From 849c3ecca0621139ff6494ab61adb46889b6e570 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Tue, 12 Dec 2023 13:55:55 +0100
Subject: [PATCH] fix links (and code responsible for generating)

---
 collect_changelogs.py        |  5 ++---
 source/releases/BE_20.1.rst  | 10 ++++-----
 source/releases/BE_20.7.rst  | 36 ++++++++++++++++----------------
 source/releases/BE_21.10.rst | 16 +++++++--------
 source/releases/BE_21.4.rst  | 36 ++++++++++++++++----------------
 source/releases/BE_22.10.rst | 40 ++++++++++++++++++------------------
 source/releases/BE_22.4.rst  | 16 +++++++--------
 source/releases/BE_23.10.rst |  8 ++++----
 source/releases/BE_23.4.rst  |  8 ++++----
 source/releases/CE_20.1.rst  | 10 ++++-----
 source/releases/CE_20.7.rst  | 36 ++++++++++++++++----------------
 source/releases/CE_21.1.rst  | 38 +++++++++++++++++-----------------
 source/releases/CE_21.7.rst  | 26 +++++++++++------------
 source/releases/CE_22.1.rst  | 16 +++++++--------
 source/releases/CE_22.7.rst  | 30 +++++++++++++--------------
 source/releases/CE_23.1.rst  | 18 ++++++++--------
 source/releases/CE_23.7.rst  | 24 +++++++++++-----------
 17 files changed, 186 insertions(+), 187 deletions(-)

diff --git a/collect_changelogs.py b/collect_changelogs.py
index 09731c1b..acdaf39a 100755
--- a/collect_changelogs.py
+++ b/collect_changelogs.py
@@ -57,7 +57,6 @@ def parse_change_log(payload, this_version, links):
     all_token_links = dict()
     first_line = False
     prelude_line = this_version.count(".") == 1
-    rst_content = list()
     lines = payload.split("\n")
     for idx, line in enumerate(lines):
         content_line = None
@@ -109,7 +108,7 @@ def parse_change_log(payload, this_version, links):
     for section in ['content', 'prelude']:
         for token in all_token_links:
             target_uri = all_token_links[token]
-            tmp = all_token_links[token].split(':')
+            tmp = all_token_links[token].split(':', 1)
             if tmp[0] in links and len(tmp) == 2:
                 target_uri = links[tmp[0]]['url']
                 version = tmp[1]
@@ -120,8 +119,8 @@ def parse_change_log(payload, this_version, links):
                         version = re.sub(match.group(1), match.group(2), tmp[1], count=count)
                 if target_uri.find('%s') > -1:
                     target_uri = target_uri % version
-
             result[section] = result[section].replace(token, " `%s <%s>`__ " % (token, target_uri))
+
     return result
 
 
diff --git a/source/releases/BE_20.1.rst b/source/releases/BE_20.1.rst
index f3f660ce..9b3ad262 100644
--- a/source/releases/BE_20.1.rst
+++ b/source/releases/BE_20.1.rst
@@ -153,11 +153,11 @@ Here are the full patch notes:
 * src: added Novatel Wireless MiFi 8800/8000 support (contributed by rootless4real)
 * src: fix pf shared forwarding on non-existing interfaces
 * src: patch in tty 3wire autologin support
-* src: fix insufficient packet length validation in libalias `[1] <FREEBSD:FreeBSD-SA-20:12.libalias>`__ 
-* src: fix memory disclosure vulnerability in libalias `[2] <FREEBSD:FreeBSD-SA-20:13.libalias>`__ 
-* src: fix improper checking in SCTP-AUTH shared key update `[3] <FREEBSD:FreeBSD-SA-20:14.sctp>`__ 
-* src: fix use after free in cryptodev module `[4] <FREEBSD:FreeBSD-SA-20:15.cryptodev>`__ 
-* src: update to tzdata 2020a `[5] <FREEBSD:FreeBSD-EN-20:08.tzdata>`__ 
+* src: fix insufficient packet length validation in libalias `[1] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:12.libalias.asc>`__ 
+* src: fix memory disclosure vulnerability in libalias `[2] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:13.libalias.asc>`__ 
+* src: fix improper checking in SCTP-AUTH shared key update `[3] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:14.sctp.asc>`__ 
+* src: fix use after free in cryptodev module `[4] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:15.cryptodev.asc>`__ 
+* src: update to tzdata 2020a `[5] <https://www.freebsd.org/security/advisories/FreeBSD-EN-20:08.tzdata.asc>`__ 
 * ports: ca_root_nss 3.52
 * ports: curl 7.70.0 `[6] <https://curl.se/changes.html#7_70_0>`__ 
 * ports: dhcp6c v20200512
diff --git a/source/releases/BE_20.7.rst b/source/releases/BE_20.7.rst
index 68fe678f..f388d158 100644
--- a/source/releases/BE_20.7.rst
+++ b/source/releases/BE_20.7.rst
@@ -81,7 +81,7 @@ Here are the full patch notes:
 * plugins: os-maltrail fixes sensor start without server (contributed by Julio Camargo)
 * plugins: os-nginx 1.20 `[2] <https://github.com/opnsense/plugins/blob/stable/20.7/www/nginx/pkg-descr>`__ 
 * plugins: os-tinc fixes for latest version (contributed by vnxme)
-* src: fix OpenSSL NULL pointer de-reference `[3] <FREEBSD:FreeBSD-SA-20:33.openssl>`__ 
+* src: fix OpenSSL NULL pointer de-reference `[3] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:33.openssl.asc>`__ 
 * src: fix partial scrub of multicast packages
 * src: free full mbuf chains in iflib when draining transmit queues
 * src: initialize oifp to avoid bogus results/panics in edge cases
@@ -173,12 +173,12 @@ Here are the full patch notes:
 * src: improve netmap(4) and vale(4) man pages
 * src: IPV6_PKTINFO support for v4-mapped IPv6 sockets
 * src: zero-initialize variables in HBSD PaX SEGVGUARD
-* src: fix execve/fexecve system call auditing `[3] <FREEBSD:FreeBSD-EN-20:19.audit>`__ 
-* src: fix uninitialized variable in ipfw `[4] <FREEBSD:FreeBSD-EN-20:21.ipfw>`__ 
-* src: fix race condition in callout CPU migration `[5] <FREEBSD:FreeBSD-EN-20:22.callout>`__ 
-* src: fix ICMPv6 use-after-free in error message handling `[6] <FREEBSD:FreeBSD-SA-20:31.icmp6>`__ 
-* src: fix multiple vulnerabilities in rtsold `[7] <FREEBSD:FreeBSD-SA-20:32.rtsold>`__ 
-* src: update timezone database information `[8] <FREEBSD:FreeBSD-EN-20:20.tzdata>`__ 
+* src: fix execve/fexecve system call auditing `[3] <https://www.freebsd.org/security/advisories/FreeBSD-EN-20:19.audit.asc>`__ 
+* src: fix uninitialized variable in ipfw `[4] <https://www.freebsd.org/security/advisories/FreeBSD-EN-20:21.ipfw.asc>`__ 
+* src: fix race condition in callout CPU migration `[5] <https://www.freebsd.org/security/advisories/FreeBSD-EN-20:22.callout.asc>`__ 
+* src: fix ICMPv6 use-after-free in error message handling `[6] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:31.icmp6.asc>`__ 
+* src: fix multiple vulnerabilities in rtsold `[7] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:32.rtsold.asc>`__ 
+* src: update timezone database information `[8] <https://www.freebsd.org/security/advisories/FreeBSD-EN-20:20.tzdata.asc>`__ 
 * ports: krb5 1.18.3 `[9] <https://web.mit.edu/kerberos/krb5-1.18/>`__ 
 * ports: nss 3.59 `[10] <https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_59.html>`__ 
 * ports: openldap 2.4.56 `[11] <https://www.openldap.org/software/release/changes.html>`__ 
@@ -321,13 +321,13 @@ Here are the full patch notes:
 * plugins: os-theme-vicuna 1.1 (contributed by Team Rebellion)
 * plugins: os-wireguard 1.3 `[4] <https://github.com/opnsense/plugins/blob/stable/20.7/net/wireguard/pkg-descr>`__ 
 * plugins: os-zabbix-agent 1.8 `[5] <https://github.com/opnsense/plugins/blob/stable/20.7/net-mgmt/zabbix-agent/pkg-descr>`__ 
-* src: fix FreeBSD Linux ABI kernel panic `[6] <FREEBSD:FreeBSD-EN-20:17.linuxthread>`__ 
-* src: fix SCTP socket use-after-free `[7] <FREEBSD:FreeBSD-SA-20:25.sctp>`__ 
-* src: fix dhclient heap overflow `[8] <FREEBSD:FreeBSD-SA-20:26.dhclient>`__ 
-* src: fix ure device driver susceptible to packet-in-packet attack `[9] <FREEBSD:FreeBSD-SA-20:27.ure>`__ 
-* src: fix bhyve privilege escalation via VMCS access `[10] <FREEBSD:FreeBSD-SA-20:28.bhyve_vmcs>`__ 
-* src: fix bhyve SVM guest escape `[11] <FREEBSD:FreeBSD-SA-20:29.bhyve_svm>`__ 
-* src: fix ftpd privilege escalation via ftpchroot `[12] <FREEBSD:FreeBSD-SA-20:30.ftpd>`__ 
+* src: fix FreeBSD Linux ABI kernel panic `[6] <https://www.freebsd.org/security/advisories/FreeBSD-EN-20:17.linuxthread.asc>`__ 
+* src: fix SCTP socket use-after-free `[7] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:25.sctp.asc>`__ 
+* src: fix dhclient heap overflow `[8] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:26.dhclient.asc>`__ 
+* src: fix ure device driver susceptible to packet-in-packet attack `[9] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:27.ure.asc>`__ 
+* src: fix bhyve privilege escalation via VMCS access `[10] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:28.bhyve_vmcs.asc>`__ 
+* src: fix bhyve SVM guest escape `[11] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:29.bhyve_svm.asc>`__ 
+* src: fix ftpd privilege escalation via ftpchroot `[12] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:30.ftpd.asc>`__ 
 * src: set PAX_HARDENING_NOSHLIBRANDOM in the RTLD by default
 * src: fix kernel panic while trying to read multicast stream
 * ports: mpd 5.9 `[13] <http://mpd.sourceforge.net/doc5/mpd4.html#4>`__ 
@@ -429,10 +429,10 @@ Here are the full patch notes:
 * plugins: os-udpbroadcastrelay 1.0 (contributed by Team Rebellion)
 * src: set the current VNET before calling netisr_dispatch() in ng_iface(4)
