portaudit-db 0.2.3 security =16

Creates a portaudit database from a current ports tree
Was Maintained by: secteam@FreeBSD.org
Port Added: 12 Jun 2004 23:47:08

---

---

In contrast to security/portaudit, which is designed to be an
install-and-forget solution, portaudit-db requires a current
ports tree and generates a database that can be used locally
or distributed over a network.

Furthermore committers that want to add entries to the VuXML
database may use this port to check their changes locally.
It also features a file `database/portaudit.txt' where UUIDs
for vulnerabilities can be allocated before they have been
investigated thoroughly and moved to the VuXML database by
the security officer team.

Call `packaudit' after upgrading your ports tree.

WWW: http://people.freebsd.org/~eik/portaudit/
Oliver Eikemeier <eik@FreeBSD.org>

CVSWeb : Main Web Site : Distfiles Availability : PortsMon

---

Required To Run: textproc/libxslt

---

No installation instructions: this port has been deleted.

The package name of this deleted port was: portaudit-db

---

Configuration Options

     No options to configure

---

Master Sites:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/

• port moved to ports-mgmt/portaudit-db on 2007-02-05
  REASON: Moved to a new category
  

Populate a new ports-mgmt category. List of moved ports:

  devel/portcheckout -> ports-mgmt/portcheckout
  devel/portlint -> ports-mgmt/portlint
  devel/portmk -> ports-mgmt/portmk
  devel/porttools -> ports-mgmt/porttools
  misc/instant-tinderbox -> ports-mgmt/instant-tinderbox
  misc/porteasy -> ports-mgmt/porteasy
  misc/portell -> ports-mgmt/portell
  misc/portless -> ports-mgmt/portless
  misc/tinderbox -> ports-mgmt/tinderbox
  security/jailaudit -> ports-mgmt/jailaudit
  security/portaudit -> ports-mgmt/portaudit
  security/portaudit-db -> ports-mgmt/portaudit-db
  security/vulnerability-test-port -> ports-mgmt/vulnerability-test-port

Change MAINTAINER address for ports maintained by the Security Team to
secteam@ instead of security@ to make it more clear that the ports are
not maintained by the freebsd-security@ mailing list.  Both addresses
go to the same people.

- Set maintainership to security@.

Suggested by:   nectar, remko

Grab maintainer-ship of portaudit.  While I do not currently have any
plans for improvements (though I have ideas) I feel that portaudit is
too important to not have an active maintainer.

Approved by:    portmgr (linimon)

Document Horde's XSS vulnerabilities.

Approved by:    portmgr (krion).

Create a VuXML entry for Horde XSS help window vulnerability to replace
the portaudit-db entry.

Add an entry for a vulnerability fixed in horde-2.2.7.

Add entries for vulnerabilites in imported xpdf code in kdegraphics
and koffice.

Add an entry for a XSS vulnerability fixed in IMP-3.2.6.

- star-devel: privilege escalation
- multi-gnome-terminal: information leak
- usermin: remote shell command injection and insecure installation
- mpg123: layer 2 decoder buffer overflow

Approved by:    portmgr (implicit)

- XSS vulnerability in phpGroupWare wiki module
- add some references

Approved by:    portmgr (implicit)

multiple vulnerabilities in LHA

grrrr... left the test case intact

- add some references
- extend ImageMagick entry
- squid ntlm authentication helper DoS
- multiple vpopmail vulnerabilities
- first attempts to check the base system for vulnerabilities:
  + cvs server code
  + zlib DoS
- BSD license portaudit.xml

samba printer change notification request DoS

add some references, add ru-gaim

multiple vulnerabilities in gaim

security bug in rscsi client code

Submitted by:   marius

Document NSS SSLv2 server buffer overflow (already referenced in
portaudit.txt).

Document ripMIME decoding bug (already referenced in portaudit.txt).

Argh. Duplicate entry for "Scorched 3D server chat box format string
vulnerabilty"

Mozilla / NSS S/MIME DoS vulnerability & Scorched 3D server chat box format
string vulnerability

Note sanitize_path bug in rsync (already referenced in portaudit.txt).

Document buffer overflows in SoX (already referenced in portaudit.txt).

Document cookie bug in Konqueror (already referenced in portaudit.txt).

Remove libxine issue which is now documented in the FreeBSD VuXML
document.

Reminded by:    eik

nss library SSL remote buffer overflow

multiple buffer overflows in xv

Konqueror cross-domain cookie injection

handle some duplicates

a2ps: Possible execution of shell commands as local user.

correct topic of eda0ade6-f281-11d8-81b0-000347a4fa7d

QT 3.x BMP (and possibly other graphics formats) heap-based overflow

potential security flaws in mod_ssl

move a800386e-ef7e-11d8-81b0-000347a4fa7d to xml

ruby CGI::Session insecure file creation

multiple phpGroupWare vulnerabilities

phpGedView, jftpgw

apply xlist not to the own files

fix some vuxml duplicates, add sympa unauthorized list creation

Add another entry for kdelibs3 due to another missed patch.

