted) + { + struct ieee80211vap *vap = ni->ni_vap; + struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *); +@@ -189,6 +190,11 @@ + if (!more_frag && fragno == 0 && ni->ni_rxfrag[0] == NULL) + return m; + ++ /* Temporarily set flag to remember if fragment was encrypted. */ ++ /* XXX use a non-packet altering storage for this in the future. */ ++ if (has_decrypted) ++ wh->i_fc[1] |= IEEE80211_FC1_PROTECTED; ++ + /* + * Remove frag to insure it doesn't get reaped by timer. + */ +@@ -219,10 +225,14 @@ + + lwh = mtod(mfrag, struct ieee80211_frame *); + last_rxseq = le16toh(*(uint16_t *)lwh->i_seq); +- /* NB: check seq # and frag together */ ++ /* ++ * NB: check seq # and frag together. Also check that both ++ * fragments are plaintext or that both are encrypted. ++ */ + if (rxseq == last_rxseq+1 && + IEEE80211_ADDR_EQ(wh->i_addr1, lwh->i_addr1) && +- IEEE80211_ADDR_EQ(wh->i_addr2, lwh->i_addr2)) { ++ IEEE80211_ADDR_EQ(wh->i_addr2, lwh->i_addr2) && ++ !((wh->i_fc[1] ^ lwh->i_fc[1]) & IEEE80211_FC1_PROTECTED)) { + /* XXX clear MORE_FRAG bit? */ + /* track last seqnum and fragno */ + *(uint16_t *) lwh->i_seq = *(uint16_t *) wh->i_seq; +@@ -253,6 +263,11 @@ + ni->ni_rxfrag[0] = mfrag; + mfrag = NULL; + } ++ /* Remember to clear protected flag that was temporarily set. 
*/ ++ if (mfrag != NULL) { ++ wh = mtod(mfrag, struct ieee80211_frame *); ++ wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED; ++ } + return mfrag; + } + +@@ -294,7 +309,8 @@ + } + + struct mbuf * +-ieee80211_decap(struct ieee80211vap *vap, struct mbuf *m, int hdrlen) ++ieee80211_decap(struct ieee80211vap *vap, struct mbuf *m, int hdrlen, ++ uint8_t qos) + { + struct ieee80211_qosframe_addr4 wh; + struct ether_header *eh; +@@ -316,7 +332,9 @@ + llc->llc_snap.org_code[1] == 0 && llc->llc_snap.org_code[2] == 0 && + /* NB: preserve AppleTalk frames that have a native SNAP hdr */ + !(llc->llc_snap.ether_type == htons(ETHERTYPE_AARP) || +- llc->llc_snap.ether_type == htons(ETHERTYPE_IPX))) { ++ llc->llc_snap.ether_type == htons(ETHERTYPE_IPX)) && ++ /* Do not want to touch A-MSDU frames. */ ++ !(qos & IEEE80211_QOS_AMSDU)) { + m_adj(m, hdrlen + sizeof(struct llc) - sizeof(*eh)); + llc = NULL; + } else { +@@ -364,6 +382,10 @@ + #define FF_LLC_SIZE (sizeof(struct ether_header) + sizeof(struct llc)) + struct ether_header *eh; + struct llc *llc; ++ const uint8_t llc_hdr_mac[ETHER_ADDR_LEN] = { ++ /* MAC address matching the 802.2 LLC header */ ++ LLC_SNAP_LSAP, LLC_SNAP_LSAP, LLC_UI, 0, 0, 0 ++ }; + + /* + * The frame has an 802.3 header followed by an 802.2 +@@ -376,6 +398,15 @@ + if (m->m_len < FF_LLC_SIZE && (m = m_pullup(m, FF_LLC_SIZE)) == NULL) + return NULL; + eh = mtod(m, struct ether_header *); /* 802.3 header is first */ ++ ++ /* ++ * Detect possible attack where a single 802.11 frame is processed ++ * as an A-MSDU frame due to an adversary setting the A-MSDU present ++ * bit in the 802.11 QoS header. 
[FragAttacks] ++ */ ++ if (memcmp(eh->ether_dhost, llc_hdr_mac, ETHER_ADDR_LEN) == 0) ++ return NULL; ++ + llc = (struct llc *)&eh[1]; /* 802.2 header follows */ + *framelen = ntohs(eh->ether_type) /* encap'd frame size */ + + sizeof(struct ether_header) - sizeof(struct llc); +--- sys/net80211/ieee80211_input.h.orig ++++ sys/net80211/ieee80211_input.h +@@ -309,9 +309,10 @@ + void ieee80211_deliver_data(struct ieee80211vap *, + struct ieee80211_node *, struct mbuf *); + struct mbuf *ieee80211_defrag(struct ieee80211_node *, +- struct mbuf *, int); ++ struct mbuf *, int, int); + struct mbuf *ieee80211_realign(struct ieee80211vap *, struct mbuf *, size_t); +-struct mbuf *ieee80211_decap(struct ieee80211vap *, struct mbuf *, int); ++struct mbuf *ieee80211_decap(struct ieee80211vap *, struct mbuf *, int, ++ uint8_t); + struct mbuf *ieee80211_decap1(struct mbuf *, int *); + int ieee80211_setup_rates(struct ieee80211_node *ni, + const uint8_t *rates, const uint8_t *xrates, int flags); +--- sys/net80211/ieee80211_mesh.c.orig ++++ sys/net80211/ieee80211_mesh.c +@@ -1642,7 +1642,7 @@ + */ + hdrspace = ieee80211_hdrspace(ic, wh); + if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) { +- m = ieee80211_defrag(ni, m, hdrspace); ++ m = ieee80211_defrag(ni, m, hdrspace, 0); + if (m == NULL) { + /* Fragment dropped or frame not complete yet */ + goto out; +--- sys/net80211/ieee80211_sta.c.orig ++++ sys/net80211/ieee80211_sta.c +@@ -795,7 +795,7 @@ + * Next up, any fragmentation. + */ + if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) { +- m = ieee80211_defrag(ni, m, hdrspace); ++ m = ieee80211_defrag(ni, m, hdrspace, has_decrypted); + if (m == NULL) { + /* Fragment dropped or frame not complete yet */ + goto out; +@@ -827,7 +827,7 @@ + /* + * Finally, strip the 802.11 header. 
+ */ +- m = ieee80211_decap(vap, m, hdrspace); ++ m = ieee80211_decap(vap, m, hdrspace, qos); + if (m == NULL) { + /* XXX mask bit to check for both */ + /* don't count Null data frames as errors */ +@@ -840,7 +840,10 @@ + IEEE80211_NODE_STAT(ni, rx_decap); + goto err; + } +- eh = mtod(m, struct ether_header *); ++ if (!(qos & IEEE80211_QOS_AMSDU)) ++ eh = mtod(m, struct ether_header *); ++ else ++ eh = NULL; + if (!ieee80211_node_is_authorized(ni)) { + /* + * Deny any non-PAE frames received prior to +@@ -850,11 +853,13 @@ + * the port is not marked authorized by the + * authenticator until the handshake has completed. + */ +- if (eh->ether_type != htons(ETHERTYPE_PAE)) { ++ if (eh == NULL || ++ eh->ether_type != htons(ETHERTYPE_PAE)) { + IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, +- eh->ether_shost, "data", +- "unauthorized port: ether type 0x%x len %u", +- eh->ether_type, m->m_pkthdr.len); ++ ni->ni_macaddr, "data", "unauthorized or " ++ "unknown port: ether type 0x%x len %u", ++ eh == NULL ? -1 : eh->ether_type, ++ m->m_pkthdr.len); + vap->iv_stats.is_rx_unauth++; + IEEE80211_NODE_STAT(ni, rx_unauth); + goto err; +@@ -867,7 +872,8 @@ + if ((vap->iv_flags & IEEE80211_F_DROPUNENC) && + ((has_decrypted == 0) && (m->m_flags & M_WEP) == 0) && + (is_hw_decrypted == 0) && +- eh->ether_type != htons(ETHERTYPE_PAE)) { ++ (eh == NULL || ++ eh->ether_type != htons(ETHERTYPE_PAE))) { + /* + * Drop unencrypted frames. + */ +--- sys/net80211/ieee80211_wds.c.orig ++++ sys/net80211/ieee80211_wds.c +@@ -594,7 +594,7 @@ + * Next up, any fragmentation. + */ + if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) { +- m = ieee80211_defrag(ni, m, hdrspace); ++ m = ieee80211_defrag(ni, m, hdrspace, has_decrypted); + if (m == NULL) { + /* Fragment dropped or frame not complete yet */ + goto out; +@@ -621,7 +621,7 @@ + /* + * Finally, strip the 802.11 header. 
+ */ +- m = ieee80211_decap(vap, m, hdrspace); ++ m = ieee80211_decap(vap, m, hdrspace, qos); + if (m == NULL) { + /* XXX mask bit to check for both */ + /* don't count Null data frames as errors */ +@@ -634,7 +634,10 @@ + IEEE80211_NODE_STAT(ni, rx_decap); + goto err; + } +- eh = mtod(m, struct ether_header *); ++ if (!(qos & IEEE80211_QOS_AMSDU)) ++ eh = mtod(m, struct ether_header *); ++ else ++ eh = NULL; + if (!ieee80211_node_is_authorized(ni)) { + /* + * Deny any non-PAE frames received prior to +@@ -644,11 +647,13 @@ + * the port is not marked authorized by the + * authenticator until the handshake has completed. + */ +- if (eh->ether_type != htons(ETHERTYPE_PAE)) { ++ if (eh == NULL || ++ eh->ether_type != htons(ETHERTYPE_PAE)) { + IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, +- eh->ether_shost, "data", +- "unauthorized port: ether type 0x%x len %u", +- eh->ether_type, m->m_pkthdr.len); ++ ni->ni_macaddr, "data", "unauthorized or " ++ "unknown port: ether type 0x%x len %u", ++ eh == NULL ? -1 : eh->ether_type, ++ m->m_pkthdr.len); + vap->iv_stats.is_rx_unauth++; + IEEE80211_NODE_STAT(ni, rx_unauth); + goto err; +@@ -661,7 +666,8 @@ + if ((vap->iv_flags & IEEE80211_F_DROPUNENC) && + ((has_decrypted == 0) && (m->m_flags & M_WEP) == 0) && + (is_hw_decrypted == 0) && +- eh->ether_type != htons(ETHERTYPE_PAE)) { ++ (eh == NULL || ++ eh->ether_type != htons(ETHERTYPE_PAE))) { + /* + * Drop unencrypted frames. + */ diff --git a/website/static/security/patches/SA-22:02/wifi.13.patch.asc b/website/static/security/patches/SA-22:02/wifi.13.patch.asc new file mode 100644 index 0000000000..d363dbdb13 --- /dev/null +++ b/website/static/security/patches/SA-22:02/wifi.13.patch.asc 
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmIw5a0ACgkQ05eS9J6n +5cJ03RAAi1UkhtAAXdU1ID0qnuX/lABpHkhFgcEymB6VkkPLZ7zJvm93uTaa/nmq +uOtecNDKfd7cnm0xEOt2F4oSH75FblxXgzKfmPki5esQziUJI7T3JbXSXMmRjCR3 +9Wx1JjSA/+jNkuRyuOUznu36vfFoQSmZBaAG0C8LUpFMNCXj3z4BMnorhwEEPJYE +ChZgmMvGcl4/HyFvxK9sbt4vn8U2bDSUNdhHXjSizv2bwgphrKGaAu4VZzPIOyWn +RygzZisfzyWtwXcm8mMZD8SyQlONAS5IPFCiH7VpBWp9aAeJwJNKgF7nMkqFt2uJ +z28YYLTLLSnnoUbz2NlCCRtxisOqblxwwP4oz1x88ay0ffoV0g3xImlle0fTdwD4 +hYoDhf8DCAwH7M1uxg6GLndYKGfqHI7uqq8zGU06gQ8Vqn5kU6KNQb38frrgRcaN +bhWKYCZtE165u3jCflp2Hre0TRwiNbnldwp0nzD8AKHtMgRNKDFRdkosAXsWJwgR +6/JH3C9QXm+I6PRNVsGYFxyAWCI9BjI7bN7uifxExEWMmmKU934irnVhFHbyrzQ9 +nrj8Lu9C6esfev4rMA9L1+Pk7RXXPOrUDEf4nYraAjGWIfNEOZ8AamlMG/+kJRTf +Rr9BZxfOCR/vtcmqXfp7amABSqmlzFWpGteBj287uYMpqQa+NVc= +=NQZB +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/SA-22:03/openssl.patch b/website/static/security/patches/SA-22:03/openssl.patch new file mode 100644 index 0000000000..4b0af80705 --- /dev/null +++ b/website/static/security/patches/SA-22:03/openssl.patch 
@@ -0,0 +1,92 @@ +--- crypto/openssl/crypto/bn/bn_sqrt.c.orig ++++ crypto/openssl/crypto/bn/bn_sqrt.c +@@ -14,7 +14,8 @@ + /* + * Returns 'ret' such that ret^2 == a (mod p), using the Tonelli/Shanks + * algorithm (cf. Henri Cohen, "A Course in Algebraic Computational Number +- * Theory", algorithm 1.5.1). 'p' must be prime! ++ * Theory", algorithm 1.5.1). 'p' must be prime, otherwise an error or ++ * an incorrect "result" will be returned. + */ + { + BIGNUM *ret = in; +@@ -301,18 +302,23 @@ + goto vrfy; + } + +- /* find smallest i such that b^(2^i) = 1 */ +- i = 1; +- if (!BN_mod_sqr(t, b, p, ctx)) +- goto end; +- while (!BN_is_one(t)) { +- i++; +- if (i == e) { +- BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE); +- goto end; ++ /* Find the smallest i, 0 < i < e, such that b^(2^i) = 1. */ ++ for (i = 1; i < e; i++) { ++ if (i == 1) { ++ if (!BN_mod_sqr(t, b, p, ctx)) ++ goto end; ++ ++ } else { ++ if (!BN_mod_mul(t, t, t, p, ctx)) ++ goto end; + } +- if (!BN_mod_mul(t, t, t, p, ctx)) +- goto end; ++ if (BN_is_one(t)) ++ break; ++ } ++ /* If not found, a is not a square or p is not prime. 
*/ ++ if (i >= e) { ++ BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE); ++ goto end; + } + + /* t := y^2^(e - i - 1) */ +--- crypto/openssl/doc/man3/BN_add.pod.orig ++++ crypto/openssl/doc/man3/BN_add.pod +@@ -3,7 +3,7 @@ + =head1 NAME + + BN_add, BN_sub, BN_mul, BN_sqr, BN_div, BN_mod, BN_nnmod, BN_mod_add, +-BN_mod_sub, BN_mod_mul, BN_mod_sqr, BN_exp, BN_mod_exp, BN_gcd - ++BN_mod_sub, BN_mod_mul, BN_mod_sqr, BN_mod_sqrt, BN_exp, BN_mod_exp, BN_gcd - + arithmetic operations on BIGNUMs + + =head1 SYNOPSIS +@@ -36,6 +36,8 @@ + + int BN_mod_sqr(BIGNUM *r, BIGNUM *a, const BIGNUM *m, BN_CTX *ctx); + ++ BIGNUM *BN_mod_sqrt(BIGNUM *in, BIGNUM *a, const BIGNUM *p, BN_CTX *ctx); ++ + int BN_exp(BIGNUM *r, BIGNUM *a, BIGNUM *p, BN_CTX *ctx); + + int BN_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p, +@@ -87,6 +89,12 @@ + BN_mod_sqr() takes the square of I<a> modulo B<m> and places the + result in I<r>. + ++BN_mod_sqrt() returns the modular square root of I<a> such that ++C<in^2 = a (mod p)>. The modulus I<p> must be a ++prime, otherwise an error or an incorrect "result" will be returned. ++The result is stored into I<in> which can be NULL. The result will be ++newly allocated in that case. ++ + BN_exp() raises I<a> to the I<p>-th power and places the result in I<r> + (C<r=a^p>). This function is faster than repeated applications of + BN_mul(). +@@ -108,7 +116,10 @@ + + =head1 RETURN VALUES + +-For all functions, 1 is returned for success, 0 on error. The return ++The BN_mod_sqrt() returns the result (possibly incorrect if I<p> is ++not a prime), or NULL. ++ ++For all remaining functions, 1 is returned for success, 0 on error. The return + value should always be checked (e.g., C<if (!BN_add(r,a,b)) goto err;>). + The error codes can be obtained by L<ERR_get_error(3)>. + diff --git a/website/static/security/patches/SA-22:03/openssl.patch.asc b/website/static/security/patches/SA-22:03/openssl.patch.asc new file mode 100644 index 0000000000..18a1108049 --- /dev/null 
+++ b/website/static/security/patches/SA-22:03/openssl.patch.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmIw5a0ACgkQ05eS9J6n +5cLAmg//VoGJaH5pbdDV/VlMuxc1p/kBvD90vjgTuAbPZ9T02PUyiVl2xVXUQLm2 +rmTShnR7sA35jPuvaiX6G5L3xbXHuaTHz1sAZnbpVrsBVElVvffob2LlAS0n7TIb +Kfr5EGwuy8rwz0G0Kx3ClfgXScfJ863834IAKwbbrgV2cgmopnHtzXxl3VixtK03 +h0b/AuRpFuxVoQ+3SdPzB8tXDOIY1gjacY//nGmvrg7dARgJa0k0liL2/MiMMrVP ++GpsArwklPpxVz9HV7TJQT7yEw4DEKxZlsri/4FaMchOndh7SCiiGYhsZ4W+ID8A +YjVp2sygbiggaeiRIH2Msx1oIpflLb393ynHh+n1PxYlAu627j/H8OfmD67bPtqU +NFrwjKERd3/3m9mFLl69vZPSSgEZn4E3/ycsf0etLnskxhmY07MRYeEhw9skqhnL +1TlfEMy7b49VqvBQs0LVzT8qC0tOOgu9rb/lqss4ps+ei6EA1evPan/vW6QApxDQ +Ft14aXUi7TDkyMNvBhFDNjiO3XmszxHXZP1v4R8gdog0DGIavkVHXNvfNLz2102i +be0800LLHw1KiiN/uK+QY2hpP7s0sNrvC7sBKz7zMPC1eOl4m6MeY+xhaTp/FcVW +3F/tQfxbX9z9D1gjcvNi16LfXKBg6wDJfiHuNR4VCU3Yz/QNKnw= +=ygJX +-----END PGP SIGNATURE----- |
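Review bot: In the unauthorized-port branch repeated in ieee80211_adhoc.c, ieee80211_hostap.c, ieee80211_sta.c and ieee80211_wds.c, the discard message feeds `eh == NULL ? -1 : eh->ether_type` to a `0x%x` conversion, so an A-MSDU dropped on an unauthorized port is logged as ether type 0xffffffff under the combined text "unauthorized or unknown port". That is hard to tell apart from a genuine non-PAE frame when triaging is_rx_unauth increments. Suggest a separate message for the `eh == NULL` case that says the frame was an A-MSDU and omits the ether type. Since the same change is pasted into four input paths, a small shared helper for this check would keep the copies from drifting.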
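Review bot: ieee80211_defrag() in ieee80211_input.c decides whether a fragment counts as encrypted from `has_decrypted` alone, while the drop-unencrypted test in the same callers also accepts `(m->m_flags & M_WEP)` and `is_hw_decrypted` as evidence of encryption. If a hardware-decrypted fragment can reach defrag with has_decrypted == 0, the new `!((wh->i_fc[1] ^ lwh->i_fc[1]) & IEEE80211_FC1_PROTECTED)` test would treat it as plaintext, which is the mixing this check is meant to stop. Either pass the combined state or add a comment explaining why has_decrypted is sufficient. The XXX comment already notes that the state is parked in the frame's own i_fc[1]; a field kept beside ni_rxfrag[0] would avoid rewriting header bits and the need to clear them again before `return mfrag`.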
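Review bot: The new `return NULL` after the `memcmp(eh->ether_dhost, llc_hdr_mac, ETHER_ADDR_LEN)` test in ieee80211_decap1() leaves `m` allocated, whereas the `m_pullup()` failure two lines above returns NULL only after m_pullup() has freed the chain. A caller cannot tell the two NULL returns apart, so unless every caller frees the mbuf itself this path leaks one mbuf for each rejected frame, and the sender controls how often that happens. Add `m_freem(m)` before the return, or document the ownership rule in the function comment. A statistics counter on this path would also let operators see that spoofed A-MSDU frames are being rejected.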
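Review bot: The ieee80211_mesh.c hunk passes a literal 0 as the new has_decrypted argument, `m = ieee80211_defrag(ni, m, hdrspace, 0);`, while the adhoc, hostap, sta and wds paths pass their real has_decrypted value. With a constant 0 every mesh fragment is treated as plaintext, so the mixed plaintext/encrypted check added to ieee80211_defrag() never rejects anything on this path. If mesh input never decrypts before defragmentation, say so in a comment at the call site; otherwise plumb the actual state through as the other callers do.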
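Review bot: In the bn_sqrt.c hunk the rewritten loop tests `if (i == 1)` on every iteration only to choose between BN_mod_sqr() and BN_mod_mul(), and there is a stray blank line before `} else {`. Doing the initial `BN_mod_sqr(t, b, p, ctx)` once before the loop and keeping only the `BN_mod_mul(t, t, t, p, ctx)` step inside a loop bounded by `i < e` gives the same termination guarantee with less branching. The bound on `i` is the actual fix for the non-prime case, so the comment "If not found, a is not a square or p is not prime" is good to keep. The patch touches only bn_sqrt.c and BN_add.pod; a regression test that calls BN_mod_sqrt() with a composite modulus and expects a NULL return would guard the bound against future edits.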
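Review bot: The BN_add.pod RETURN VALUES text says BN_mod_sqrt() returns a result that is "possibly incorrect if I<p> is not a prime" but gives the caller no way to detect that case. Since the description already states the contract as `in^2 = a (mod p)`, add a sentence advising callers who cannot guarantee a prime modulus to verify that relation on the returned value. Two smaller points: "The BN_mod_sqrt() returns" should drop the article, and the text should say that a result allocated because I<in> was NULL must be freed by the caller.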