 * src: assorted multicast group join/leave corrections
-* src: fix vmx driver packet loss and degraded performance `[4] <FREEBSD:FreeBSD-EN-20:16.vmx>`__ 
-* src: fix memory corruption in USB network device driver `[5] <FREEBSD:FreeBSD-SA-20:21.usb_net>`__ 
-* src: fix multiple vulnerabilities in sqlite `[6] <FREEBSD:FreeBSD-SA-20:22.sqlite>`__ 
-* src: fix sendmsg(2) privilege escalation `[7] <FREEBSD:FreeBSD-SA-20:23.sendmsg>`__ 
+* src: fix vmx driver packet loss and degraded performance `[4] <https://www.freebsd.org/security/advisories/FreeBSD-EN-20:16.vmx.asc>`__ 
+* src: fix memory corruption in USB network device driver `[5] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:21.usb_net.asc>`__ 
+* src: fix multiple vulnerabilities in sqlite `[6] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:22.sqlite.asc>`__ 
+* src: fix sendmsg(2) privilege escalation `[7] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:23.sendmsg.asc>`__ 
 * ports: perl 5.32.0 `[8] <https://perldoc.perl.org/5.32.0/perldelta>`__ 
 * ports: squid 4.12 `[9] <http://www.squid-cache.org/Versions/v4/squid-4.12-RELEASENOTES.html>`__ 
 
diff --git a/source/releases/BE_21.10.rst b/source/releases/BE_21.10.rst
index 7307409e..28d4e04b 100644
--- a/source/releases/BE_21.10.rst
+++ b/source/releases/BE_21.10.rst
@@ -46,9 +46,9 @@ Here are the full patch notes:
 * plugins: os-telegraf 1.12.4 `[5] <https://github.com/opnsense/plugins/blob/stable/21.7/net-mgmt/telegraf/pkg-descr>`__ 
 * plugins: os-wireguard 1.10 `[6] <https://github.com/opnsense/plugins/blob/stable/21.7/net/wireguard/pkg-descr>`__ 
 * src: axgbe: validate contents of gpio expander
-* src: incorrect XSAVE state size `[7] <FREEBSD:FreeBSD-EN-22:02.xsave>`__ 
-* src: vPCI compatibility improvements with certain Hyper-V releases `[8] <FREEBSD:FreeBSD-EN-22:03.hyperv>`__ 
-* src: vt console buffer overflow `[9] <FREEBSD:FreeBSD-SA-22:01.vt>`__ 
+* src: incorrect XSAVE state size `[7] <https://www.freebsd.org/security/advisories/FreeBSD-EN-22:02.xsave.asc>`__ 
+* src: vPCI compatibility improvements with certain Hyper-V releases `[8] <https://www.freebsd.org/security/advisories/FreeBSD-EN-22:03.hyperv.asc>`__ 
+* src: vt console buffer overflow `[9] <https://www.freebsd.org/security/advisories/FreeBSD-SA-22:01.vt.asc>`__ 
 * ports: expat 2.4.2 `[10] <https://github.com/libexpat/libexpat/blob/R_2_4_2/expat/Changes>`__ 
 * ports: filterlog 0.6 `[11] <https://github.com/opnsense/ports/commit/2e27655d84>`__ 
 * ports: flock 2.37.2
@@ -233,8 +233,8 @@ Here are the full patch notes:
 * src: aesni: avoid a potential out-of-bounds load in aes_encrypt_icm()
 * src: axgbe: correctly enable RSS driver support by default
 * src: ixgbe: prevent subsequent I2C bus read timeouts
-* src: fix kernel panic in vmci driver initialization `[16] <FREEBSD:FreeBSD-EN-21:28.vmci>`__ 
-* src: timezone database information update `[17] <FREEBSD:FreeBSD-EN-21:29.tzdata>`__ 
+* src: fix kernel panic in vmci driver initialization `[16] <https://www.freebsd.org/security/advisories/FreeBSD-EN-21:28.vmci.asc>`__ 
+* src: timezone database information update `[17] <https://www.freebsd.org/security/advisories/FreeBSD-EN-21:29.tzdata.asc>`__ 
 * ports: dnspython 2.1.0 `[18] <https://dnspython.readthedocs.io/en/stable/whatsnew.html>`__ 
 * ports: jinja 3.0.1 `[19] <https://jinja.palletsprojects.com/en/3.0.x/changes/#version-3-0-1>`__ 
 * ports: lighttpd 1.4.61 `[20] <https://www.lighttpd.net/2021/10/28/1.4.61/>`__ 
@@ -386,9 +386,9 @@ Here are the full patch notes:
 * src: compatibility shim for upcoming rtsold "-M" command line option
 * src: dhclient support for VLAN 0 decapsulation
 * src: dhclient: skip_to_semi() consumes semicolon already
-* src: fix libfetch out of bounds read `[15] <FREEBSD:FreeBSD-SA-21:15.libfetch>`__ 
-* src: fix missing error handling in bhyve(8) device models `[16] <FREEBSD:FreeBSD-SA-21:13.bhyve>`__ 
-* src: fix remote code execution in ggatec(8) `[17] <FREEBSD:FreeBSD-SA-21:14.ggatec>`__ 
+* src: fix libfetch out of bounds read `[15] <https://www.freebsd.org/security/advisories/FreeBSD-SA-21:15.libfetch.asc>`__ 
+* src: fix missing error handling in bhyve(8) device models `[16] <https://www.freebsd.org/security/advisories/FreeBSD-SA-21:13.bhyve.asc>`__ 
+* src: fix remote code execution in ggatec(8) `[17] <https://www.freebsd.org/security/advisories/FreeBSD-SA-21:14.ggatec.asc>`__ 
 * src: iflib: fix partial length accounting error in netmap mode
 * src: lib: add libnetmap and related patches
 * src: rtsold: slightly change address read
diff --git a/source/releases/BE_21.4.rst b/source/releases/BE_21.4.rst
index f065d995..de24c3d4 100644
--- a/source/releases/BE_21.4.rst
+++ b/source/releases/BE_21.4.rst
@@ -193,11 +193,11 @@ Here are the full patch notes:
 * plugins: os-telegraf 1.10.1 `[7] <https://github.com/opnsense/plugins/blob/stable/21.1/net-mgmt/telegraf/pkg-descr>`__ 
 * plugins: os-zabbix4-proxy 1.3 `[8] <https://github.com/opnsense/plugins/blob/stable/21.1/net-mgmt/zabbix4-proxy/pkg-descr>`__ 
 * plugins: os-zabbix5-proxy 1.5 `[9] <https://github.com/opnsense/plugins/blob/stable/21.1/net-mgmt/zabbix5-proxy/pkg-descr>`__ 
-* src: SMAP bypass `[10] <FREEBSD:FreeBSD-SA-21:11.smap>`__ 
-* src: missing message validation in libradius `[11] <FREEBSD:FreeBSD-SA-21:12.libradius>`__  `[12] <FREEBSD:FreeBSD-EN-21:17.libradius>`__ 
-* src: pms data corruption `[13] <FREEBSD:FreeBSD-EN-21:14.pms>`__ 
-* src: libcasper: fix descriptors numbers `[14] <FREEBSD:EN-21:19.libcasper>`__ 
-* src: linux: prevent integer overflow in futex_requeue `[15] <FREEBSD:EN-21:22.linux_futex>`__ 
+* src: SMAP bypass `[10] <https://www.freebsd.org/security/advisories/FreeBSD-SA-21:11.smap.asc>`__ 
+* src: missing message validation in libradius `[11] <https://www.freebsd.org/security/advisories/FreeBSD-SA-21:12.libradius.asc>`__  `[12] <https://www.freebsd.org/security/advisories/FreeBSD-EN-21:17.libradius.asc>`__ 
+* src: pms data corruption `[13] <https://www.freebsd.org/security/advisories/FreeBSD-EN-21:14.pms.asc>`__ 
+* src: libcasper: fix descriptors numbers `[14] <https://www.freebsd.org/security/advisories/EN-21:19.libcasper.asc>`__ 
+* src: linux: prevent integer overflow in futex_requeue `[15] <https://www.freebsd.org/security/advisories/EN-21:22.linux_futex.asc>`__ 
 * ports: filterlog 0.4 adds label support to output if applicable
 * ports: libxml fix for CVE-2021-3541
 * ports: nss 3.65 `[16] <https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_65.html>`__ 
@@ -272,13 +272,13 @@ Here are the full patch notes:
 * plugins: os-zabbix5-proxy 1.4 `[10] <https://github.com/opnsense/plugins/blob/stable/21.1/net-mgmt/zabbix5-proxy/pkg-descr>`__ 
 * src: axgbe: check for IFCAP_VLAN_HWTAGGING when reading descriptor
 * src: axgbe: add 1000BASE-BX SFP support
-* src: accept_filter: fix filter parameter handling `[11] <FREEBSD:FreeBSD-SA-21:09.accept_filter>`__ 
-* src: vm_fault: shoot down multiply mapped COW source page mappings `[12] <FREEBSD:FreeBSD-SA-21:08.vm>`__ 
-* src: mount: disallow mounting over a jail root `[13] <FREEBSD:FreeBSD-SA-21:10.jail_mount>`__ 
+* src: accept_filter: fix filter parameter handling `[11] <https://www.freebsd.org/security/advisories/FreeBSD-SA-21:09.accept_filter.asc>`__ 
+* src: vm_fault: shoot down multiply mapped COW source page mappings `[12] <https://www.freebsd.org/security/advisories/FreeBSD-SA-21:08.vm.asc>`__ 
+* src: mount: disallow mounting over a jail root `[13] <https://www.freebsd.org/security/advisories/FreeBSD-SA-21:10.jail_mount.asc>`__ 
 * src: em: add support for Intel I219 V10 device
 * src: em: fix a null de-reference in em_free_pci_resources
 * src: bsdinstall: switch to OPNsense branding
-* src: race condition in aesni(4) encrypt-then-auth operations `[14] <FREEBSD:FreeBSD-EN-21:11.aesni>`__ 
+* src: race condition in aesni(4) encrypt-then-auth operations `[14] <https://www.freebsd.org/security/advisories/FreeBSD-EN-21:11.aesni.asc>`__ 
 * ports: curl 7.77.0 `[15] <https://curl.se/changes.html#7_77_0>`__ 
 * ports: dnsmasq 2.85 `[16] <https://www.thekelleys.org.uk/dnsmasq/CHANGELOG>`__ 
 * ports: expat 2.4.1
@@ -496,19 +496,19 @@ Here are the full patch notes:
 * src: netmap tun(4) support adds pseudo addresses to ethernet header emulation (contributed by Sunny Valley Networks)
 * src: add a manual page for axp(4) / AMD 10G Ethernet driver
 * src: fix traffic graph not showing bandwidth when IPS is enabled
-* src: panic when destroying VNET and epair simultaneously `[16] <FREEBSD:FreeBSD-EN-21:03.vnet>`__ 
-* src: uninitialized file system kernel stack leaks `[17] <FREEBSD:FreeBSD-SA-21:01.fsdisclosure>`__ 
-* src: Xen guest-triggered out of memory `[18] <FREEBSD:FreeBSD-SA-21:02.xenoom>`__ 
-* src: update timezone database information `[19] <FREEBSD:FreeBSD-EN-21:01.tzdata>`__ 
-* src: jail: Handle a possible race between jail_remove(2) and fork(2) `[20] <FREEBSD:FreeBSD-SA-21:04.jail_remove>`__ 
-* src: jail: Change both root and working directories in jail_attach(2) `[21] <FREEBSD:FreeBSD-SA-21:05.jail_chdir>`__ 
-* src: x86: free microcode memory later `[22] <FREEBSD:FreeBSD-EN-21:06.microcode>`__ 
