gistfile1.txt

diff --git a/Mk/bsd.port.mk b/Mk/bsd.port.mk
index 1903c44e7b63..2de8869a2113 100644
--- a/Mk/bsd.port.mk
+++ b/Mk/bsd.port.mk
@@ -5337,7 +5337,7 @@ _STAGE_SEQ=		050:stage-message 100:stage-dir 150:run-depends \
 				200:apply-slist 300:pre-install \
 				400:generate-plist 450:pre-su-install 475:create-users-groups \
 				500:do-install 550:kmod-post-install 600:fixup-lib-pkgconfig 700:post-install \
-				750:post-install-script 800:post-stage 850:compress-man \
+				750:post-install-script 800:post-stage 825:fixup-mitigations 850:compress-man \
 				860:install-rc-script 870:install-ldconfig-file \
 				880:install-license 890:install-desktop-entries \
 				900:add-plist-info 910:add-plist-docs 920:add-plist-examples \
@@ -5364,6 +5364,14 @@ _PACKAGE_SEQ=	100:package-message 300:pre-package 450:pre-package-script \
 				500:do-package 850:post-package-script \
 				${_OPTIONS_package} ${_USES_package}
 
+fixup-mitigations:
+.for _file in ${PAGEEXEC_DISABLE}
+		/usr/sbin/hbsdcontrol pax disable pageexec ${STAGEDIR}/${PREFIX}/${_file}
+.endfor
+.for _file in ${MPROTECT_DISABLE}
+		/usr/sbin/hbsdcontrol pax disable mprotect ${STAGEDIR}/${PREFIX}/${_file}
+.endfor
+
 # Enforce order for -jN builds
 .for _t in ${_TARGETS_STAGES}
 # Check if the port need to change the default order of some targets...
diff --git a/shells/zsh/Makefile b/shells/zsh/Makefile
index dc9a546fce2f..eca8d40ea64c 100644
--- a/shells/zsh/Makefile
+++ b/shells/zsh/Makefile
@@ -21,6 +21,7 @@ LICENSE_PERMS=	dist-mirror dist-sell pkg-mirror pkg-sell auto-accept
 MAKE_JOBS_UNSAFE=	yes
 
 USE_HARDENING=	safestack
+PAGEEXEC_DISABLE=	bin/zsh
 
 USES=		autoreconf iconv ncurses shebangfix tar:xz