authorGordon Tetlow <gordon@FreeBSD.org>2025-07-02 18:43:22 +0000
committerGordon Tetlow <gordon@FreeBSD.org>2025-07-02 18:43:22 +0000
commita612fa54abb9b14eec99e07f45bf00b2b400f9a0 (patch)
treee3d10c0168d9a126071c830bdaec59ff67bb5e19
parent8d6dcda3ef8ef42bc213bb9577b6069cdb5f3296 (diff)
-rw-r--r--website/data/security/advisories.toml4
-rw-r--r--website/data/security/errata.toml12
-rw-r--r--website/static/security/advisories/FreeBSD-EN-25:09.libc.asc140
-rw-r--r--website/static/security/advisories/FreeBSD-EN-25:10.zfs.asc145
-rw-r--r--website/static/security/advisories/FreeBSD-EN-25:11.ena.asc155
-rw-r--r--website/static/security/advisories/FreeBSD-SA-25:06.xz.asc136
-rw-r--r--website/static/security/patches/EN-25:09/libc.patch93
-rw-r--r--website/static/security/patches/EN-25:09/libc.patch.asc16
-rw-r--r--website/static/security/patches/EN-25:10/zfs.patch22
-rw-r--r--website/static/security/patches/EN-25:10/zfs.patch.asc16
-rw-r--r--website/static/security/patches/EN-25:11/ena.patch66
-rw-r--r--website/static/security/patches/EN-25:11/ena.patch.asc16
-rw-r--r--website/static/security/patches/SA-25:06/xz.patch182
-rw-r--r--website/static/security/patches/SA-25:06/xz.patch.asc16
14 files changed, 1019 insertions, 0 deletions
diff --git a/website/data/security/advisories.toml b/website/data/security/advisories.toml
index fb54b5d5e6..103be4c068 100644
--- a/website/data/security/advisories.toml
+++ b/website/data/security/advisories.toml
@@ -2,6 +2,10 @@
# $FreeBSD$
[[advisories]]
+name = "FreeBSD-SA-25:06.xz"
+date = "2025-07-02"
+
+[[advisories]]
name = "FreeBSD-SA-25:05.openssh"
date = "2025-02-21"
diff --git a/website/data/security/errata.toml b/website/data/security/errata.toml
index bd86e232cc..c58cf02825 100644
--- a/website/data/security/errata.toml
+++ b/website/data/security/errata.toml
@@ -2,6 +2,18 @@
# $FreeBSD$
[[notices]]
+name = "FreeBSD-EN-25:11.ena"
+date = "2025-07-02"
+
+[[notices]]
+name = "FreeBSD-EN-25:10.zfs"
+date = "2025-07-02"
+
+[[notices]]
+name = "FreeBSD-EN-25:09.libc"
+date = "2025-07-02"
+
+[[notices]]
name = "FreeBSD-EN-25:08.caroot"
date = "2025-04-10"
diff --git a/website/static/security/advisories/FreeBSD-EN-25:09.libc.asc b/website/static/security/advisories/FreeBSD-EN-25:09.libc.asc
new file mode 100644
index 0000000000..5153f41871
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-25:09.libc.asc
@@ -0,0 +1,140 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-25:09.libc Errata Notice
+ The FreeBSD Project
+
+Topic: Dynamically-loaded C++ libraries crashing at exit
+
+Category: core
+Module: libc
+Announced: 2025-07-02
+Affects: FreeBSD 13.5 and FreeBSD 14.2
+Corrected: 2025-04-17 01:01:36 UTC (stable/14, 14.2-STABLE)
+ 2025-07-02 18:28:08 UTC (releng/14.2, 14.2-RELEASE-p4)
+ 2025-04-17 01:02:12 UTC (stable/13, 13.5-STABLE)
+ 2025-07-02 18:28:28 UTC (releng/13.5, 13.5-RELEASE-p2)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+In C++, global objects' destructors are called at unload or exit time.
+Global objects may be created either as objects in a global scope, or as
+objects in a function scope declared with the `static` keyword.
+
+II. Problem Description
+
+Object destructors can create further global objects through the second
+mechanism described above, function-scoped objects with the `static` keyword.
+
+Creation of these objects adds more destructors that should be called at
+unload or exit time while the application is already in the middle of
+processing those destructors in reverse order from when they're added. As a
+result, these newly added destructors are not called at unload time when the
+C++ library has been loaded dynamically via dlopen() and subsequently
+unloaded with dlclose().
+
+III. Impact
+
+The destructors that are not called at unload time are later attempted to be
+called when the program exits, which may result in a crash as the library's
+code has already been unmapped from the program's address space.
+
+IV. Workaround
+
+No workaround is available. C++ libraries that do not create more objects in
+destructors are not affected.
+
+V. Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date and restart any affected
+services, or reboot the system.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
+utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-25:09/libc.patch
+# fetch https://security.FreeBSD.org/patches/EN-25:09/libc.patch.asc
+# gpg --verify libc.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart all daemons that use the library, or reboot the system.
+
+VI. Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/14/ c43ae65b4b89 stable/14-n271080
+releng/14.2/ 89a2823e17e5 releng/14.2-n269525
+stable/13/ 04f7496f89e2 stable/13-n259249
+releng/13.5/ f936833911d7 releng/13.5-n259167
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=285870>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-25:09.libc.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmhlfSIACgkQbljekB8A
+Gu8InA/6A0/ctlk0xDhDe7kMcu3NzV8lFmBz2d1577WU8E+A8F9KAEEGEHS1wPeK
+qZL4YtcVQ4hGDKot5yg9Cvdmvqsvuv0sP7RmG2xyQKnx6THHezlzxXcKC+UYRgtg
+9mDWB8/1zC/L8XYcBdJtog0HZnRRjQ8fVVJKVySItCz9rGCmc0XKX1PhKqR4ZQDL
+ErfrUlymDCB8CW0NCeRUO5sPniT+dCf8Bv/OJdB3NFvuVYA6XqIlo397dDPGkltV
+K4bDEbjuRi4ELuTlybEtzMDWrDb+YOAuFF8cWCzyJpkRiSZQAarIwBhxoqVdw6+p
+9JN6i2p5RIis1DNCXomyip8JrgH8iDzUbGgehwEjhMbDi4YY6FK9ZQ5nTve5X/oX
+o4q+oMIoCItAl4x1GqUNlZ/TP6Zk1fk9pObNb9IuM9W9kQJIWI/DQ3XMlYN57cTC
+oS47PlJR+h09N6jA0Zfmek7ciFLGmhRpdc1MVfgTHNkT532HLpzHztckECWD0l7C
+ni92CH7JW2rBI0AKDYGEA/s9fhhlkdyrQjASdSJwDFfpVQyuUWLja7NaFAmtPCEF
+PjY+ZQsAQlZiusvHXDGNxlUE27LxFR44AdR4UhVGvkPfbjuQNPuxV+vsxZa743zt
+GsVUwI4FmwaUf1IygAd9akFikRcS0s57wOHqcWh/B+iv/OW+MA4=
+=VsbO
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-EN-25:10.zfs.asc b/website/static/security/advisories/FreeBSD-EN-25:10.zfs.asc
new file mode 100644
index 0000000000..61bd74761c
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-25:10.zfs.asc
@@ -0,0 +1,145 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-25:10.zfs Errata Notice
+ The FreeBSD Project
+
+Topic: Corruption in ZFS replication streams from encrypted datasets
+
+Category: contrib
+Module: zfs
+Announced: 2025-07-02
+Credits: Klara, Inc.
+Affects: All supported versions of FreeBSD.
+Corrected: 2025-06-21 22:05:40 UTC (stable/14, 14.3-STABLE)
+ 2025-07-02 18:27:44 UTC (releng/14.3, 14.3-RELEASE-p1)
+ 2025-07-02 18:28:09 UTC (releng/14.2, 14.2-RELEASE-p4)
+ 2025-06-27 20:07:48 UTC (stable/13, 13.5-STABLE)
+ 2025-07-02 18:28:29 UTC (releng/13.5, 13.5-RELEASE-p2)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+ZFS is an advanced and scalable file system originally developed by Sun
+Microsystems for its Solaris operating system. ZFS was integrated as part of
+the FreeBSD starting with FreeBSD 7.0, and it has since become a prominent
+and preferred choice for storage management.
+
+II. Problem Description
+
+ZFS has built-in replication and backup functionality, which serializes a
+filesystem for transport to another system, known as "ZFS send". ZFS send
+also supports incremental updates between a pair of snapshots. When sending
+an encrypted dataset, the dataset can either be left encrypted for
+transit/receipt (raw mode), or decrypted. During a decrypting (normal) send,
+a bug in the code caused some metadata (key mappings) in the snapshots to be
+decrypted in memory, but not properly released. As a result, the key mappings
+used for decryption were not freed from the in-memory table.
+
+III. Impact
+
+The leaked mappings can cause two problems. The first is that they can result
+in spurious checksum errors when they are incorrectly used to access data
+later. In the second case, in order to export a pool, ZFS requires that all
+the mappings be freed. These leaked mappings were never cleaned up, resulting
+in any attempt to export the pool causing the command to hang.
+
+IV. Workaround
+
+No workaround is available. Systems not using ZFS, or not using ZFS native
+encryption are unaffected.
+
+V. Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date. A reboot is required following the
+upgrade.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
+utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# reboot
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-25:10/zfs.patch
+# fetch https://security.FreeBSD.org/patches/EN-25:10/zfs.patch.asc
+# gpg --verify zfs.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/14/ 6abe6a8a0d54 stable/14-n271756
+releng/14.3/ cb24a62cd75b releng/14.3-n271433
+releng/14.2/ c5feebf38389 releng/14.2-n269526
+stable/13/ eae830109571 stable/13-n259318
+releng/13.5/ 4d9c4ecf6a48 releng/13.5-n259168
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://github.com/openzfs/zfs/pull/17340>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-25:10.zfs.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmhlfSMACgkQbljekB8A
+Gu8z2hAAzcl0BfP5P3suB3ywY8dbh8LZ/MbKrN+VOgdrP00plRFhVMpL8W+v7MjX
+t3fDU3wEg+1PNEJ3j20vTCH4qdwuRQiuWo/MRz/7/kF21PufMx34pLGQd7ghG6q/
+1PGqxgs4C4snSJsgixzgxyedTZsO5D4ZKL3o8s5DPfvHR7bnSI7MdHFg7DynvpU6
+pcYZ7bZL1WhzTG4lL32oDFZqmLGac5iwiJPekVzJwlkSmoYlc8ScMV43FpDdGCfD
+5jbalhD0T/r4+Uzc+dTPulHjR8Q4YQ5XTZJvo5am9JV4HoQztASDsGw2Av9SpMKz
+TAehn5A48J+E3hcKncKivoRlSAA3EF/LTfCH/9ZLLEaEl3qbmp/iSPwuC9KWH8u/
+4E44tlTWDXfnr1UTnqqYwrq+SoY/UDQ0DWOXPEanS2BTSxzu3I/MI9OWzR0eZaow
+KDw7P4NFTnGLZ1ZWeGj2vrqrDDjb5SHqj8y0T1oyCqASph/t5e5AAsRzNp2Zr+YL
+nKAJAr5TEFIpYEjAsTj8WY+fu+KUOgh4sQpXe9xrD++aIRR64VbIJE6XSNo1TOtu
+TzXS7ysRZmZygoJOqCldsti7jUdlX5Pn31x4IRCaJAcQzfngZYyIQDLwkxg4b6LQ
+VLgtP7hmulByj7XBkCpekGb6kYoudIDqPP+vR+LSWgbzEyZ1LIo=
+=rdcw
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-EN-25:11.ena.asc b/website/static/security/advisories/FreeBSD-EN-25:11.ena.asc
new file mode 100644
index 0000000000..5ff789182e
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-25:11.ena.asc
@@ -0,0 +1,155 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-25:11.ena Errata Notice
+ The FreeBSD Project
+
+Topic: ena resets and kernel panic on Nitro v4 or newer instances
+
+Category: core
+Module: ena
+Announced: 2025-07-02
+Credits: Arthur Kiyanovski
+Affects: FreeBSD 13.5 and FreeBSD 14.2
+Corrected: 2025-05-01 17:56:11 UTC (stable/14, 14.3-STABLE)
+ 2025-07-02 18:28:12 UTC (releng/14.2, 14.2-RELEASE-p4)
+ 2025-05-01 18:15:18 UTC (stable/13, 13.5-STABLE)
+ 2025-07-02 18:28:31 UTC (releng/13.5, 13.5-RELEASE-p2)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+The ena(4) driver is used to access the Elastic Network Adapter network
+interface on recent Amazon Elastic Compute Cloud (EC2) instances. It is
+designed to make full use of the EC2 cloud architecture for optimal network
+performance.
+
+ENA Express is a feature that allows increased bandwidth and reduced latency
+in the AWS cloud. For optimal performance of the ENA Express feature, it is
+necessary to reduce LLQ width to 128.
+
+AWS instances that use Nitro card v4 or newer have a maximum tx burst size
+when sending tx packets. The driver is responsible to adhere to this maximum
+burst size by sending a doorbell to the device with no more than this burst
+size packets. If the burst size is exceeded a device reset happens.
+
+Since driver 2.8.0 it is possible to change the width of the tx queue LLQ
+(Low Latency Queues) entries. There are 2 possible widths: 128 and 256 bytes.
+The default is 256, however in some cases, i.e. when using the ENA Express
+feature, it is recommended to use a width of 128.
+
+II. Problem Description
+
+When running on instances that have a max tx burst size and the ENA device
+supports 256-byte wide LLQ entries, if 128-byte wide entries are selected,
+either by setting hw.ena.force_large_llq_header = 0 via sysctl or by turning
+on ENA Express for the interface, the ena(4) driver does not initialize a
+stack variable which is later used to setup the maximum tx burst size.
+
+III. Impact
+
+Due to the uninitialized stack variable, the ena(4) driver will exceed the
+maximum tx burst size, leading to device resets, making the device unusable.
+
+Additionally, the calculation of the tx burst size includes division by the
+uninitialized stack variable. If the stack variable is 0, this will cause
+division by 0 in the kernel, leading to a kernel panic.
+
+IV. Workaround
+
+It is possible to force the LLQ width to 256 by setting
+hw.ena.force_large_llq_header=1 via sysctl, however this causes peformance
+degredation when using the ENA Express feature.
+
+V. Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date and reboot.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
+utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for erratum update"
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-25:11/ena.patch
+# fetch https://security.FreeBSD.org/patches/EN-25:11/ena.patch.asc
+# gpg --verify ena.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/14/ 3f4a674a8ee4 stable/14-n271320
+releng/14.2/ ca1f7650a80d releng/14.2-n269528
+stable/13/ 162b5bbb4048 stable/13-n259268
+releng/13.5/ 575644144d5c releng/13.5-n259170
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ena-express.html>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-25:11.ena.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=nJXg
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-SA-25:06.xz.asc b/website/static/security/advisories/FreeBSD-SA-25:06.xz.asc
new file mode 100644
index 0000000000..d7a8a32d1d
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-25:06.xz.asc
@@ -0,0 +1,136 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-25:06.xz Security Advisory
+ The FreeBSD Project
+
+Topic: Use-after-free in multi-threaded xz decoder
+
+Category: contrib
+Module: xz
+Announced: 2025-07-02
+Affects: FreeBSD 13.5 and FreeBSD 14.2
+Corrected: 2025-05-07 21:26:00 UTC (stable/14, 14.2-STABLE)
+ 2025-07-02 18:28:13 UTC (releng/14.2, 14.2-RELEASE-p4)
+ 2025-05-07 21:25:59 UTC (stable/13, 13.4-STABLE)
+ 2025-07-02 18:28:32 UTC (releng/13.5, 13.5-RELEASE-p2)
+CVE Name: CVE-2025-31115
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+XZ Utils is a set of free software command-line lossless data compressors,
+including the programs lzma and xz.
+
+II. Problem Description
+
+A worker thread could free its input buffer after decoding, while the
+main thread might still be writing to it. This leads to an use-after-free
+condition on heap memory.
+
+III. Impact
+
+An attacker may use specifically crafted .xz file to cause multi-threaded
+xz decoder to crash, or potentially run arbitrary code under the credential
+the decoder was executed.
+
+IV. Workaround
+
+No workaround is available, but systems where xz decoding was not used in
+multi-threaded mode are not affected.
+
+V. Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+Unless the decoder is running as a daemon, no reboot is required.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
+utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-25:06/xz.patch
+# fetch https://security.FreeBSD.org/patches/SA-25:06/xz.patch.asc
+# gpg --verify xz.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart all daemons that use the liblzma library, or reboot the system.
+
+VI. Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/14/ 5cf27a49a2de stable/14-n271423
+releng/14.2/ 49b07b94662b releng/14.2-n269529
+stable/13/ 346bb5d3fe19 stable/13-n259281
+releng/13.5/ 95e9c54b3961 releng/13.5-n259171
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-31115>
+
+<URL:https://tukaani.org/xz/threaded-decoder-early-free.html>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-25:06.xz.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=TZId
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/EN-25:09/libc.patch b/website/static/security/patches/EN-25:09/libc.patch
new file mode 100644
index 0000000000..2a5687affd
--- /dev/null
+++ b/website/static/security/patches/EN-25:09/libc.patch
@@ -0,0 +1,93 @@
+--- lib/libc/stdlib/atexit.c.orig
++++ lib/libc/stdlib/atexit.c
+@@ -38,6 +38,7 @@
+ #include "namespace.h"
+ #include <errno.h>
+ #include <link.h>
++#include <stdbool.h>
+ #include <stddef.h>
+ #include <stdlib.h>
+ #include <unistd.h>
+@@ -59,6 +60,8 @@
+ #define ATEXIT_FN_CXA 2
+
+ static pthread_mutex_t atexit_mutex = PTHREAD_MUTEX_INITIALIZER;
++static void *current_finalize_dso = NULL;
++static bool call_finalize_again = false;
+
+ #define _MUTEX_LOCK(x) if (__isthreaded) _pthread_mutex_lock(x)
+ #define _MUTEX_UNLOCK(x) if (__isthreaded) _pthread_mutex_unlock(x)
+@@ -118,6 +121,9 @@
+ __atexit = p;
+ }
+ p->fns[p->ind++] = *fptr;
++ if (current_finalize_dso != NULL &&
++ current_finalize_dso == fptr->fn_dso)
++ call_finalize_again = true;
+ _MUTEX_UNLOCK(&atexit_mutex);
+ return 0;
+ }
+@@ -211,33 +217,38 @@
+ }
+
+ _MUTEX_LOCK(&atexit_mutex);
+- for (p = __atexit; p; p = p->next) {
+- for (n = p->ind; --n >= 0;) {
+- if (p->fns[n].fn_type == ATEXIT_FN_EMPTY)
+- continue; /* already been called */
+- fn = p->fns[n];
+- if (dso != NULL && dso != fn.fn_dso) {
+- /* wrong DSO ? */
+- if (!has_phdr || global_exit ||
+- !__elf_phdr_match_addr(&phdr_info,
+- fn.fn_ptr.cxa_func))
+- continue;
++ current_finalize_dso = dso;
++ do {
++ call_finalize_again = false;
++ for (p = __atexit; p; p = p->next) {
++ for (n = p->ind; --n >= 0;) {
++ if (p->fns[n].fn_type == ATEXIT_FN_EMPTY)
++ continue; /* already been called */
++ fn = p->fns[n];
++ if (dso != NULL && dso != fn.fn_dso) {
++ /* wrong DSO ? */
++ if (!has_phdr || global_exit ||
++ !__elf_phdr_match_addr(&phdr_info,
++ fn.fn_ptr.cxa_func))
++ continue;
++ }
++ /*
++ Mark entry to indicate that this particular
++ handler has already been called.
++ */
++ p->fns[n].fn_type = ATEXIT_FN_EMPTY;
++ _MUTEX_UNLOCK(&atexit_mutex);
++
++ /* Call the function of correct type. */
++ if (fn.fn_type == ATEXIT_FN_CXA)
++ fn.fn_ptr.cxa_func(fn.fn_arg);
++ else if (fn.fn_type == ATEXIT_FN_STD)
++ fn.fn_ptr.std_func();
++ _MUTEX_LOCK(&atexit_mutex);
+ }
+- /*
+- Mark entry to indicate that this particular handler
+- has already been called.
+- */
+- p->fns[n].fn_type = ATEXIT_FN_EMPTY;
+- _MUTEX_UNLOCK(&atexit_mutex);
+-
+- /* Call the function of correct type. */
+- if (fn.fn_type == ATEXIT_FN_CXA)
+- fn.fn_ptr.cxa_func(fn.fn_arg);
+- else if (fn.fn_type == ATEXIT_FN_STD)
+- fn.fn_ptr.std_func();
+- _MUTEX_LOCK(&atexit_mutex);
+ }
+- }
++ } while (call_finalize_again);
++ current_finalize_dso = NULL;
+ _MUTEX_UNLOCK(&atexit_mutex);
+ if (dso == NULL)
+ _MUTEX_DESTROY(&atexit_mutex);
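Review bot: `current_finalize_dso` and `call_finalize_again` are single file-scope slots, yet the loop drops `atexit_mutex` around every handler call, so a second finalization pass that begins while a handler is running would reset `call_finalize_again` to false, overwrite `current_finalize_dso`, and then store NULL on its way out. From that point the outer pass no longer recognises registrations for its own DSO, the rescan is skipped, and the stale-handler-at-exit crash described in the notice can come back. Saving both values on entry and restoring them on exit (`void *prev_dso = current_finalize_dso;` … `current_finalize_dso = prev_dso;`, and likewise for the flag) would cover the nested case. Whether nested or concurrent passes actually occur depends on callers not shown here; the signatures of both the finalizer and the registration function are outside the visible context.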
diff --git a/website/static/security/patches/EN-25:09/libc.patch.asc b/website/static/security/patches/EN-25:09/libc.patch.asc
new file mode 100644
index 0000000000..e4ccc67b7f
--- /dev/null
+++ b/website/static/security/patches/EN-25:09/libc.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+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+=ktxu
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/EN-25:10/zfs.patch b/website/static/security/patches/EN-25:10/zfs.patch
new file mode 100644
index 0000000000..1125c937b9
--- /dev/null
+++ b/website/static/security/patches/EN-25:10/zfs.patch
@@ -0,0 +1,22 @@
+--- sys/contrib/openzfs/module/zfs/dmu_send.c.orig
++++ sys/contrib/openzfs/module/zfs/dmu_send.c
+@@ -2676,8 +2676,8 @@
+ }
+
+ if (fromsnap != 0) {
+- err = dsl_dataset_hold_obj_flags(dspp.dp, fromsnap, dsflags,
+- FTAG, &fromds);
++ err = dsl_dataset_hold_obj(dspp.dp, fromsnap, FTAG, &fromds);
++
+ if (err != 0) {
+ dsl_dataset_rele_flags(dspp.to_ds, dsflags, FTAG);
+ dsl_pool_rele(dspp.dp, FTAG);
+@@ -2729,7 +2729,7 @@
+ kmem_free(dspp.fromredactsnaps,
+ dspp.numfromredactsnaps * sizeof (uint64_t));
+
+- dsl_dataset_rele(dspp.to_ds, FTAG);
++ dsl_dataset_rele_flags(dspp.to_ds, dsflags, FTAG);
+ return (err);
+ }
+
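Review bot: The hold and release calls are now deliberately asymmetric, with `dspp.to_ds` released through `dsl_dataset_rele_flags(..., dsflags, FTAG)` while `fromds` is taken with the plain `dsl_dataset_hold_obj()`, and neither site says why. Going by the errata notice, the leaked key mappings apparently came from a flagged hold that was not paired with the matching release, so a later edit that makes the two sides "consistent" would reintroduce the leak. I would add a comment above the `fromds` hold such as `/* fromds is held without dsflags; release it with dsl_dataset_rele(), never dsl_dataset_rele_flags(). */`. Every `fromds` release in this function lies outside the visible context and should be checked to be the plain variant. The blank line added between the call and `if (err != 0)` can be dropped.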
diff --git a/website/static/security/patches/EN-25:10/zfs.patch.asc b/website/static/security/patches/EN-25:10/zfs.patch.asc
new file mode 100644
index 0000000000..76df7de385
--- /dev/null
+++ b/website/static/security/patches/EN-25:10/zfs.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+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+=xDJw
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/EN-25:11/ena.patch b/website/static/security/patches/EN-25:11/ena.patch
new file mode 100644
index 0000000000..818b244777
--- /dev/null
+++ b/website/static/security/patches/EN-25:11/ena.patch
@@ -0,0 +1,66 @@
+--- sys/dev/ena/ena.c.orig
++++ sys/dev/ena/ena.c
+@@ -2759,22 +2759,41 @@
+ ena_set_llq_configurations(struct ena_llq_configurations *llq_config,
+ struct ena_admin_feature_llq_desc *llq, struct ena_adapter *adapter)
+ {
++ bool use_large_llq;
++
+ llq_config->llq_header_location = ENA_ADMIN_INLINE_HEADER;
+ llq_config->llq_stride_ctrl = ENA_ADMIN_MULTIPLE_DESCS_PER_ENTRY;
+ llq_config->llq_num_decs_before_header =
+ ENA_ADMIN_LLQ_NUM_DESCS_BEFORE_HEADER_2;
+- if ((llq->entry_size_ctrl_supported & ENA_ADMIN_LIST_ENTRY_SIZE_256B) != 0) {
+- if ((ena_force_large_llq_header == ENA_LLQ_HEADER_SIZE_POLICY_LARGE) ||
+- (ena_force_large_llq_header == ENA_LLQ_HEADER_SIZE_POLICY_DEFAULT &&
+- llq->entry_size_recommended == ENA_ADMIN_LIST_ENTRY_SIZE_256B)) {
+- llq_config->llq_ring_entry_size =
+- ENA_ADMIN_LIST_ENTRY_SIZE_256B;
+- llq_config->llq_ring_entry_size_value = 256;
+- adapter->llq_policy = ENA_ADMIN_LIST_ENTRY_SIZE_256B;
+- }
++
++ switch (ena_force_large_llq_header)
++ {
++ case ENA_LLQ_HEADER_SIZE_POLICY_REGULAR:
++ use_large_llq = false;
++ break;
++ case ENA_LLQ_HEADER_SIZE_POLICY_LARGE:
++ use_large_llq = true;
++ break;
++ case ENA_LLQ_HEADER_SIZE_POLICY_DEFAULT:
++ use_large_llq =
++ (llq->entry_size_recommended == ENA_ADMIN_LIST_ENTRY_SIZE_256B);
++ break;
++ default:
++ use_large_llq = false;
++ ena_log(adapter->pdev, WARN,
++ "force_large_llq_header should have values [0-2]\n");
++ break;
++ }
++
++ if (!(llq->entry_size_ctrl_supported & ENA_ADMIN_LIST_ENTRY_SIZE_256B))
++ use_large_llq = false;
++
++ if (use_large_llq) {
++ llq_config->llq_ring_entry_size = ENA_ADMIN_LIST_ENTRY_SIZE_256B;
++ llq_config->llq_ring_entry_size_value = 256;
++ adapter->llq_policy = ENA_ADMIN_LIST_ENTRY_SIZE_256B;
+ } else {
+- llq_config->llq_ring_entry_size =
+- ENA_ADMIN_LIST_ENTRY_SIZE_128B;
++ llq_config->llq_ring_entry_size = ENA_ADMIN_LIST_ENTRY_SIZE_128B;
+ llq_config->llq_ring_entry_size_value = 128;
+ adapter->llq_policy = ENA_ADMIN_LIST_ENTRY_SIZE_128B;
+ }
+--- sys/dev/ena/ena.h.orig
++++ sys/dev/ena/ena.h
+@@ -39,7 +39,7 @@
+
+ #define ENA_DRV_MODULE_VER_MAJOR 2
+ #define ENA_DRV_MODULE_VER_MINOR 8
+-#define ENA_DRV_MODULE_VER_SUBMINOR 0
++#define ENA_DRV_MODULE_VER_SUBMINOR 1
+
+ #define ENA_DRV_MODULE_NAME "ena"
+
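Review bot: When the policy selects the large entry size but the device does not advertise `ENA_ADMIN_LIST_ENTRY_SIZE_256B`, the `if (!(llq->entry_size_ctrl_supported & ...)) use_large_llq = false;` override silently falls back to 128 bytes, whereas an out-of-range tunable value does get a WARN. An administrator who forces large entries through `hw.ena.force_large_llq_header` would have no indication that the setting did not take effect. Logging inside that branch before clearing the flag, e.g. `if (use_large_llq) ena_log(adapter->pdev, WARN, "256B LLQ entries not supported, using 128B\n");`, would make the downgrade visible. As a style point, `switch (ena_force_large_llq_header)` places its opening brace on a separate line, unlike the `if (use_large_llq) {` a few lines below.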
diff --git a/website/static/security/patches/EN-25:11/ena.patch.asc b/website/static/security/patches/EN-25:11/ena.patch.asc
new file mode 100644
index 0000000000..765b9038aa
--- /dev/null
+++ b/website/static/security/patches/EN-25:11/ena.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+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+=MVMj
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/SA-25:06/xz.patch b/website/static/security/patches/SA-25:06/xz.patch
new file mode 100644
index 0000000000..9cad7b0f76
--- /dev/null
+++ b/website/static/security/patches/SA-25:06/xz.patch
@@ -0,0 +1,182 @@
+--- contrib/xz/src/liblzma/common/stream_decoder_mt.c.orig
++++ contrib/xz/src/liblzma/common/stream_decoder_mt.c
+@@ -23,15 +23,10 @@
+ THR_IDLE,
+
+ /// Decoding is in progress.
+- /// Main thread may change this to THR_STOP or THR_EXIT.
++ /// Main thread may change this to THR_IDLE or THR_EXIT.
+ /// The worker thread may change this to THR_IDLE.
+ THR_RUN,
+
+- /// The main thread wants the thread to stop whatever it was doing
+- /// but not exit. Main thread may change this to THR_EXIT.
+- /// The worker thread may change this to THR_IDLE.
+- THR_STOP,
+-
+ /// The main thread wants the thread to exit.
+ THR_EXIT,
+
+@@ -346,27 +341,6 @@
+ }
+
+
+-/// Things do to at THR_STOP or when finishing a Block.
+-/// This is called with thr->mutex locked.
+-static void
+-worker_stop(struct worker_thread *thr)
+-{
+- // Update memory usage counters.
+- thr->coder->mem_in_use -= thr->in_size;
+- thr->in_size = 0; // thr->in was freed above.
+-
+- thr->coder->mem_in_use -= thr->mem_filters;
+- thr->coder->mem_cached += thr->mem_filters;
+-
+- // Put this thread to the stack of free threads.
+- thr->next = thr->coder->threads_free;
+- thr->coder->threads_free = thr;
+-
+- mythread_cond_signal(&thr->coder->cond);
+- return;
+-}
+-
+-
+ static MYTHREAD_RET_TYPE
+ worker_decoder(void *thr_ptr)
+ {
+@@ -397,17 +371,6 @@
+ return MYTHREAD_RET_VALUE;
+ }
+
+- if (thr->state == THR_STOP) {
+- thr->state = THR_IDLE;
+- mythread_mutex_unlock(&thr->mutex);
+-
+- mythread_sync(thr->coder->mutex) {
+- worker_stop(thr);
+- }
+-
+- goto next_loop_lock;
+- }
+-
+ assert(thr->state == THR_RUN);
+
+ // Update progress info for get_progress().
+@@ -472,8 +435,7 @@
+ }
+
+ // Either we finished successfully (LZMA_STREAM_END) or an error
+- // occurred. Both cases are handled almost identically. The error
+- // case requires updating thr->coder->thread_error.
++ // occurred.
+ //
+ // The sizes are in the Block Header and the Block decoder
+ // checks that they match, thus we know these:
+@@ -481,16 +443,30 @@
+ assert(ret != LZMA_STREAM_END
+ || thr->out_pos == thr->block_options.uncompressed_size);
+
+- // Free the input buffer. Don't update in_size as we need
+- // it later to update thr->coder->mem_in_use.
+- lzma_free(thr->in, thr->allocator);
+- thr->in = NULL;
+-
+ mythread_sync(thr->mutex) {
++ // Block decoder ensures this, but do a sanity check anyway
++ // because thr->in_filled < thr->in_size means that the main
++ // thread is still writing to thr->in.
++ if (ret == LZMA_STREAM_END && thr->in_filled != thr->in_size) {
++ assert(0);
++ ret = LZMA_PROG_ERROR;
++ }
++
+ if (thr->state != THR_EXIT)
+ thr->state = THR_IDLE;
+ }
+
++ // Free the input buffer. Don't update in_size as we need
++ // it later to update thr->coder->mem_in_use.
++ //
++ // This step is skipped if an error occurred because the main thread
++ // might still be writing to thr->in. The memory will be freed after
++ // threads_end() sets thr->state = THR_EXIT.
++ if (ret == LZMA_STREAM_END) {
++ lzma_free(thr->in, thr->allocator);
++ thr->in = NULL;
++ }
++
+ mythread_sync(thr->coder->mutex) {
+ // Move our progress info to the main thread.
+ thr->coder->progress_in += thr->in_pos;
+@@ -510,7 +486,20 @@
+ && thr->coder->thread_error == LZMA_OK)
+ thr->coder->thread_error = ret;
+
+- worker_stop(thr);
++ // Return the worker thread to the stack of available
++ // threads only if no errors occurred.
++ if (ret == LZMA_STREAM_END) {
++ // Update memory usage counters.
++ thr->coder->mem_in_use -= thr->in_size;
++ thr->coder->mem_in_use -= thr->mem_filters;
++ thr->coder->mem_cached += thr->mem_filters;
++
++ // Put this thread to the stack of free threads.
++ thr->next = thr->coder->threads_free;
++ thr->coder->threads_free = thr;
++ }
++
++ mythread_cond_signal(&thr->coder->cond);
+ }
+
+ goto next_loop_lock;
+@@ -544,17 +533,22 @@
+ }
+
+
++/// Tell worker threads to stop without doing any cleaning up.
++/// The clean up will be done when threads_exit() is called;
++/// it's not possible to reuse the threads after threads_stop().
++///
++/// This is called before returning an unrecoverable error code
++/// to the application. It would be waste of processor time
++/// to keep the threads running in such a situation.
+ static void
+ threads_stop(struct lzma_stream_coder *coder)
+ {
+ for (uint32_t i = 0; i < coder->threads_initialized; ++i) {
++ // The threads that are in the THR_RUN state will stop
++ // when they check the state the next time. There's no
++ // need to signal coder->threads[i].cond.
+ mythread_sync(coder->threads[i].mutex) {
+- // The state must be changed conditionally because
+- // THR_IDLE -> THR_STOP is not a valid state change.
+- if (coder->threads[i].state != THR_IDLE) {
+- coder->threads[i].state = THR_STOP;
+- mythread_cond_signal(&coder->threads[i].cond);
+- }
++ coder->threads[i].state = THR_IDLE;
+ }
+ }
+
+@@ -1561,6 +1555,10 @@
+ }
+
+ // Return if the input didn't contain the whole Block.
++ //
++ // NOTE: When we updated coder->thr->in_filled a few lines
++ // above, the worker thread might by now have finished its
++ // work and returned itself back to the stack of free threads.
+ if (coder->thr->in_filled < coder->thr->in_size) {
+ assert(*in_pos == in_size);
+ return LZMA_OK;
+@@ -1948,7 +1946,7 @@
+ // accounting from scratch, too. Changes in filter and block sizes may
+ // affect number of threads.
+ //
+- // FIXME? Reusing should be easy but unlike the single-threaded
++ // Reusing threads doesn't seem worth it. Unlike the single-threaded
+ // decoder, with some types of input file combinations reusing
+ // could leave quite a lot of memory allocated but unused (first
+ // file could allocate a lot, the next files could use fewer
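Review bot: The two new comments that say who frees `thr->in` after an error name different functions. The comment above the now-conditional `lzma_free()` in `worker_decoder()` says the memory is freed after `threads_end()` sets `THR_EXIT`, while the new doc comment on `threads_stop()` says the clean-up is done in `threads_exit()`. Neither definition is visible in this patch, so presumably only one name is real. The fix relies on the input buffer outliving a worker that stopped on error, so both comments should point at the same function, e.g. `/// The clean up will be done when threads_end() is called;` if that is the actual name. The NOTE added before `if (coder->thr->in_filled < coder->thr->in_size)` could also say in one sentence why reading those fields is still safe once the worker may have returned itself to the free stack. The functions touched here all begin and end outside the embedded patch's hunks.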
diff --git a/website/static/security/patches/SA-25:06/xz.patch.asc b/website/static/security/patches/SA-25:06/xz.patch.asc
new file mode 100644
index 0000000000..effe893efb
--- /dev/null
+++ b/website/static/security/patches/SA-25:06/xz.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+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+=5HgZ
+-----END PGP SIGNATURE-----