-* src: xen-blkback: fix leak of grant maps on ring setup failure `[23] <FREEBSD:FreeBSD-SA-21:06.xen>`__ 
+* src: panic when destroying VNET and epair simultaneously `[16] <https://www.freebsd.org/security/advisories/FreeBSD-EN-21:03.vnet.asc>`__ 
+* src: uninitialized file system kernel stack leaks `[17] <https://www.freebsd.org/security/advisories/FreeBSD-SA-21:01.fsdisclosure.asc>`__ 
+* src: Xen guest-triggered out of memory `[18] <https://www.freebsd.org/security/advisories/FreeBSD-SA-21:02.xenoom.asc>`__ 
+* src: update timezone database information `[19] <https://www.freebsd.org/security/advisories/FreeBSD-EN-21:01.tzdata.asc>`__ 
+* src: jail: Handle a possible race between jail_remove(2) and fork(2) `[20] <https://www.freebsd.org/security/advisories/FreeBSD-SA-21:04.jail_remove.asc>`__ 
+* src: jail: Change both root and working directories in jail_attach(2) `[21] <https://www.freebsd.org/security/advisories/FreeBSD-SA-21:05.jail_chdir.asc>`__ 
+* src: x86: free microcode memory later `[22] <https://www.freebsd.org/security/advisories/FreeBSD-EN-21:06.microcode.asc>`__ 
+* src: xen-blkback: fix leak of grant maps on ring setup failure `[23] <https://www.freebsd.org/security/advisories/FreeBSD-SA-21:06.xen.asc>`__ 
 * src: rtsold: auto-probe point to point interfaces
 * src: growfs: update check-hash when doing large filesystem expansions
 * src: axgbe: change default parameters to prevent manual tunable settings
 * src: arp: avoid segfaulting due to out-of-bounds memory access
-* src: fix multiple OpenSSL vulnerabilities `[24] <FREEBSD:FreeBSD-SA-21:07.openssl>`__ 
+* src: fix multiple OpenSSL vulnerabilities `[24] <https://www.freebsd.org/security/advisories/FreeBSD-SA-21:07.openssl.asc>`__ 
 * src: axgbe: enable receive all mode to bypass the MAC filter to avoid dropping CARP MAC addresses
 * ports: ca_root_nss / nss 3.63 `[25] <https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_63.html>`__ 
 * ports: curl 7.75.0 `[26] <https://curl.se/changes.html#7_75_0>`__ 
diff --git a/source/releases/BE_22.10.rst b/source/releases/BE_22.10.rst
index 02c8ab9c..9039d8b8 100644
--- a/source/releases/BE_22.10.rst
+++ b/source/releases/BE_22.10.rst
@@ -30,11 +30,11 @@ Here are the full patch notes:
 * intrusion detection: properly reset metadata response when no metadata is found
 * unbound: missing global so that cache is never flushed when requested
 * mvc: cleanse $record input in searchRecordsetBase() before usage
-* src: fix multiple OpenSSL vulnerabilities `[1] <FREEBSD:FreeBSD-SA-23:03.openssl>`__ 
-* src: geli: split the initalization of HMAC `[2] <FREEBSD:FreeBSD-SA-23:01.geli>`__ 
-* src: fix ena driver crash after reset in 7th gen AWS instance types `[3] <FREEBSD:FreeBSD-EN-23:03.ena>`__ 
-* src: fix sdhci broken write-protect settings `[4] <FREEBSD:FreeBSD-EN-23:02.sdhci>`__ 
-* src: import tzdata 2022g `[5] <FREEBSD:FreeBSD-EN-23:01.tzdata>`__ 
+* src: fix multiple OpenSSL vulnerabilities `[1] <https://www.freebsd.org/security/advisories/FreeBSD-SA-23:03.openssl.asc>`__ 
+* src: geli: split the initalization of HMAC `[2] <https://www.freebsd.org/security/advisories/FreeBSD-SA-23:01.geli.asc>`__ 
+* src: fix ena driver crash after reset in 7th gen AWS instance types `[3] <https://www.freebsd.org/security/advisories/FreeBSD-EN-23:03.ena.asc>`__ 
+* src: fix sdhci broken write-protect settings `[4] <https://www.freebsd.org/security/advisories/FreeBSD-EN-23:02.sdhci.asc>`__ 
+* src: import tzdata 2022g `[5] <https://www.freebsd.org/security/advisories/FreeBSD-EN-23:01.tzdata.asc>`__ 
 * src: x86: ignore stepping for APL30 errata
 * ports: openssl 1.1.1t `[6] <https://www.openssl.org/news/openssl-1.1.1-notes.html>`__ 
 
@@ -416,17 +416,17 @@ Here are the full patch notes:
 * src: pf: ensure that pfiio_name is always nul terminated
 * src: pf: make sure that pfi_update_status() always zeros counters
 * src: igc: change default duplex setting
-* src: lib9p: remove potential buffer overwrite in l9p_puqids() `[22] <FREEBSD:FreeBSD-SA-22:12.lib9p>`__ 
-* src: vm_fault: shoot down shared mappings in vm_fault_copy_entry() `[23] <FREEBSD:FreeBSD-SA-22:11.vm>`__ 
-* src: elf_note_prpsinfo: handle more failures from proc_getargv() `[24] <FREEBSD:FreeBSD-SA-22:09.elf>`__ 
-* src: pam_exec: fix segfault when authtok is null `[25] <FREEBSD:FreeBSD-EN-22:19.pam_exec>`__ 
-* src: kevent: fix an off-by-one in filt_timerexpire_l() `[26] <FREEBSD:FreeBSD-EN-22:16.kqueue>`__ 
-* src: cam: leep periph_links when restoring CCB in camperiphdone() `[27] <FREEBSD:FreeBSD-EN-22:17.cam>`__ 
+* src: lib9p: remove potential buffer overwrite in l9p_puqids() `[22] <https://www.freebsd.org/security/advisories/FreeBSD-SA-22:12.lib9p.asc>`__ 
+* src: vm_fault: shoot down shared mappings in vm_fault_copy_entry() `[23] <https://www.freebsd.org/security/advisories/FreeBSD-SA-22:11.vm.asc>`__ 
+* src: elf_note_prpsinfo: handle more failures from proc_getargv() `[24] <https://www.freebsd.org/security/advisories/FreeBSD-SA-22:09.elf.asc>`__ 
+* src: pam_exec: fix segfault when authtok is null `[25] <https://www.freebsd.org/security/advisories/FreeBSD-EN-22:19.pam_exec.asc>`__ 
+* src: kevent: fix an off-by-one in filt_timerexpire_l() `[26] <https://www.freebsd.org/security/advisories/FreeBSD-EN-22:16.kqueue.asc>`__ 
+* src: cam: leep periph_links when restoring CCB in camperiphdone() `[27] <https://www.freebsd.org/security/advisories/FreeBSD-EN-22:17.cam.asc>`__ 
 * src: pfctl: fix FOM_ICMP/POM_STICKYADDRESS clash
 * src: restrict default /root permissions to 750
 * src: rc: add ${name}_setup script support
-* src: zlib: fix a bug when getting a gzip header extra field with inflate() `[28] <FREEBSD:FreeBSD-SA-22:13.zlib>`__ 
-* src: tzdata: import tzdata 2022b and 2022c `[29] <FREEBSD:FreeBSD-EN-22:20.tzdata>`__ 
+* src: zlib: fix a bug when getting a gzip header extra field with inflate() `[28] <https://www.freebsd.org/security/advisories/FreeBSD-SA-22:13.zlib.asc>`__ 
+* src: tzdata: import tzdata 2022b and 2022c `[29] <https://www.freebsd.org/security/advisories/FreeBSD-EN-22:20.tzdata.asc>`__ 
 * src: FreeBSD 13.1-RELEASE `[30] <https://www.freebsd.org/releases/13.1R/relnotes/>`__ 
 * src: ifconfig: print interface name on SIOCIFCREATE2 error
 * src: igc: do not start in promiscuous mode by default
@@ -459,19 +459,19 @@ Here are the full patch notes:
 The following operating system hotfix was issued:
 
 * src: vxlan: check the size of data available in mbuf before using them
-* src: vm_page: fix a logic error in the handling of PQ_ACTIVE operations `[51] <FREEBSD:FreeBSD-EN-22:23.vm>`__ 
-* src: cam: provide compatibility for CAMGETPASSTHRU for periph drivers `[52] <FREEBSD:FreeBSD-EN-22:26.cam>`__ 
-* src: loader: fix elf lookup_symbol type filtering `[53] <FREEBSD:FreeBSD-EN-22:27.loader>`__ 
-* src: zfs: fix a pair of bugs in zfs_fhtovp() `[54] <FREEBSD:FreeBSD-EN-22:24.zfs>`__ 
-* src: zfs: fix use-after-free in btree code `[55] <FREEBSD:FreeBSD-EN-22:21.zfs>`__ 
-* src: tcp: finish SACK loss recovery on sudden lack of SACK blocks `[56] <FREEBSD:FreeBSD-EN-22:25.tcp>`__ 
+* src: vm_page: fix a logic error in the handling of PQ_ACTIVE operations `[51] <https://www.freebsd.org/security/advisories/FreeBSD-EN-22:23.vm.asc>`__ 
+* src: cam: provide compatibility for CAMGETPASSTHRU for periph drivers `[52] <https://www.freebsd.org/security/advisories/FreeBSD-EN-22:26.cam.asc>`__ 
+* src: loader: fix elf lookup_symbol type filtering `[53] <https://www.freebsd.org/security/advisories/FreeBSD-EN-22:27.loader.asc>`__ 
+* src: zfs: fix a pair of bugs in zfs_fhtovp() `[54] <https://www.freebsd.org/security/advisories/FreeBSD-EN-22:24.zfs.asc>`__ 
+* src: zfs: fix use-after-free in btree code `[55] <https://www.freebsd.org/security/advisories/FreeBSD-EN-22:21.zfs.asc>`__ 
+* src: tcp: finish SACK loss recovery on sudden lack of SACK blocks `[56] <https://www.freebsd.org/security/advisories/FreeBSD-EN-22:25.tcp.asc>`__ 
 * src: igc: remove unnecessary PHY ID checks
 * src: ixl: add support for I710 devices and remove non-inclusive language
 * src: ixl: fix SR-IOV panics
 * src: u3g: add more USB IDs
 * src: ixgbe: workaround errata about UDP frames with zero checksum
 * src: hpet: Allow a MMIO window smaller than 1K
-* src: ping: fix handling of IP packet sizes `[57] <FREEBSD:FreeBSD-SA-22:15.ping>`__ 
+* src: ping: fix handling of IP packet sizes `[57] <https://www.freebsd.org/security/advisories/FreeBSD-SA-22:15.ping.asc>`__ 
 
 Known issues and limitations:
 
diff --git a/source/releases/BE_22.4.rst b/source/releases/BE_22.4.rst
index 441c6d9a..59b30bc9 100644
--- a/source/releases/BE_22.4.rst
+++ b/source/releases/BE_22.4.rst
@@ -474,15 +474,15 @@ Here are the full patch notes:
 * src: hn: disable Hyper-V vSwitch RSC support
 * src: stand: add EFI support for MMIO serial consoles
 * src: apei: make sure event data fit into the buffer
-* src: openssl: fix a bug in BN_mod_sqrt() that can cause it to loop forever `[14] <FREEBSD:FreeBSD-SA-22:03.openssl>`__ 
-* src: zfs: fix handling of errors from dmu_write_uio_dbuf() `[15] <FREEBSD:FreeBSD-EN-22:10.zfs>`__ 