Correct entries for recent kde vuln's and add new entry for kdelibs
(3.2.3_3 didn't have all patches).

fix security hole in non-chroot rsync daemon.

 
<http://www.freebsd.org/ports/portaudit/2689f4cb-ec4c-11d8-9440-000347a4fa7d.html>

9fb5bb32-d6fa-11d8-b479-02e0185c0b53 is a duplicate of
40800696-c3b0-11d8-864c-02e0185c0b53

f72ccf7c-e607-11d8-9b0a-000347a4fa7d is a duplicate of
6f955451-ba54-11d8-b88c-000d610a3b12, move references

Factor out all but one of the build switches of the KDE main module ports
into separate ports. The OPTIONS will remain as of yet and trigger dependencies
now, for easy transition.

Update KOffice to version 1.3.2.

Add patches to fix a number of issues, including:

- fix kxkb on Xorg
- fix kdemultimedia WITH_MPEGLIB (now mpeglib_artsplug) compilation on gcc 3.4.2
  with optimizations greater than -O

Add security related patches and entries to portaudit.txt.

libine "vcd:" input source buffer overflow

SpamAssassin DoS & cfengine authentication heap corruption

CVStrac arbitrary remote code execution

fold entry 7eded4b8-e6fe-11d8-b12f-0a001f31891a into
2de14f7a-dad9-11d8-b59a-00061bc2ad93

putty local command execution

move abe47a5a-e23c-11d8-9b0a-000347a4fa7d to vuxml, add mozilla to the list of
vulnerable ports

o Security Update to 2.2.10-ja-1.0.
o rcNG-ify obtained from net/samba3.

PR:             ports/70034
Submitted by:   NAKAJI Hiroyuki <nakaji@jp.freebsd.org> (maintainer)

add Opera "location" object write access vulnerability

move f9e3e60b-e650-11d8-9b0a-000347a4fa7d to vuxml, add mozilla to the list of
vulnerable ports

back out last commit

putty local command execution

libPNG stack-based buffer overflow and other code concerns

Acrobat Reader handling of malformed uuencoded pdf files

Squid NTLM authentication helper overflow

ripMIME attachment extraction bypass

GnuTLS certificate chain verification DoS

phpMyAdmin configuration manipulation and code injection

Register a vulnerability in mail/imp3.

This vulnerability only exists when using the Internet Explorer to
access IMP and only when using the inline MIME viewer for HTML messages.

Mozilla Firefox certificate spoofing

DansGuardian banned extension filter bypass vulnerability

add a reference to the SoX buffer overflow entry

SoX buffer overflows when handling .WAV files

LCDProc buffer overflow/format string vulnerabilities

pavuk digest auth buffer overflow

add Nessus "adduser" race condition and Dropbear DSS verification bug

l2tpd BSS-based buffer overflow

phpBB cross site scripting vulnerabilities

add subversion-perl, subversion-python

subversion access control bypass

mod_ssl format string vulnerability

Roundup directory traversal

wv library datetime field buffer overflow

multiple vulnerabilities in Bugzilla

correct vulnerable version of linux-png and add a reference

libpng row buffer overflow

add some references

move e5e2883d-ceb9-11d8-8898-000d6111a684 to vuln.xml

add some references

MySQL versions < 4.1 seem to be unaffected

Reported by:    Alexander Vasenin <blacksir@number.ru>

add MySQL server authentication bypass / buffer overflow

Mark 4aec9d58-ce7b-11d8-858d-000d610a3b12 as a duplicate of the
already existing c63936c1-caed-11d8-8898-000d6111a684.

Move phpnuke vulnerabilities to VuXML.

move "phpMyAdmin code injection" to vuxml

phpMyAdmin code injection

- SSLtelnet remote format string vulnerability
  (guys, this is a public list)

- add some references

add MIT Kerberos 5 krb5_aname_to_localname() buffer overflow

add isakmpd security association deletion vulnerability

add Apache input header folding DoS vulnerability

xine-lib RTSP handling vulnerabilities

Move MoinMoin entry to VuXML.

diversify url conversion

add portaudit2vuxml.pl to easy the migration of entries to VuXML

Add an entry for recent isc-dhcp3-server buffer overflows.
Remove the one in portaudit.txt.

Move giFT-FastTrack to VuXML.

6 vulnerabilities affecting 11 ports have been reported in the past 14 days

^* - modified, not new

All vulnerabilities