| author | Muhammad Moinur Rahman <bofh@FreeBSD.org> | 2025-07-04 17:27:26 +0000 |
|---|---|---|
| committer | Muhammad Moinur Rahman <bofh@FreeBSD.org> | 2025-07-04 17:59:07 +0000 |
| commit | 5168fe057854ac04bfb422e9fa284bc28d681b59 (patch) | |
| tree | 2e25eced9ded150a4f07c65363d72f3932c9baa7 | |
| parent | 86796580177665b4a1da91aa1e4b629c4a63e3da (diff) | |
| -rw-r--r-- | website/content/en/releases/15.0R/relnotes.adoc | 249 |
1 files changed, 243 insertions, 6 deletions
diff --git a/website/content/en/releases/15.0R/relnotes.adoc b/website/content/en/releases/15.0R/relnotes.adoc index 0b0aba0e48..3afbb125f3 100644 --- a/website/content/en/releases/15.0R/relnotes.adoc +++ b/website/content/en/releases/15.0R/relnotes.adoc @@ -87,10 +87,29 @@ This section lists the various Security Advisories and Errata Notices since {rel | Date | Topic -|No advisories. -| -| +|https://www.freebsd.org/security/advisories/FreeBSD-SA-23:17.pf.asc[FreeBSD-SA-23:17.pf] +|05 December 2023 +|TCP spoofing vulnerability in man:pf[4] +|https://www.freebsd.org/security/advisories/FreeBSD-SA-23:18.nfsclient.asc[FreeBSD-SA-23:18.nfsclient] +|12 December 2023 +|NFS client data corruption and kernel memory disclosure + +|https://www.freebsd.org/security/advisories/FreeBSD-SA-23:19.openssh.asc[FreeBSD-SA-23:19.openssh] +|19 December 2023 +|Prefix Truncation Attack in the SSH protocol + +|https://www.freebsd.org/security/advisories/FreeBSD-SA-24:01.bhyveload.asc[FreeBSD-SA-24:01.bhyveload] +|14 February 2024 +|man:bhyveload[8] host file access + +|https://www.freebsd.org/security/advisories/FreeBSD-SA-24:02.tty.asc[FreeBSD-SA-24:02.tty] +|14 February 2024 +|man:jail[2] information leak + +|https://www.freebsd.org/security/advisories/FreeBSD-SA-24:03.unbound.asc[FreeBSD-SA-24:03.unbound] +|28 March 2024 +|Multiple vulnerabilities in unbound |=== [[errata]] 
@@ -103,11 +122,73 @@ This section lists the various Security Advisories and Errata Notices since {rel | Date | Topic -|No notices. -| -| +|https://www.freebsd.org/security/advisories/FreeBSD-EN-23:15.sanitizer.asc[FreeBSDS-EN-23:15:sanitizer] +|01 December 2023 +|Clang sanitizer failure with ASLR enabled + +|https://www.freebsd.org/security/advisories/FreeBSD-EN-23:16.openzfs.asc[FreeBSDS-EN-23:16:openzfs] +|01 December 2023 +|OpenZFS data corruption + +|https://www.freebsd.org/security/advisories/FreeBSD-EN-23:17.ossl.asc[FreeBSDS-EN-23:17:ossl] +|05 December 2023 +|man:ossl[4]'s AES-GCM implementation may give incorrect results + +|https://www.freebsd.org/security/advisories/FreeBSD-EN-23:18.openzfs.asc[FreeBSDS-EN-23:18:openzfs] +|05 December 2023 +|High CPU usage by ZFS kernel threads + +|https://www.freebsd.org/security/advisories/FreeBSD-EN-23:19.pkgbase.asc[FreeBSDS-EN-23:19:pkgbase] +|05 December 2023 +|Incorrect pkgbase version number for FreeBSD {releasePrev}. + +|https://www.freebsd.org/security/advisories/FreeBSD-EN-23:20.vm.asc[FreeBSDS-EN-23:20:vm] +|05 December 2023 +|Incorrect results from the kernel physical memory allocator + +|https://www.freebsd.org/security/advisories/FreeBSD-EN-23:21.tty.asc[FreeBSDS-EN-23:21:tty] +|24 November 2023 +|man:tty[4] IUTF8 causes a kernel panic + +|https://www.freebsd.org/security/advisories/FreeBSD-EN-23:22.vfs.asc[FreeBSDS-EN-23:22:vfs] +|05 December 2023 +|ZFS snapshot directories not accessible over NFS + +|https://www.freebsd.org/security/advisories/FreeBSD-EN-24:01.tzdata.asc[FreeBSDS-EN-24:01:tzdata] +|14 February 2024 +|Timezone database information update + +|https://www.freebsd.org/security/advisories/FreeBSD-EN-24:02.libutil.asc[FreeBSDS-EN-24:02:libutil] +|14 February 2024 +|Login class resource limits and CPU mask bypass + +|https://www.freebsd.org/security/advisories/FreeBSD-EN-24:03.kqueue.asc[FreeBSDS-EN-24:03:kqueue] +|14 February 2024 +|man:kqueue_close[2] page fault on exit using man:rfork[2] + 
+|https://www.freebsd.org/security/advisories/FreeBSD-EN-24:04.ip.asc[FreeBSDS-EN-24:04:ip] +|14 February 2024 +|Kernel panic triggered by man:bind[2] + +|https://www.freebsd.org/security/advisories/FreeBSD-EN-24:05.tty.asc[FreeBSDS-EN-24:05:tty] +|28 March 2024 +|TTY Kernel Panic +|https://www.freebsd.org/security/advisories/FreeBSD-EN-24:06.wireguard.asc[FreeBSDS-EN-24:06:wireguard] +|28 March 2024 +|Insufficient barriers in WireGuard man:if_wg[4] +|https://www.freebsd.org/security/advisories/FreeBSD-EN-24:07.clang.asc[FreeBSDS-EN-24:07:clang] +|28 March 2024 +|Clang crash when certain optimization is enabled + +|https://www.freebsd.org/security/advisories/FreeBSD-EN-24:08.kerberos.asc[FreeBSDS-EN-24:08:kerberos] +|28 March 2024 +|Kerberos segfaults when using weak crypto + +|https://www.freebsd.org/security/advisories/FreeBSD-EN-24:09.zfs.asc[FreeBSDS-EN-24:09:zfs] +|24 April 2024 +|High CPU usage by kernel threads related to ZFS |=== [[userland]] 
@@ -118,18 +199,90 @@ This section covers changes and additions to userland applications, contributed [[userland-config]] === Userland Configuration Changes +A new `kdc_restart` variable is available that manages man:kdc[8] (or `krb5kdc`) under man:daemon[8]. +Set `kdc_restart="YES"` in man:rc.conf[5] to auto restart kdc on abnormal termination. +Set `kdc_restart_delay="N"` to the number of seconds to delay before restarting the kdc. +gitref:abc4b3088941[repository=src] + +By default, changes shown in email by the man:periodic[8] facility from the `daily` scripts show less context than before to reduce the size of the output. +The behavior can be controlled by the `daily_diff_flags` variable in man:periodic.conf[5]. +Similarly, the changes shown by the security scripts show less context than previously, controlled by the `security_status_diff_flags` variable in man:periodic.conf[5]. +gitref:538994626b9f[repository=src], gitref:37dc394170a5[repository=src], gitref:128e78ffb084[repository=src] + [[userland-programs]] === Userland Application Changes +The man:adduser[8] utility, used by man:bsdinstall[8], will now create a ZFS dataset for a new user's home directory if the parent directory resides on a ZFS dataset. +A command-line option is available to disable use of a separate dataset. +ZFS encryption is also available. +gitref:516009ce8d38[repository=src] + +The man:date[1] program now supports nanoseconds. +For example: `date -Ins` prints "2024-04-22T12:20:28,763742224+02:00" and `date +%N` prints "415050400". +gitref:eeb04a736cb9[repository=src] + +The man:dtrace[1] utility can now generate machine-readable output in JSON, XML, and HTML using man:libxo[3]. +gitref:aef4504139a4[repository=src] (Sponsored by Innovate UK) + +The man:lastcomm[1] utility now displays timestamps with a precision of seconds. +gitref:692c0a2e80c1[repository=src] (Sponsored by DSS Gmbh) + +The man:ldconfig[8] utility now supports hints files of either byte order. 
+The default format is the native byte-order of the host. +gitref:fa7b31166ddb[repository=src] + +OpenSSH has been upgraded to version 9.7p1. +Full release notes are at https://www.openssh.com/txt/release-9.7[] and https://www.openssh.com/txt/release-9.6[] . +gitref:a25789646d71[repository=src], gitref:464fa66f639b[repository=src] (Sponsored by The FreeBSD Foundation) + +The man:usbconfig[8] utility now reads the descriptions of usb vendor and products from [.filename]#/usr/share/misc/usb_vendors# when available, similar to what man:pciconf[8] does. +gitref:7b9a772f9f64[repository=src] + [[userland-contrib]] === Contributed Software +One True Awk (man:awk[1]) has been updated to 2nd Edition, with new -csv support and UTF-8 support. +gitref:daf917daba9c[repository=src] + +Clang/LLVM have been upgraded to version 18.1.5. +gitref:90a5e985e5f4[repository=src] + +The man:libarchive[3] library has been upgraded to version 3.7.4. +gitref:8774c92e32b2[repository=src] + +The man:sendmail[8] suite has been upgraded to version 8.18.1, addressing CVE-2023-51765. +gitref:58ae50f31e95[repository=src] + +The man:unbound[8] resolver has been upgraded to version 1.20.0, and addresses "`The DNSBomb`" vulnerability, CVE-2024-33655. +gitref:dcde37c4170b[repository=src] + [[userland-deprecated-programs]] === Deprecated Applications [[userland-libraries]] === Runtime Libraries and API +The man:setusercontext[3] routine in `libutil` will now set the process priority (nice) from the [.filename]#.login.conf# file from the home directory under appropriate conditions, as well as the system man:login.conf[5]. +The priority can now have the value `inherit`, indicating that the priority should be unchanged from that of the parent process. +Similarly, the umask can have the value `inherit`. 
+gitref:6f6186e19fe5[repository=src], gitref:a8c273b3c97f[repository=src], gitref:d2d66fedc418[repository=src] (Sponsored by Kumacom SAS) + +Many string and memory operations in the C library now use SIMD (single instruction multiple data) extensions for improved performance when available on amd64 systems; see man:simd[7]. +(Sponsored by The FreeBSD Foundation) + +There is now a much better implementation of the 128-bit `tgammal` function in the math library, man:math[3], on platforms that support it. +gitref:8df6c930c151[repository=src] + +[[cloud]] +== Cloud Support + +This section covers changes in support for cloud environments. + +{releaseCurrent} supports cloudinit, including the `nuageinit` startup script and support for a `config-drive` partition. +It is compatible with OpenStack and many hosting facilities. +See the https://cloud-init.io[cloud-init] web site and the commit messages, +gitref:16a6da44e28d[repository=src] gitref:227e7a205edf[repository=src]. (Sponsored by OVHCloud) + [[kernel]] == Kernel @@ -138,6 +291,9 @@ This section covers changes to kernel configurations, system tuning, and system [[kernel-general]] === General Kernel Changes +The `fpu_kern_enter` and `fpu_kern_leave` routines have been implemented for powerpc, allowing the use of man:ossl[4] crypto functions in the kernel that use floating point and vector registers. +gitref:91e53779b4fc[repository=src] + [[drivers]] == Devices and Drivers 
@@ -146,6 +302,28 @@ This section covers changes and additions to devices and device drivers since {r [[drivers-device]] === Device Drivers +A driver is available for man:ice[4] Ethernet network controllers in the Intel E800 series, which support 100 Gb/s operation. +It was upgraded to version 1.39.13-k. +gitref:71d104536b51[repository=src] gitref:f6de0a7c94e9[repository=src] (Sponsored by Intel Corporation) + +Numerous stability improvements have been in the man:iwlwifi[4] driver for Intel Wi-Fi devices. +(Sponsored by The FreeBSD Foundation) + +Multiple PCI MCFG regions are now supported on amd64 and i386, allowing PCI configuration space access for domains (segments) other than 0. +gitref:4b5f64408804[repository=src] + +The man:smsc[4] Ethernet driver can now fetch the value of `smsc95xx.macaddr` passed by some Raspberry Pi models and use it for the MAC address. +It always uses a stable MAC address even if there is no address in EEPROM. +gitref:028e4c6548e4[repository=src] + +The `snd_clone` framework has been removed from the sound subsystem, including related sysctls, simplifying the system. +The per-channel nodes ([.filename]#/dev/dspX.Y#) are no longer created, just the primary device ([.filename]#/dev/dspX#). +gitref:e6c51f6db8d7[repository=src] (Sponsored by The FreeBSD Foundation) + +Audio now supports asynchronous device detach. +This greatly simplifies hot plugging and unplugging of things such as USB headsets, and eases use of PulseAudio in cases that require operating system sleep and wake (suspend and resume). +gitref:d692c314d29a[repository=src] (Sponsored by The FreeBSD Foundation) + [[drivers-removals]] === Deprecated and Removed Drivers 
@@ -154,6 +332,30 @@ This section covers changes and additions to devices and device drivers since {r This section covers changes and additions to file systems and other storage subsystems, both local and networked. +[[storage-nfs]] +=== NFS + +The man:mountd[8] server has been modified to use man:strunvis[3] to decode directory names in man:exports[5] file(s). +This allows special characters, such as blanks, to be embedded in the directory name. +`vis -M` may be used to encode such directory names; see man:vis[1]. +gitref:2c83f1ada435[repository=src] + +New man:sysctl[8] variables have been added under `kern.rpc.unenc` and `kern.rpc.tls`, which allow an NFS server administrator to determine how much NFS-over-TLS is being used. +A large number of failed handshakes might indicate an NFS configuration problem. +gitref:b8e137d8d32d[repository=src] + +[[storage-ufs]] +=== UFS + +Soft updates are now enabled by default when creating a new UFS file system with man:newfs[8]. +gitref:6b2af2d88ffd[repository=src] + +[[storage-zfs]] +=== ZFS + +OpenZFS has been upgraded to version 2.2.4. +gitref:78c9d8f1ce65[repository=src] + [[storage-general]] === General Storage 
@@ -165,6 +367,28 @@ This section covers the boot loader, boot menu, and other boot-related changes. [[boot-loader]] === Boot Loader Changes +The man:loader[8] now reads local configuration files listed in the variable `local_loader_conf_files` after other configuration files, defaulting to [.filename]#/boot/loader.conf.local#. +gitref:a25531db0fc2[repository=src] + +The man:loader[8] can now be configured to read specific configuration files based on the planar maker, planar product, system product and uboot m_product variables from the SMBIOS. +For the moment, the best documentation is the git commit message, +gitref:3eb3a802a31b[repository=src]. + +Console detection in man:loader[8] has been improved on EFI systems. +If there is no ConOut variable, ConIn is checked. +If multiple devices are found, serial is preferred. +gitref:20a6f4779ac6[repository=src] (Sponsored by Netflix) + +Frame buffer support in man:loader[8] can now use a text-only video driver, resulting in space savings. +gitref:57ca2848c0aa[repository=src] (Sponsored by Netflix) + +The detection of ACPI is now done earlier in man:loader.efi[8] on arm64 systems. +The copy of [.filename]#loader.efi# on the EFI partition should be updated on arm64 systems using ACPI. +gitref:05cf4dda599a[repository=src] gitref:16c09de80135[repository=src] + +The LinuxBoot loader can be used to boot FreeBSD from Linux on aarch64 systems as well as amd64. +gitref:46010641267[repository=src] (Sponsored by Netflix) + [[network]] == Networking 
@@ -173,6 +397,16 @@ This section describes changes that affect networking in FreeBSD. [[network-general]] === General Network +ARP (man:arp[4]) support for 802-standard networks has been restored; it had been accidentally removed with FDDI support. +(This is different than the Ethernet standard encapsulation.) +gitref:d776dd5fbd48[repository=src] + +It is possible to build a kernel with IPv6 support (INET6) without IPv4 (INET). +gitref:6df9fa1c6b83[repository=src] and others + +The netgraph man:ng_ipfw[4] module no longer truncates cookies to 16 bits, allowing a full 32 bits. +gitref:dadf64c5586e[repository=src] + [[wireless-networking]] === Wireless Networking @@ -196,6 +430,9 @@ This section covers changes to manual (man:man[1]) pages and other documentation [[man-pages]] === Man Pages +A new man:networking[7] manual page provides a quickstart guide to connecting the system to networks including Wi-Fi, and links to other manual pages and the handbook. +gitref:39f92a4c4c49[repository=src] + [[ports]] == Ports Collection and Package Infrastructure |
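Review bot: in the security advisories table (hunk `@@ -87,10 +87,29 @@`), the newest row is FreeBSD-SA-24:03.unbound, dated 28 March 2024, while this commit is dated July 2025 and edits the 15.0R release notes. Please confirm the table covers the whole period the section says it covers, or state in the section that the list is still to be completed. As a style point, the FreeBSD-SA-23:17.pf row is the only one not followed by a blank line before the next row.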
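Review bot: every link label in the errata table (hunk `@@ -103,11 +122,73 @@`) is misspelled. The labels read `FreeBSDS-EN-23:15:sanitizer`, with an extra "S" and a colon before the topic, while the URLs use `FreeBSD-EN-23:15.sanitizer` and the advisories table uses the `FreeBSD-SA-23:17.pf` form. Suggest changing all of them to `FreeBSD-EN-NN:NN.topic` so the visible identifier matches the notice it links to. The 24:05.tty and 24:06.wireguard rows also lack the blank separator line the other rows have, and "TTY Kernel Panic" is title-cased unlike the other topics.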
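Review bot: in the Contributed Software part of hunk `@@ -118,18 +199,90 @@`, "new -csv support" gives the awk option as bare text with a single dash. Please check the spelling against man:awk[1] and mark it up as a literal, as is done for `date -Ins`. In the same hunk, the SIMD paragraph is the only entry without a gitref, the OpenSSH line has a stray space before the full stop after `release-9.6[]`, "usb vendor" should be "USB vendor", and the sendmail and unbound entries name CVE-2023-51765 and CVE-2024-33655 without pointing the reader to a matching advisory row or saying that none exists.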
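Review bot: in the Device Drivers hunk (`@@ -146,6 +302,28 @@`), "Numerous stability improvements have been in the man:iwlwifi[4] driver" is missing a word, presumably "have been made in". The man:ice[4] entry also mixes tenses ("A driver is available ... It was upgraded to version 1.39.13-k"), which leaves it unclear whether the driver is new in this release or only updated. The `snd_clone` removal drops the [.filename]#/dev/dspX.Y# nodes, which is user-visible, so a sentence on what configurations that opened per-channel nodes should use instead would help.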
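Review bot: the NFS entry in hunk `@@ -154,6 +332,30 @@` says the new variables under `kern.rpc.unenc` and `kern.rpc.tls` let an administrator see how much NFS-over-TLS is in use, and that many failed handshakes may indicate a configuration problem, but it never names the counter that reports failed handshakes. Suggest naming the specific sysctl nodes, or pointing to the manual page that documents them, so the note can be acted on when checking whether clients are actually negotiating TLS.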
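Review bot: in the Boot Loader hunk (`@@ -165,6 +367,28 @@`), `gitref:46010641267[repository=src]` on the LinuxBoot entry has 11 hex digits where every other gitref in this patch has 12, so the hash looks truncated and the link may not resolve. Please re-check it against the commit. The SMBIOS entry also defers to "the git commit message" for documentation; a one-line example of the resulting file name pattern would make the note usable on its own.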
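Review bot: in the General Network hunk (`@@ -173,6 +397,16 @@`), "It is possible to build a kernel with IPv6 support (INET6) without IPv4 (INET)" does not say that this is a change; suggest "It is now possible" to match the other entries. The trailing "and others" after `gitref:6df9fa1c6b83` is vague, so either list the remaining commits or drop the phrase.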