+* src: openssl: fix a bug in BN_mod_sqrt() that can cause it to loop forever `[14] <https://www.freebsd.org/security/advisories/FreeBSD-SA-22:03.openssl.asc>`__ 
+* src: zfs: fix handling of errors from dmu_write_uio_dbuf() `[15] <https://www.freebsd.org/security/advisories/FreeBSD-EN-22:10.zfs.asc>`__ 
 * src: debugnet: remove spurious message on boot
-* src: pf(4) tables may fail to load `[16] <FREEBSD:FreeBSD-EN-22:15.pf>`__ 
-* src: potential jail escape vulnerabilities in netmap `[17] <FREEBSD:FreeBSD-SA-22:04.netmap>`__ 
-* src: bhyve e82545 device emulation out-of-bounds write `[18] <FREEBSD:FreeBSD-SA-22:05.bhyve>`__ 
-* src: mpr/mps/mpt driver ioctl heap out-of-bounds write `[19] <FREEBSD:FreeBSD-SA-22:06.ioctl>`__ 
-* src: 802.11 heap buffer overflow `[20] <FREEBSD:FreeBSD-SA-22:07.wifi_meshid>`__ 
-* src: zlib compression out-of-bounds write `[21] <FREEBSD:FreeBSD-SA-22:08.zlib>`__ 
+* src: pf(4) tables may fail to load `[16] <https://www.freebsd.org/security/advisories/FreeBSD-EN-22:15.pf.asc>`__ 
+* src: potential jail escape vulnerabilities in netmap `[17] <https://www.freebsd.org/security/advisories/FreeBSD-SA-22:04.netmap.asc>`__ 
+* src: bhyve e82545 device emulation out-of-bounds write `[18] <https://www.freebsd.org/security/advisories/FreeBSD-SA-22:05.bhyve.asc>`__ 
+* src: mpr/mps/mpt driver ioctl heap out-of-bounds write `[19] <https://www.freebsd.org/security/advisories/FreeBSD-SA-22:06.ioctl.asc>`__ 
+* src: 802.11 heap buffer overflow `[20] <https://www.freebsd.org/security/advisories/FreeBSD-SA-22:07.wifi_meshid.asc>`__ 
+* src: zlib compression out-of-bounds write `[21] <https://www.freebsd.org/security/advisories/FreeBSD-SA-22:08.zlib.asc>`__ 
 * ports: ca_root_nss fix for faulty upstream file linking
 * ports: curl 7.81.0 `[22] <https://curl.se/changes.html#7_81_0>`__ 
 * ports: dnspython 2.2.1 `[23] <https://dnspython.readthedocs.io/en/stable/whatsnew.html>`__ 
diff --git a/source/releases/BE_23.10.rst b/source/releases/BE_23.10.rst
index fcee853e..5b56811c 100644
--- a/source/releases/BE_23.10.rst
+++ b/source/releases/BE_23.10.rst
@@ -252,9 +252,9 @@ Here are the full patch notes:
 * src: axgbe: enable RSF to prevent zero-length packets while in Netmap mode
 * src: axgbe: gracefully handle i2c bus failures
 * src: axgbe: only set CSUM_DONE when IFCAP_RXCSUM enabled
-* src: bhyve: fully reset the fwctl state machine if the guest requests a reset `[13] <FREEBSD:FreeBSD-SA-23:07.bhyve>`__ 
+* src: bhyve: fully reset the fwctl state machine if the guest requests a reset `[13] <https://www.freebsd.org/security/advisories/FreeBSD-SA-23:07.bhyve.asc>`__ 
 * src: bnxt: do not restart on VLAN changes
-* src: frag6: avoid a possible integer overflow in fragment handling `[14] <FREEBSD:FreeBSD-SA-23:06.ipv6>`__ 
+* src: frag6: avoid a possible integer overflow in fragment handling `[14] <https://www.freebsd.org/security/advisories/FreeBSD-SA-23:06.ipv6.asc>`__ 
 * src: gif: revert in{,6}_gif_output() misalignment handling
 * src: ice: do not restart on VLAN changes
 * src: if_vlan: always default to 802.1
@@ -270,10 +270,10 @@ Here are the full patch notes:
 * src: ixl: add link state polling
 * src: ixl: port ice's atomic API to ixl
 * src: libpfctl: ensure the initial allocation is large enough
-* src: net80211: fail for unicast traffic without unicast key `[15] <FREEBSD:FreeBSD-SA-23:11.wifi>`__ 
+* src: net80211: fail for unicast traffic without unicast key `[15] <https://www.freebsd.org/security/advisories/FreeBSD-SA-23:11.wifi.asc>`__ 
 * src: net: do not overwrite VLAN PCP
 * src: net: remove VLAN metadata on PCP / VLAN encapsulation
-* src: pcib: allocate the memory BAR with the MSI-X table `[16] <FREEBSD:FreeBSD-EN-23:10.pci>`__ 
+* src: pcib: allocate the memory BAR with the MSI-X table `[16] <https://www.freebsd.org/security/advisories/FreeBSD-EN-23:10.pci.asc>`__ 
 * src: pf: handle multiple IPv6 fragment headers
 * src: rss: set pin_default_swi to 0 by default
 * src: rtsol: introduce an 'always' script
diff --git a/source/releases/BE_23.4.rst b/source/releases/BE_23.4.rst
index 3aab3e17..fa843b6f 100644
--- a/source/releases/BE_23.4.rst
+++ b/source/releases/BE_23.4.rst
@@ -88,10 +88,10 @@ Here are the full patch notes:
 * plugins: os-zabbix-proxy plugin variant for Zabbix 6.4
 * src: axgbe: account for 4 SFP ports during GPIO expander check
 * src: ipsec: make algorithm tables read-only
-* src: mpr: fix copying of event_mask `[3] <FREEBSD:FreeBSD-EN-23:07.mpr>`__ 
-* src: pam_krb5: fix spoofing vulnerability `[4] <FREEBSD:FreeBSD-SA-23:04.pam_krb5>`__ 
-* src: loader: comconsole: do not unconditionally wipe out hw.uart.console `[5] <FREEBSD:FreeBSD-EN-23:06.loader>`__ 
-* src: contrib/tzdata: import tzdata 2023c `[6] <FREEBSD:FreeBSD-EN-23:05.tzdata>`__ 
+* src: mpr: fix copying of event_mask `[3] <https://www.freebsd.org/security/advisories/FreeBSD-EN-23:07.mpr.asc>`__ 
+* src: pam_krb5: fix spoofing vulnerability `[4] <https://www.freebsd.org/security/advisories/FreeBSD-SA-23:04.pam_krb5.asc>`__ 
+* src: loader: comconsole: do not unconditionally wipe out hw.uart.console `[5] <https://www.freebsd.org/security/advisories/FreeBSD-EN-23:06.loader.asc>`__ 
+* src: contrib/tzdata: import tzdata 2023c `[6] <https://www.freebsd.org/security/advisories/FreeBSD-EN-23:05.tzdata.asc>`__ 
 * src: ixgbe: change if condition for RSS and rxcsum
 * src: pf: fix pf_nv##_array() size check
 * src: e1000: fix VLAN 0
diff --git a/source/releases/CE_20.1.rst b/source/releases/CE_20.1.rst
index f3f660ce..9b3ad262 100644
--- a/source/releases/CE_20.1.rst
+++ b/source/releases/CE_20.1.rst
@@ -153,11 +153,11 @@ Here are the full patch notes:
 * src: added Novatel Wireless MiFi 8800/8000 support (contributed by rootless4real)
 * src: fix pf shared forwarding on non-existing interfaces
 * src: patch in tty 3wire autologin support
-* src: fix insufficient packet length validation in libalias `[1] <FREEBSD:FreeBSD-SA-20:12.libalias>`__ 
-* src: fix memory disclosure vulnerability in libalias `[2] <FREEBSD:FreeBSD-SA-20:13.libalias>`__ 
-* src: fix improper checking in SCTP-AUTH shared key update `[3] <FREEBSD:FreeBSD-SA-20:14.sctp>`__ 
-* src: fix use after free in cryptodev module `[4] <FREEBSD:FreeBSD-SA-20:15.cryptodev>`__ 
-* src: update to tzdata 2020a `[5] <FREEBSD:FreeBSD-EN-20:08.tzdata>`__ 
+* src: fix insufficient packet length validation in libalias `[1] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:12.libalias.asc>`__ 
+* src: fix memory disclosure vulnerability in libalias `[2] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:13.libalias.asc>`__ 
+* src: fix improper checking in SCTP-AUTH shared key update `[3] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:14.sctp.asc>`__ 
+* src: fix use after free in cryptodev module `[4] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:15.cryptodev.asc>`__ 
+* src: update to tzdata 2020a `[5] <https://www.freebsd.org/security/advisories/FreeBSD-EN-20:08.tzdata.asc>`__ 
 * ports: ca_root_nss 3.52
 * ports: curl 7.70.0 `[6] <https://curl.se/changes.html#7_70_0>`__ 
 * ports: dhcp6c v20200512
diff --git a/source/releases/CE_20.7.rst b/source/releases/CE_20.7.rst
index 68fe678f..f388d158 100644
--- a/source/releases/CE_20.7.rst
+++ b/source/releases/CE_20.7.rst
@@ -81,7 +81,7 @@ Here are the full patch notes:
 * plugins: os-maltrail fixes sensor start without server (contributed by Julio Camargo)
 * plugins: os-nginx 1.20 `[2] <https://github.com/opnsense/plugins/blob/stable/20.7/www/nginx/pkg-descr>`__ 
 * plugins: os-tinc fixes for latest version (contributed by vnxme)
-* src: fix OpenSSL NULL pointer de-reference `[3] <FREEBSD:FreeBSD-SA-20:33.openssl>`__ 
+* src: fix OpenSSL NULL pointer de-reference `[3] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:33.openssl.asc>`__ 
 * src: fix partial scrub of multicast packages
 * src: free full mbuf chains in iflib when draining transmit queues
 * src: initialize oifp to avoid bogus results/panics in edge cases
@@ -173,12 +173,12 @@ Here are the full patch notes:
 * src: improve netmap(4) and vale(4) man pages
 * src: IPV6_PKTINFO support for v4-mapped IPv6 sockets
 * src: zero-initialize variables in HBSD PaX SEGVGUARD
-* src: fix execve/fexecve system call auditing `[3] <FREEBSD:FreeBSD-EN-20:19.audit>`__ 
-* src: fix uninitialized variable in ipfw `[4] <FREEBSD:FreeBSD-EN-20:21.ipfw>`__ 
-* src: fix race condition in callout CPU migration `[5] <FREEBSD:FreeBSD-EN-20:22.callout>`__ 
-* src: fix ICMPv6 use-after-free in error message handling `[6] <FREEBSD:FreeBSD-SA-20:31.icmp6>`__ 
-* src: fix multiple vulnerabilities in rtsold `[7] <FREEBSD:FreeBSD-SA-20:32.rtsold>`__ 
-* src: update timezone database information `[8] <FREEBSD:FreeBSD-EN-20:20.tzdata>`__ 
+* src: fix execve/fexecve system call auditing `[3] <https://www.freebsd.org/security/advisories/FreeBSD-EN-20:19.audit.asc>`__ 
+* src: fix uninitialized variable in ipfw `[4] <https://www.freebsd.org/security/advisories/FreeBSD-EN-20:21.ipfw.asc>`__ 
+* src: fix race condition in callout CPU migration `[5] <https://www.freebsd.org/security/advisories/FreeBSD-EN-20:22.callout.asc>`__ 
+* src: fix ICMPv6 use-after-free in error message handling `[6] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:31.icmp6.asc>`__ 
+* src: fix multiple vulnerabilities in rtsold `[7] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:32.rtsold.asc>`__ 
+* src: update timezone database information `[8] <https://www.freebsd.org/security/advisories/FreeBSD-EN-20:20.tzdata.asc>`__ 
 * ports: krb5 1.18.3 `[9] <https://web.mit.edu/kerberos/krb5-1.18/>`__ 
 * ports: nss 3.59 `[10] <https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_59.html>`__ 
 * ports: openldap 2.4.56 `[11] <https://www.openldap.org/software/release/changes.html>`__ 
@@ -321,13 +321,13 @@ Here are the full patch notes:
 * plugins: os-theme-vicuna 1.1 (contributed by Team Rebellion)
 * plugins: os-wireguard 1.3 `[4] <https://github.com/opnsense/plugins/blob/stable/20.7/net/wireguard/pkg-descr>`__ 
 * plugins: os-zabbix-agent 1.8 `[5] <https://github.com/opnsense/plugins/blob/stable/20.7/net-mgmt/zabbix-agent/pkg-descr>`__ 
-* src: fix FreeBSD Linux ABI kernel panic `[6] <FREEBSD:FreeBSD-EN-20:17.linuxthread>`__ 
-* src: fix SCTP socket use-after-free `[7] <FREEBSD:FreeBSD-SA-20:25.sctp>`__ 
-* src: fix dhclient heap overflow `[8] <FREEBSD:FreeBSD-SA-20:26.dhclient>`__ 
-* src: fix ure device driver susceptible to packet-in-packet attack `[9] <FREEBSD:FreeBSD-SA-20:27.ure>`__ 
-* src: fix bhyve privilege escalation via VMCS access `[10] <FREEBSD:FreeBSD-SA-20:28.bhyve_vmcs>`__ 
-* src: fix bhyve SVM guest escape `[11] <FREEBSD:FreeBSD-SA-20:29.bhyve_svm>`__ 
-* src: fix ftpd privilege escalation via ftpchroot `[12] <FREEBSD:FreeBSD-SA-20:30.ftpd>`__ 
+* src: fix FreeBSD Linux ABI kernel panic `[6] <https://www.freebsd.org/security/advisories/FreeBSD-EN-20:17.linuxthread.asc>`__ 
+* src: fix SCTP socket use-after-free `[7] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:25.sctp.asc>`__ 
+* src: fix dhclient heap overflow `[8] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:26.dhclient.asc>`__ 
+* src: fix ure device driver susceptible to packet-in-packet attack `[9] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:27.ure.asc>`__ 
+* src: fix bhyve privilege escalation via VMCS access `[10] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:28.bhyve_vmcs.asc>`__ 
+* src: fix bhyve SVM guest escape `[11] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:29.bhyve_svm.asc>`__ 
+* src: fix ftpd privilege escalation via ftpchroot `[12] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:30.ftpd.asc>`__ 
 * src: set PAX_HARDENING_NOSHLIBRANDOM in the RTLD by default
 * src: fix kernel panic while trying to read multicast stream
 * ports: mpd 5.9 `[13] <http://mpd.sourceforge.net/doc5/mpd4.html#4>`__ 
@@ -429,10 +429,10 @@ Here are the full patch notes:
 * plugins: os-udpbroadcastrelay 1.0 (contributed by Team Rebellion)
 * src: set the current VNET before calling netisr_dispatch() in ng_iface(4)
 * src: assorted multicast group join/leave corrections
-* src: fix vmx driver packet loss and degraded performance `[4] <FREEBSD:FreeBSD-EN-20:16.vmx>`__ 
-* src: fix memory corruption in USB network device driver `[5] <FREEBSD:FreeBSD-SA-20:21.usb_net>`__ 
-* src: fix multiple vulnerabilities in sqlite `[6] <FREEBSD:FreeBSD-SA-20:22.sqlite>`__ 
-* src: fix sendmsg(2) privilege escalation `[7] <FREEBSD:FreeBSD-SA-20:23.sendmsg>`__ 
+* src: fix vmx driver packet loss and degraded performance `[4] <https://www.freebsd.org/security/advisories/FreeBSD-EN-20:16.vmx.asc>`__ 
+* src: fix memory corruption in USB network device driver `[5] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:21.usb_net.asc>`__ 
+* src: fix multiple vulnerabilities in sqlite `[6] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:22.sqlite.asc>`__ 
+* src: fix sendmsg(2) privilege escalation `[7] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:23.sendmsg.asc>`__ 
 * ports: perl 5.32.0 `[8] <https://perldoc.perl.org/5.32.0/perldelta>`__ 
 * ports: squid 4.12 `[9] <http://www.squid-cache.org/Versions/v4/squid-4.12-RELEASENOTES.html>`__ 
 
diff --git a/source/releases/CE_21.1.rst b/source/releases/CE_21.1.rst
index f6169369..119f6751 100644
--- a/source/releases/CE_21.1.rst
+++ b/source/releases/CE_21.1.rst
@@ -122,8 +122,8 @@ Here are the full patch notes:
 * plugins: os-telegraf 1.11.0 `[4] <https://github.com/opnsense/plugins/blob/stable/21.1/net-mgmt/telegraf/pkg-descr>`__ 
 * plugins: os-tor Phalcon 4 fix
 * plugins: os-zabbix5-proxy is now a plugin variant
-* src: libcasper: fix descriptors numbers `[5] <FREEBSD:EN-21:19.libcasper>`__ 
-* src: linux: prevent integer overflow in futex_requeue `[6] <FREEBSD:EN-21:22.linux_futex>`__ 
+* src: libcasper: fix descriptors numbers `[5] <https://www.freebsd.org/security/advisories/EN-21:19.libcasper.asc>`__ 
+* src: linux: prevent integer overflow in futex_requeue `[6] <https://www.freebsd.org/security/advisories/EN-21:22.linux_futex.asc>`__ 
 * ports: clog 1.0.2 fixes garbage header write on init
 * ports: libxml 2.9.12 `[7] <http://www.xmlsoft.org/news.html>`__ 
 * ports: nettle 3.7.3
@@ -186,9 +186,9 @@ Here are the full patch notes:
 * plugins: os-nginx 1.23 `[1] <https://github.com/opnsense/plugins/blob/stable/21.1/www/nginx/pkg-descr>`__ 
 * plugins: os-wireguard 1.7 `[2] <https://github.com/opnsense/plugins/blob/stable/21.1/net/wireguard/pkg-descr>`__ 
 * plugins: os-zabbix4-proxy is now a plugin variant
-* src: SMAP bypass `[3] <FREEBSD:FreeBSD-SA-21:11.smap>`__ 
-* src: missing message validation in libradius `[4] <FREEBSD:FreeBSD-SA-21:12.libradius>`__  `[5] <FREEBSD:FreeBSD-EN-21:17.libradius>`__ 
-* src: pms data corruption `[6] <FREEBSD:FreeBSD-EN-21:14.pms>`__ 
+* src: SMAP bypass `[3] <https://www.freebsd.org/security/advisories/FreeBSD-SA-21:11.smap.asc>`__ 
+* src: missing message validation in libradius `[4] <https://www.freebsd.org/security/advisories/FreeBSD-SA-21:12.libradius.asc>`__  `[5] <https://www.freebsd.org/security/advisories/FreeBSD-EN-21:17.libradius.asc>`__ 
+* src: pms data corruption `[6] <https://www.freebsd.org/security/advisories/FreeBSD-EN-21:14.pms.asc>`__ 
 * ports: curl 7.77.0 `[7] <https://curl.se/changes.html#7_77_0>`__ 
 * ports: isc-dhcp 4.4.2-P1 `[8] <https://downloads.isc.org/isc/dhcp/4.4.2-P1/dhcp-4.4.2-P1-RELNOTES>`__ 
 * ports: nss 3.66 `[9] <https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_66.html>`__ 
@@ -262,7 +262,7 @@ Here are the full patch notes:
 * plugins: os-zabbix5-proxy 1.5 `[9] <https://github.com/opnsense/plugins/blob/stable/21.1/net-mgmt/zabbix5-proxy/pkg-descr>`__ 
 * src: axgbe: check for IFCAP_VLAN_HWTAGGING when reading descriptor
 * src: axgbe: add 1000BASE-BX SFP support
-* src: race condition in aesni(4) encrypt-then-auth operations `[10] <FREEBSD:FreeBSD-EN-21:11.aesni>`__ 
+* src: race condition in aesni(4) encrypt-then-auth operations `[10] <https://www.freebsd.org/security/advisories/FreeBSD-EN-21:11.aesni.asc>`__ 
 * ports: curl 7.76.1 `[11] <https://curl.se/changes.html#7_76_1>`__ 
 * ports: expat 2.4.1
 * ports: filterlog 0.4 adds label support to output if applicable
@@ -342,9 +342,9 @@ Here are the full patch notes:
 * plugins: os-wireguard 1.6 `[9] <https://github.com/opnsense/plugins/blob/stable/21.1/net/wireguard/pkg-descr>`__ 
 * plugins: os-zabbix5-proxy 1.4 `[10] <https://github.com/opnsense/plugins/blob/stable/21.1/net-mgmt/zabbix5-proxy/pkg-descr>`__ 
 * src: axgbe: enable receive all mode to bypass the MAC filter to avoid dropping CARP MAC addresses
-* src: accept_filter: fix filter parameter handling `[11] <FREEBSD:FreeBSD-SA-21:09.accept_filter>`__ 
-* src: vm_fault: shoot down multiply mapped COW source page mappings `[12] <FREEBSD:FreeBSD-SA-21:08.vm>`__ 
-* src: mount: disallow mounting over a jail root `[13] <FREEBSD:FreeBSD-SA-21:10.jail_mount>`__ 
+* src: accept_filter: fix filter parameter handling `[11] <https://www.freebsd.org/security/advisories/FreeBSD-SA-21:09.accept_filter.asc>`__ 
+* src: vm_fault: shoot down multiply mapped COW source page mappings `[12] <https://www.freebsd.org/security/advisories/FreeBSD-SA-21:08.vm.asc>`__ 
+* src: mount: disallow mounting over a jail root `[13] <https://www.freebsd.org/security/advisories/FreeBSD-SA-21:10.jail_mount.asc>`__ 
 * src: em: add support for Intel I219 V10 device
 * src: em: fix a null de-reference in em_free_pci_resources
 * src: bsdinstall: switch to OPNsense branding
@@ -419,7 +419,7 @@ Here are the full patch notes:
 * plugins: os-theme-vicuna 1.4 (contributed by Team Rebellion)
 * plugins: os-wireguard 1.5 `[5] <https://github.com/opnsense/plugins/blob/stable/21.1/net/wireguard/pkg-descr>`__ 
 * plugins: os-wol 2.4 fixes dashboard widget (contributed by kulikov-a)
-* src: fix multiple OpenSSL vulnerabilities `[6] <FREEBSD:FreeBSD-SA-21:07.openssl>`__ 
+* src: fix multiple OpenSSL vulnerabilities `[6] <https://www.freebsd.org/security/advisories/FreeBSD-SA-21:07.openssl.asc>`__ 
 * ports: ca_root_nss / nss 3.63 `[7] <https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_63.html>`__ 
 * ports: libressl 3.2.5 `[8] <https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.2.5-relnotes.txt>`__ 
 * ports: openldap 2.4.58 `[9] <https://www.openldap.org/software/release/changes.html>`__ 
@@ -482,10 +482,10 @@ Here are the full patch notes:
 * plugins: os-haproxy 3.0 `[1] <https://github.com/opnsense/plugins/blob/stable/21.1/net/haproxy/pkg-descr>`__ 
 * plugins: os-nginx 1.21 `[2] <https://github.com/opnsense/plugins/blob/stable/21.1/www/nginx/pkg-descr>`__ 
 * plugins: os-node_exporter 1.1 `[3] <https://github.com/opnsense/plugins/blob/stable/21.1/sysutils/node_exporter/pkg-descr>`__ 
-* src: jail: Handle a possible race between jail_remove(2) and fork(2) `[4] <FREEBSD:FreeBSD-SA-21:04.jail_remove>`__ 
-* src: jail: Change both root and working directories in jail_attach(2) `[5] <FREEBSD:FreeBSD-SA-21:05.jail_chdir>`__ 
-* src: x86: free microcode memory later `[6] <FREEBSD:FreeBSD-EN-21:06.microcode>`__ 
-* src: xen-blkback: fix leak of grant maps on ring setup failure `[7] <FREEBSD:FreeBSD-SA-21:06.xen>`__ 
+* src: jail: Handle a possible race between jail_remove(2) and fork(2) `[4] <https://www.freebsd.org/security/advisories/FreeBSD-SA-21:04.jail_remove.asc>`__ 
+* src: jail: Change both root and working directories in jail_attach(2) `[5] <https://www.freebsd.org/security/advisories/FreeBSD-SA-21:05.jail_chdir.asc>`__ 
+* src: x86: free microcode memory later `[6] <https://www.freebsd.org/security/advisories/FreeBSD-EN-21:06.microcode.asc>`__ 
+* src: xen-blkback: fix leak of grant maps on ring setup failure `[7] <https://www.freebsd.org/security/advisories/FreeBSD-SA-21:06.xen.asc>`__ 
 * src: rtsold: auto-probe point to point interfaces
 * src: growfs: update check-hash when doing large filesystem expansions
 * src: axgbe: change default parameters to prevent manual tunable settings
@@ -601,10 +601,10 @@ Here are the full patch notes:
 * plugins: os-nginx upstream TLS verification fix (contributed by kulikov-a)
 * plugins: os-theme-cicada 1.26 (contributed by Team Rebellion)
 * plugins: os-theme-vicuna 1.2 (contributed by Team Rebellion)
-* src: panic when destroying VNET and epair simultaneously `[1] <FREEBSD:FreeBSD-EN-21:03.vnet>`__ 
-* src: uninitialized file system kernel stack leaks `[2] <FREEBSD:FreeBSD-SA-21:01.fsdisclosure>`__ 
-* src: Xen guest-triggered out of memory `[3] <FREEBSD:FreeBSD-SA-21:02.xenoom>`__ 
-* src: update timezone database information `[4] <FREEBSD:FreeBSD-EN-21:01.tzdata>`__ 
+* src: panic when destroying VNET and epair simultaneously `[1] <https://www.freebsd.org/security/advisories/FreeBSD-EN-21:03.vnet.asc>`__ 
+* src: uninitialized file system kernel stack leaks `[2] <https://www.freebsd.org/security/advisories/FreeBSD-SA-21:01.fsdisclosure.asc>`__ 
+* src: Xen guest-triggered out of memory `[3] <https://www.freebsd.org/security/advisories/FreeBSD-SA-21:02.xenoom.asc>`__ 
+* src: update timezone database information `[4] <https://www.freebsd.org/security/advisories/FreeBSD-EN-21:01.tzdata.asc>`__ 
 * ports: dnsmasq 2.84 `[5] <https://www.thekelleys.org.uk/dnsmasq/CHANGELOG>`__ 
 * ports: lighttpd 1.4.59 `[6] <http://www.lighttpd.net/2021/2/2/1.4.59/>`__ 
 * ports: krb5 1.19 `[7] <https://web.mit.edu/kerberos/krb5-1.19/>`__ 
@@ -853,7 +853,7 @@ Here are the full patch notes against 20.7.7_1:
 * ui: move sidebar stage from session to local storage
 * plugins: os-bind 1.15 `[2] <https://github.com/opnsense/plugins/blob/stable/21.1/dns/bind/pkg-descr>`__ 
 * plugins: os-frr 1.21 `[3] <https://github.com/opnsense/plugins/blob/stable/21.1/net/frr/pkg-descr>`__ 
-* src: fix OpenSSL NULL pointer de-reference `[4] <FREEBSD:FreeBSD-SA-20:33.openssl>`__ 
+* src: fix OpenSSL NULL pointer de-reference `[4] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:33.openssl.asc>`__ 
 * src: fix AES-CCM requests with an AAD size smaller than a single block
 * src: introduce HARDEN_KLD to ensure DTrace functionality
 * src: fix partial scrub of multicast packages
diff --git a/source/releases/CE_21.7.rst b/source/releases/CE_21.7.rst
index 05dd9228..8c229bd2 100644
--- a/source/releases/CE_21.7.rst
+++ b/source/releases/CE_21.7.rst
@@ -68,9 +68,9 @@ Here are the full patch notes:
 * plugins: os-telegraf 1.12.4 `[5] <https://github.com/opnsense/plugins/blob/stable/21.7/net-mgmt/telegraf/pkg-descr>`__ 
 * plugins: os-wireguard 1.10 `[6] <https://github.com/opnsense/plugins/blob/stable/21.7/net/wireguard/pkg-descr>`__ 
 * src: axgbe: validate contents of gpio expander
-* src: incorrect XSAVE state size `[7] <FREEBSD:FreeBSD-EN-22:02.xsave>`__ 
-* src: vPCI compatibility improvements with certain Hyper-V releases `[8] <FREEBSD:FreeBSD-EN-22:03.hyperv>`__ 
-* src: vt console buffer overflow `[9] <FREEBSD:FreeBSD-SA-22:01.vt>`__ 
+* src: incorrect XSAVE state size `[7] <https://www.freebsd.org/security/advisories/FreeBSD-EN-22:02.xsave.asc>`__ 
+* src: vPCI compatibility improvements with certain Hyper-V releases `[8] <https://www.freebsd.org/security/advisories/FreeBSD-EN-22:03.hyperv.asc>`__ 
+* src: vt console buffer overflow `[9] <https://www.freebsd.org/security/advisories/FreeBSD-SA-22:01.vt.asc>`__ 
 * ports: expat 2.4.2 `[10] <https://github.com/libexpat/libexpat/blob/R_2_4_2/expat/Changes>`__ 
 * ports: filterlog 0.6 `[11] <https://github.com/opnsense/ports/commit/2e27655d84>`__ 
 * ports: flock 2.37.2
@@ -254,8 +254,8 @@ Here are the full patch notes for version 21.7.5:
 * plugins: os-wireguard 1.8 `[12] <https://github.com/opnsense/plugins/blob/stable/21.7/net/wireguard/pkg-descr>`__ 
 * src: axgbe: correctly enable RSS driver support by default
 * src: ixgbe: prevent subsequent I2C bus read timeouts
-* src: fix kernel panic in vmci driver initialization `[13] <FREEBSD:FreeBSD-EN-21:28.vmci>`__ 
-* src: timezone database information update `[14] <FREEBSD:FreeBSD-EN-21:29.tzdata>`__ 
+* src: fix kernel panic in vmci driver initialization `[13] <https://www.freebsd.org/security/advisories/FreeBSD-EN-21:28.vmci.asc>`__ 
+* src: timezone database information update `[14] <https://www.freebsd.org/security/advisories/FreeBSD-EN-21:29.tzdata.asc>`__ 
 * ports: lighttpd 1.4.61 `[15] <https://www.lighttpd.net/2021/10/28/1.4.61/>`__ 
 * ports: nss 3.72 `[16] <https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_72.html>`__ 
 * ports: openssh 8.8p1 `[17] <https://www.openssh.com/txt/release-8.8>`__ 
@@ -471,10 +471,10 @@ Here are the full patch notes:
 * src: lib: add libnetmap and related patches
 * src: dhclient: skip_to_semi() consumes semicolon already
 * src: rtsold: slightly change address read
-* src: fix missing error handling in bhyve(8) device models `[3] <FREEBSD:FreeBSD-SA-21:13.bhyve>`__ 
-* src: fix remote code execution in ggatec(8) `[4] <FREEBSD:FreeBSD-SA-21:14.ggatec>`__ 
-* src: fix libfetch out of bounds read `[5] <FREEBSD:FreeBSD-SA-21:15.libfetch>`__ 
-* src: fix multiple OpenSSL vulnerabilities `[6] <FREEBSD:FreeBSD-SA-21:16.openssl>`__  `[7] <FREEBSD:FreeBSD-SA-21:17.openssl>`__ 
+* src: fix missing error handling in bhyve(8) device models `[3] <https://www.freebsd.org/security/advisories/FreeBSD-SA-21:13.bhyve.asc>`__ 
+* src: fix remote code execution in ggatec(8) `[4] <https://www.freebsd.org/security/advisories/FreeBSD-SA-21:14.ggatec.asc>`__ 
+* src: fix libfetch out of bounds read `[5] <https://www.freebsd.org/security/advisories/FreeBSD-SA-21:15.libfetch.asc>`__ 
+* src: fix multiple OpenSSL vulnerabilities `[6] <https://www.freebsd.org/security/advisories/FreeBSD-SA-21:16.openssl.asc>`__  `[7] <https://www.freebsd.org/security/advisories/FreeBSD-SA-21:17.openssl.asc>`__ 
 * ports: ifinfo 13.0
 * ports: libressl 3.3.4 `[8] <https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.3.4-relnotes.txt>`__ 
 * ports: nss 3.69 `[9] <https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_69.html>`__ 
@@ -684,8 +684,8 @@ Here are the full patch notes:
 * src: FreeBSD updates for Intel e1000, ixgbe and ixl drivers
 * src: compatibility shim for upcoming rtsold "-M" command line option
 * src: separately log NAT and firewall rules in pf(4)
-* src: libcasper: fix descriptors numbers `[12] <FREEBSD:EN-21:19.libcasper>`__ 
-* src: linux: prevent integer overflow in futex_requeue `[13] <FREEBSD:EN-21:22.linux_futex>`__ 
+* src: libcasper: fix descriptors numbers `[12] <https://www.freebsd.org/security/advisories/EN-21:19.libcasper.asc>`__ 
+* src: linux: prevent integer overflow in futex_requeue `[13] <https://www.freebsd.org/security/advisories/EN-21:22.linux_futex.asc>`__ 
 * src: axgbe: make sure driver works on V1000 platform and remove unnecessary reset
 * ports: drop hardening options to ease migration to FreeBSD ports tree
 * ports: clog 1.0.2 fixes garbage header write on init
@@ -778,8 +778,8 @@ Here are the full patch notes:
 * plugins: os-tor Phalcon 4 fix
 * plugins: os-zabbix-agent 1.9 `[4] <https://github.com/opnsense/plugins/blob/stable/21.7/net-mgmt/zabbix-agent/pkg-descr>`__ 
 * src: separately log NAT and firewall rules in pf(4)
-* src: libcasper: fix descriptors numbers `[5] <FREEBSD:EN-21:19.libcasper>`__ 
-* src: linux: prevent integer overflow in futex_requeue `[6] <FREEBSD:EN-21:22.linux_futex>`__ 
+* src: libcasper: fix descriptors numbers `[5] <https://www.freebsd.org/security/advisories/EN-21:19.libcasper.asc>`__ 
+* src: linux: prevent integer overflow in futex_requeue `[6] <https://www.freebsd.org/security/advisories/EN-21:22.linux_futex.asc>`__ 
 * ports: clog 1.0.2 fixes garbage header write on init
 * ports: php 7.4.21 `[7] <https://www.php.net/ChangeLog-7.php#7.4.21>`__ 
 * ports: suricata 5.0.7 `[8] <https://redmine.openinfosecfoundation.org/versions/166>`__ 
diff --git a/source/releases/CE_22.1.rst b/source/releases/CE_22.1.rst
index 68ce4365..f819b50d 100644
--- a/source/releases/CE_22.1.rst
+++ b/source/releases/CE_22.1.rst
@@ -314,12 +314,12 @@ Here are the full patch notes:
 * plugins: os-acme-client 3.9 `[1] <https://github.com/opnsense/plugins/blob/stable/22.1/security/acme-client/pkg-descr>`__ 
 * plugins: os-chrony 1.5 `[2] <https://github.com/opnsense/plugins/blob/stable/22.1/net/chrony/pkg-descr>`__ 
 * plugins: os-ddclient 1.5 `[3] <https://github.com/opnsense/plugins/blob/stable/22.1/dns/ddclient/pkg-descr>`__ 
-* src: pf(4) tables may fail to load `[4] <FREEBSD:FreeBSD-EN-22:15.pf>`__ 
-* src: potential jail escape vulnerabilities in netmap `[5] <FREEBSD:FreeBSD-SA-22:04.netmap>`__ 
-* src: bhyve e82545 device emulation out-of-bounds write `[6] <FREEBSD:FreeBSD-SA-22:05.bhyve>`__ 
-* src: mpr/mps/mpt driver ioctl heap out-of-bounds write `[7] <FREEBSD:FreeBSD-SA-22:06.ioctl>`__ 
-* src: 802.11 heap buffer overflow `[8] <FREEBSD:FreeBSD-SA-22:07.wifi_meshid>`__ 
-* src: zlib compression out-of-bounds write `[9] <FREEBSD:FreeBSD-SA-22:08.zlib>`__ 
+* src: pf(4) tables may fail to load `[4] <https://www.freebsd.org/security/advisories/FreeBSD-EN-22:15.pf.asc>`__ 
+* src: potential jail escape vulnerabilities in netmap `[5] <https://www.freebsd.org/security/advisories/FreeBSD-SA-22:04.netmap.asc>`__ 
+* src: bhyve e82545 device emulation out-of-bounds write `[6] <https://www.freebsd.org/security/advisories/FreeBSD-SA-22:05.bhyve.asc>`__ 
+* src: mpr/mps/mpt driver ioctl heap out-of-bounds write `[7] <https://www.freebsd.org/security/advisories/FreeBSD-SA-22:06.ioctl.asc>`__ 
+* src: 802.11 heap buffer overflow `[8] <https://www.freebsd.org/security/advisories/FreeBSD-SA-22:07.wifi_meshid.asc>`__ 
+* src: zlib compression out-of-bounds write `[9] <https://www.freebsd.org/security/advisories/FreeBSD-SA-22:08.zlib.asc>`__ 
 * ports: curl 7.82.0 `[10] <https://curl.se/changes.html#7_82_0>`__ 
 * ports: expat 2.4.8 `[11] <https://github.com/libexpat/libexpat/blob/R_2_4_8/expat/Changes>`__ 
 * ports: libxml 2.9.13 `[12] <http://www.xmlsoft.org/news.html>`__ 
@@ -366,8 +366,8 @@ Here are the full patch notes:
 * plugins: os-ddclient 1.4 `[1] <https://github.com/opnsense/plugins/blob/stable/22.1/dns/ddclient/pkg-descr>`__ 
 * plugins: os-theme-cicada 1.29
 * plugins: os-theme-vicuna 1.41
-* src: openssl: fix a bug in BN_mod_sqrt() that can cause it to loop forever `[2] <FREEBSD:FreeBSD-SA-22:03.openssl>`__ 
-* src: zfs: fix handling of errors from dmu_write_uio_dbuf() `[3] <FREEBSD:FreeBSD-EN-22:10.zfs>`__ 
+* src: openssl: fix a bug in BN_mod_sqrt() that can cause it to loop forever `[2] <https://www.freebsd.org/security/advisories/FreeBSD-SA-22:03.openssl.asc>`__ 
+* src: zfs: fix handling of errors from dmu_write_uio_dbuf() `[3] <https://www.freebsd.org/security/advisories/FreeBSD-EN-22:10.zfs.asc>`__ 
 * src: debugnet: remove spurious message on boot
 * ports: ca_root_nss fix for faulty upstream file linking
 * ports: libressl 3.3.6 `[4] <https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.3.6-relnotes.txt>`__ 
diff --git a/source/releases/CE_22.7.rst b/source/releases/CE_22.7.rst
index b60d882e..58375578 100644
--- a/source/releases/CE_22.7.rst
+++ b/source/releases/CE_22.7.rst
@@ -146,7 +146,7 @@ Here are the full patch notes:
 * plugins: os-wireguard now attempts to start tunnels again when all DNS is configured
 * src: ixgbe: workaround errata about UDP frames with zero checksum
 * src: hpet: Allow a MMIO window smaller than 1K
-* src: ping: fix handling of IP packet sizes `[3] <FREEBSD:FreeBSD-SA-22:15.ping>`__ 
+* src: ping: fix handling of IP packet sizes `[3] <https://www.freebsd.org/security/advisories/FreeBSD-SA-22:15.ping.asc>`__ 
 * ports: php 8.0.26 `[4] <https://www.php.net/ChangeLog-8.php#8.0.26>`__ 
 * ports: sqlite 3.40.0 `[5] <https://sqlite.org/releaselog/3_40_0.html>`__ 
 * ports: suricata 6.0.9 `[6] <https://suricata.io/2022/11/29/suricata-6-0-9-released/>`__ 
@@ -268,12 +268,12 @@ Here are the full patch notes:
 * plugins: os-wireguard 1.13 `[8] <https://github.com/opnsense/plugins/blob/stable/22.7/net/wireguard/pkg-descr>`__ 
 * src: revert "e1000: try auto-negotiation for fixed 100 or 10 configuration"
 * src: vxlan: check the size of data available in mbuf before using them
-* src: vm_page: fix a logic error in the handling of PQ_ACTIVE operations `[9] <FREEBSD:FreeBSD-EN-22:23.vm>`__ 
-* src: cam: provide compatibility for CAMGETPASSTHRU for periph drivers `[10] <FREEBSD:FreeBSD-EN-22:26.cam>`__ 
-* src: loader: fix elf lookup_symbol type filtering `[11] <FREEBSD:FreeBSD-EN-22:27.loader>`__ 
-* src: zfs: fix a pair of bugs in zfs_fhtovp() `[12] <FREEBSD:FreeBSD-EN-22:24.zfs>`__ 
-* src: zfs: fix use-after-free in btree code `[13] <FREEBSD:FreeBSD-EN-22:21.zfs>`__ 
-* src: tcp: finish SACK loss recovery on sudden lack of SACK blocks `[14] <FREEBSD:FreeBSD-EN-22:25.tcp>`__ 
+* src: vm_page: fix a logic error in the handling of PQ_ACTIVE operations `[9] <https://www.freebsd.org/security/advisories/FreeBSD-EN-22:23.vm.asc>`__ 
+* src: cam: provide compatibility for CAMGETPASSTHRU for periph drivers `[10] <https://www.freebsd.org/security/advisories/FreeBSD-EN-22:26.cam.asc>`__ 
+* src: loader: fix elf lookup_symbol type filtering `[11] <https://www.freebsd.org/security/advisories/FreeBSD-EN-22:27.loader.asc>`__ 
+* src: zfs: fix a pair of bugs in zfs_fhtovp() `[12] <https://www.freebsd.org/security/advisories/FreeBSD-EN-22:24.zfs.asc>`__ 
+* src: zfs: fix use-after-free in btree code `[13] <https://www.freebsd.org/security/advisories/FreeBSD-EN-22:21.zfs.asc>`__ 
+* src: tcp: finish SACK loss recovery on sudden lack of SACK blocks `[14] <https://www.freebsd.org/security/advisories/FreeBSD-EN-22:25.tcp.asc>`__ 
 * src: igc: remove unnecessary PHY ID checks
 * src: ixl: add support for I710 devices and remove non-inclusive language
 * src: ixl: fix SR-IOV panics
@@ -518,8 +518,8 @@ Here are the full patch notes:
 * plugins: os-zabbix-agent 1.13 `[3] <https://github.com/opnsense/plugins/blob/stable/22.7/net-mgmt/zabbix-agent/pkg-descr>`__ 
 * plugins: os-zabbix-proxy 1.9 `[4] <https://github.com/opnsense/plugins/blob/stable/22.7/net-mgmt/zabbix-proxy/pkg-descr>`__ 
 * src: rc: improve NAME_setup integration
-* src: zlib: fix a bug when getting a gzip header extra field with inflate() `[5] <FREEBSD:FreeBSD-SA-22:13.zlib>`__ 
-* src: tzdata: import tzdata 2022b and 2022c `[6] <FREEBSD:FreeBSD-EN-22:20.tzdata>`__ 
+* src: zlib: fix a bug when getting a gzip header extra field with inflate() `[5] <https://www.freebsd.org/security/advisories/FreeBSD-SA-22:13.zlib.asc>`__ 
+* src: tzdata: import tzdata 2022b and 2022c `[6] <https://www.freebsd.org/security/advisories/FreeBSD-EN-22:20.tzdata.asc>`__ 
 * ports: ldns 1.8.3 `[7] <https://raw.githubusercontent.com/NLnetLabs/ldns/1.8.3/Changelog>`__ 
 * ports: liblz4 1.9.4
 * ports: libxml 2.10.1 `[8] <http://www.xmlsoft.org/news.html>`__ 
@@ -565,12 +565,12 @@ Here are the full patch notes:
 * plugins: os-haproxy 3.11 `[4] <https://github.com/opnsense/plugins/blob/stable/22.7/net/haproxy/pkg-descr>`__ 
 * plugins: os-git-backup hides SSH keys by default
 * plugins: os-postfix disables GSSAPI for the time being `[5] <https://github.com/opnsense/plugins/blob/stable/22.7/mail/postfix/pkg-descr>`__ 
-* src: lib9p: remove potential buffer overwrite in l9p_puqids() `[6] <FREEBSD:FreeBSD-SA-22:12.lib9p>`__ 
-* src: vm_fault: shoot down shared mappings in vm_fault_copy_entry() `[7] <FREEBSD:FreeBSD-SA-22:11.vm>`__ 
-* src: elf_note_prpsinfo: handle more failures from proc_getargv() `[8] <FREEBSD:FreeBSD-SA-22:09.elf>`__ 
-* src: pam_exec: fix segfault when authtok is null `[9] <FREEBSD:FreeBSD-EN-22:19.pam_exec>`__ 
-* src: kevent: fix an off-by-one in filt_timerexpire_l() `[10] <FREEBSD:FreeBSD-EN-22:16.kqueue>`__ 
-* src: cam: leep periph_links when restoring CCB in camperiphdone() `[11] <FREEBSD:FreeBSD-EN-22:17.cam>`__ 
+* src: lib9p: remove potential buffer overwrite in l9p_puqids() `[6] <https://www.freebsd.org/security/advisories/FreeBSD-SA-22:12.lib9p.asc>`__ 
+* src: vm_fault: shoot down shared mappings in vm_fault_copy_entry() `[7] <https://www.freebsd.org/security/advisories/FreeBSD-SA-22:11.vm.asc>`__ 
+* src: elf_note_prpsinfo: handle more failures from proc_getargv() `[8] <https://www.freebsd.org/security/advisories/FreeBSD-SA-22:09.elf.asc>`__ 
+* src: pam_exec: fix segfault when authtok is null `[9] <https://www.freebsd.org/security/advisories/FreeBSD-EN-22:19.pam_exec.asc>`__ 
+* src: kevent: fix an off-by-one in filt_timerexpire_l() `[10] <https://www.freebsd.org/security/advisories/FreeBSD-EN-22:16.kqueue.asc>`__ 
+* src: cam: leep periph_links when restoring CCB in camperiphdone() `[11] <https://www.freebsd.org/security/advisories/FreeBSD-EN-22:17.cam.asc>`__ 
 * src: pfctl: fix FOM_ICMP/POM_STICKYADDRESS clash
 * src: restrict default /root permissions to 750
 * src: rc: add ${name}_setup script support
diff --git a/source/releases/CE_23.1.rst b/source/releases/CE_23.1.rst
index cd021345..ba6413ed 100644
--- a/source/releases/CE_23.1.rst
+++ b/source/releases/CE_23.1.rst
@@ -57,10 +57,10 @@ Here are the full patch notes:
 * plugins: os-zabbix-proxy plugin variant for Zabbix 6.4
 * src: axgbe: account for 4 SFP ports during GPIO expander check
 * src: ipsec: make algorithm tables read-only
-* src: mpr: fix copying of event_mask `[1] <FREEBSD:FreeBSD-EN-23:07.mpr>`__ 
-* src: pam_krb5: fix spoofing vulnerability `[2] <FREEBSD:FreeBSD-SA-23:04.pam_krb5>`__ 
-* src: loader: comconsole: do not unconditionally wipe out hw.uart.console `[3] <FREEBSD:FreeBSD-EN-23:06.loader>`__ 
-* src: contrib/tzdata: import tzdata 2023c `[4] <FREEBSD:FreeBSD-EN-23:05.tzdata>`__ 
+* src: mpr: fix copying of event_mask `[1] <https://www.freebsd.org/security/advisories/FreeBSD-EN-23:07.mpr.asc>`__ 
+* src: pam_krb5: fix spoofing vulnerability `[2] <https://www.freebsd.org/security/advisories/FreeBSD-SA-23:04.pam_krb5.asc>`__ 
+* src: loader: comconsole: do not unconditionally wipe out hw.uart.console `[3] <https://www.freebsd.org/security/advisories/FreeBSD-EN-23:06.loader.asc>`__ 
+* src: contrib/tzdata: import tzdata 2023c `[4] <https://www.freebsd.org/security/advisories/FreeBSD-EN-23:05.tzdata.asc>`__ 
 * src: ixgbe: change if condition for RSS and rxcsum
 * src: pf: fix pf_nv##_array() size check
 * src: e1000: fix VLAN 0
@@ -556,7 +556,7 @@ Here are the full patch notes:
 * plugins: os-theme-cicada 1.33 (contributed by Team Rebellion)
 * plugins: os-theme-tukan 1.26 (contributed by Team Rebellion)
 * plugins: os-theme-vicuna 1.44 (contributed by Team Rebellion)
-* src: fix multiple OpenSSL vulnerabilities `[4] <FREEBSD:FreeBSD-SA-23:03.openssl>`__ 
+* src: fix multiple OpenSSL vulnerabilities `[4] <https://www.freebsd.org/security/advisories/FreeBSD-SA-23:03.openssl.asc>`__ 
 * src: pfsync: support deferring IPv6 packets
 * src: pfsync: add missing bucket lock
 * src: pfsync: ensure 'error' is always initialised
@@ -637,10 +637,10 @@ Here are the full patch notes:
 * plugins: os-qemu-guest-agent 1.2 `[3] <https://github.com/opnsense/plugins/blob/stable/23.1/emulators/qemu-guest-agent/pkg-descr>`__ 
 * plugins: os-tayga fixes MVC interface registration
 * plugins: os-wireguard fixes MVC interface registration
-* src: geli: split the initalization of HMAC `[4] <FREEBSD:FreeBSD-SA-23:01.geli>`__ 
-* src: fix ena driver crash after reset in 7th gen AWS instance types `[5] <FREEBSD:FreeBSD-EN-23:03.ena>`__ 
-* src: fix sdhci broken write-protect settings `[6] <FREEBSD:FreeBSD-EN-23:02.sdhci>`__ 
-* src: import tzdata 2022g `[7] <FREEBSD:FreeBSD-EN-23:01.tzdata>`__ 
+* src: geli: split the initalization of HMAC `[4] <https://www.freebsd.org/security/advisories/FreeBSD-SA-23:01.geli.asc>`__ 
+* src: fix ena driver crash after reset in 7th gen AWS instance types `[5] <https://www.freebsd.org/security/advisories/FreeBSD-EN-23:03.ena.asc>`__ 
+* src: fix sdhci broken write-protect settings `[6] <https://www.freebsd.org/security/advisories/FreeBSD-EN-23:02.sdhci.asc>`__ 
+* src: import tzdata 2022g `[7] <https://www.freebsd.org/security/advisories/FreeBSD-EN-23:01.tzdata.asc>`__ 
 * src: ipsec: clear pad bytes in PF_KEY messages
 * src: fib_algo: set vnet when destroying algo instance
 * src: if_ipsec: handle situations where there are no policy or SADB entry for if
diff --git a/source/releases/CE_23.7.rst b/source/releases/CE_23.7.rst
index 2d0ee838..6d8ea593 100644
--- a/source/releases/CE_23.7.rst
+++ b/source/releases/CE_23.7.rst
@@ -62,17 +62,17 @@ Here are the full patch notes:
 * plugins: os-upnp now reloads on newwanip event
 * plugins: os-wireguard fix for missing firewall reload
 * plugins: os-wireguard-go fix for device registration
-* src: clang: sanitizer failure with ASLR enabled `[3] <FREEBSD:FreeBSD-EN-23:15.sanitizer>`__ 
+* src: clang: sanitizer failure with ASLR enabled `[3] <https://www.freebsd.org/security/advisories/FreeBSD-EN-23:15.sanitizer.asc>`__ 
 * src: dhclient: do not add 0.0.0.0 interface alias
 * src: ice: match irdma interface changes
 * src: ixv: separate VFTA table for each interface
 * src: libnetmap: better fix for port parsing failure
 * src: pf: expose more syncookie state information to userspace
 * src: pf: fix mem leaks upon vnet destroy
-* src: pf: remove incorrect fragmentation check `[4] <FREEBSD:FreeBSD-SA-23:17.pf>`__ 
+* src: pf: remove incorrect fragmentation check `[4] <https://www.freebsd.org/security/advisories/FreeBSD-SA-23:17.pf.asc>`__ 
 * src: rc: fix restart _precmd issue with _setup
 * src: re: add support for 8168FP HW rev
-* src: zfs: check dnode and its data for dirtiness in dnode_is_dirty() `[5] <FREEBSD:FreeBSD-EN-23:16.openzfs>`__ 
+* src: zfs: check dnode and its data for dirtiness in dnode_is_dirty() `[5] <https://www.freebsd.org/security/advisories/FreeBSD-EN-23:16.openzfs.asc>`__ 
 * ports: perl 5.36.3 `[6] <https://perldoc.perl.org/5.36.3/perldelta>`__ 
 * ports: php 8.2.13 `[7] <https://www.php.net/ChangeLog-8.php#8.3.13>`__ 
 * ports: phpseclib 3.0.34 `[8] <https://github.com/phpseclib/phpseclib/releases/tag/3.0.34>`__ 
@@ -203,11 +203,11 @@ Here are the full patch notes:
 * plugins: os-wireguard 2.5 `[3] <https://github.com/opnsense/plugins/blob/stable/23.7/net/wireguard/pkg-descr>`__ 
 * src: pfctl: fix incorrect mask on dynamic address
 * src: libpfctl: assorted improvements
-* src: msdosfs: zero partially valid extended cluster `[4] <FREEBSD:FreeBSD-SA-23:12.msdosfs>`__ 
-* src: copy_file_range: require CAP_SEEK capability `[5] <FREEBSD:FreeBSD-SA-23:13.capsicum>`__ 
-* src: fflush: correct buffer handling in __sflush `[6] <FREEBSD:FreeBSD-SA-23:15.stdio>`__ 
-* src: cap_net: correct capability name from addr2name to name2addr `[7] <FREEBSD:FreeBSD-SA-23:16.cap_net>`__ 
-* src: regcomp: use unsigned char when testing for escapes `[8] <FREEBSD:FreeBSD-EN-23:14.regcomp>`__ 
+* src: msdosfs: zero partially valid extended cluster `[4] <https://www.freebsd.org/security/advisories/FreeBSD-SA-23:12.msdosfs.asc>`__ 
+* src: copy_file_range: require CAP_SEEK capability `[5] <https://www.freebsd.org/security/advisories/FreeBSD-SA-23:13.capsicum.asc>`__ 
+* src: fflush: correct buffer handling in __sflush `[6] <https://www.freebsd.org/security/advisories/FreeBSD-SA-23:15.stdio.asc>`__ 
+* src: cap_net: correct capability name from addr2name to name2addr `[7] <https://www.freebsd.org/security/advisories/FreeBSD-SA-23:16.cap_net.asc>`__ 
+* src: regcomp: use unsigned char when testing for escapes `[8] <https://www.freebsd.org/security/advisories/FreeBSD-EN-23:14.regcomp.asc>`__ 
 * ports: lighttpd 1.4.73 `[9] <https://www.lighttpd.net/2023/10/30/1.4.73/>`__ 
 * ports: php 8.2.12 `[10] <https://www.php.net/ChangeLog-8.php#8.2.12>`__ 
 * ports: squid 6.5 `[11] <http://www.squid-cache.org/Versions/v6/squid-6.5-RELEASENOTES.html>`__ 
@@ -529,8 +529,8 @@ Here are the full patch notes:
 * src: iflib: fix white space and reduce some line lengths
 * src: ixgbe: define IXGBE_LE32_TO_CPUS
 * src: ixgbe: check for fw_recovery
-* src: net80211: fail for unicast traffic without unicast key `[4] <FREEBSD:FreeBSD-SA-23:11.wifi>`__ 
-* src: pcib: allocate the memory BAR with the MSI-X table `[5] <FREEBSD:FreeBSD-EN-23:10.pci>`__ 
+* src: net80211: fail for unicast traffic without unicast key `[4] <https://www.freebsd.org/security/advisories/FreeBSD-SA-23:11.wifi.asc>`__ 
+* src: pcib: allocate the memory BAR with the MSI-X table `[5] <https://www.freebsd.org/security/advisories/FreeBSD-EN-23:10.pci.asc>`__ 
 * ports: php 8.2.10 `[6] <https://www.php.net/ChangeLog-8.php#8.2.10>`__ 
 * ports: python 3.9.18 `[7] <https://docs.python.org/release/3.9.18/whatsnew/changelog.html>`__ 
 * ports: unbound 1.18.0 `[8] <https://nlnetlabs.nl/projects/unbound/download/#unbound-1-18-0>`__ 
@@ -677,8 +677,8 @@ Here are the full patch notes:
 * mvc: fix empty item selection issue in BaseListField
 * plugins: os-ddclient 1.14 `[1] <https://github.com/opnsense/plugins/blob/stable/23.7/dns/ddclient/pkg-descr>`__ 
 * plugins: os-acme-client 3.19 `[2] <https://github.com/opnsense/plugins/blob/stable/23.7/security/acme-client/pkg-descr>`__ 
-* src: bhyve: fully reset the fwctl state machine if the guest requests a reset `[3] <FREEBSD:FreeBSD-SA-23:07.bhyve>`__ 
-* src: frag6: avoid a possible integer overflow in fragment handling `[4] <FREEBSD:FreeBSD-SA-23:06.ipv6>`__ 
+* src: bhyve: fully reset the fwctl state machine if the guest requests a reset `[3] <https://www.freebsd.org/security/advisories/FreeBSD-SA-23:07.bhyve.asc>`__ 
+* src: frag6: avoid a possible integer overflow in fragment handling `[4] <https://www.freebsd.org/security/advisories/FreeBSD-SA-23:06.ipv6.asc>`__ 
 * src: amdtemp: Fix missing 49 degree offset on current EPYC CPUs
 * src: libpfctl: ensure the initial allocation is large enough
 * src: pf: handle multiple IPv6 fragment headers