Update to 1.6.5

This is a security release by upstream, and requires configuration changes
in addition to the software update.  See UPDATING.

Reviewed by:	ports-security (zi, remko)
Approved by:	hrs (mentor, ports committer)

  Add <url></url> to references.

Submitted by:	Remko Lodder <remko@FreeBSD.org>

 Update:
   devel/subversion to 1.8.1
   devel/subversion16 to 1.7.11

 These releases fix CVE-2013-4131
 http://subversion.apache.org/security/CVE-2013-4131-advisory.txt

Approved by:	Olli Hauer <ohauer@FreeBSD.org> for devel/subversion17
Security:	CVE-2013-4131

- Update whitespace for 2fbfd455-f2d0-11e2-8a46-000d601460a4

Requested by:	remko

- Update suPHP to 0.7.2
- Document possible privilege escalation

Approved by:	maintainer timeout
Security:	2fbfd455-f2d0-11e2-8a46-000d601460a4

- change apache24 version from 2.4.5 to 2.4.6 (2.4.5 was not released)
- add http://www.apache.org/dist/httpd/Announcement2.4.html as reference

requested by remko@

- update to apache24-2.4.6
 - new modules: mod_cache_socache, mod_macro and mod_proxy_wstunnel

- add enty to vuxml

SECURITY: CVE-2013-1896 (cve.mitre.org)
 mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn with
 the source href (sent as part of the request body as XML) pointing to a
 URI that is not configured for DAV will trigger a segfault.

SECURITY: CVE-2013-2249 (cve.mitre.org)
 mod_session_dbd: Make sure that dirty flag is respected when saving
 sessions, and ensure the session ID is changed each time the session
 changes. This changes the format of the updatesession SQL statement.
 Existing configurations must be changed.

Changelog:
http://www.apache.org/dist/httpd/CHANGES_2.4.6

with hat apache@

Security:	ca4d63fb-f15c-11e2-b183-20cf30e32f6d

Document gallery3 multiple vulnerabilities.

Add missing citation

Requested by:	remko

Add two more PHP entries for issues which have already been fixed.

Update to 11.2r202.291

PR:		ports/179502
Submitted by:	Tsurutani Naoki <turutani@scphys.kyoto-u.ac.jp>

Document squid 3.x denial of service vulnerability.

Adjust version numbers for OTRS vulnerabilities

Add missing modified dates from r321329.

I had this sitting for a bit, but forgot to test & commit.

Requested by:	remko

Wrap long lines.  No content change.

Security vulnerabilities in libzrtp

Security:	04320e7d-ea66-11e2-a96e-60a44c524f57

- Document ruby vulnerability

Add vulnerability on otrs

Security:	e3e788aa-e9fd-11e2-a96e-60a44c524f57

- update to apache-2.2.25
- update vuxml with additional CVE-2013-1896 entry

Changes with Apache 2.2.25
  http://www.apache.org/dist/httpd/CHANGES_2.2.25

  *) SECURITY: CVE-2013-1896 (cve.mitre.org)
     mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn with
     the source href (sent as part of the request body as XML) pointing to a
     URI that is not configured for DAV will trigger a segfault. [Ben Reser
     <ben reser.org>]

  *) SECURITY: CVE-2013-1862 (cve.mitre.org)
     mod_rewrite: Ensure that client data written to the RewriteLog is
     escaped to prevent terminal escape sequences from entering the

Add new vulnerabilities for www/chromium < 28.0.1500.71

Obtained from:	http://googlechromereleases.blogspot.nl/

- add fix for CVE-2013-1862
- adjust vuxml

- document apache22 CVE-2013-1862 (mod_rewrite)

Update to apache22-2.2.25 is ready to commit.
Until now there is no official announcement from apache.org
so we hold the update back until we have official checksums.

Fix CVE-2013-2174 for ftp/curl with a patch from vendor for
now so that users can build the port, per popular demands
on mailing list.

The upgrade patch found in ports/172325 is currently under
exp-run.  The changes in this commit against ftp/curl can be
safely reverted before applying that patch, as it's shipped
with new curl release.

Approved by:	portmgr (miwi)

Security update to 4.0.4.1

ChangeLog:
http://sourceforge.net/projects/phpmyadmin/files/phpMyAdmin/4.0.4.1/phpMyAdmin-4.0.4.1-notes.html/view

Advisory: http://www.phpmyadmin.net/home_page/security/PMASA-2013-7.php

Security:	1b93f6fe-e1c1-11e2-948d-6805ca0b3d42

Security update for apache-xml-security-c

URL:	http://santuario.apache.org/secadv.data/CVE-2013-2210.txt
Security:	81da673e-dfe1-11e2-9389-08002798f6ff
Security:	CVE-2013-2210

- update firefox to 22.0
- update firefox-esr, thunderbird and libxul to 17.0.7
- update nspr to 4.10
- OSS support was removed upstream, only ALSA and PulseAudio are supported
  from now on.

Security:	b3fcb387-de4b-11e2-b1c6-0025905a4771
In collaboration with:	Jan Beich <jbeich@tormail.org>

VuXML: document CVE-2013-2174, heap corruption in cURL library

- Update puppet to 3.2.2 which fixes CVE-2013-3567 [1]
- Update puppet27 to 2.7.22 which fixes CVE-2013-3567
- Document security issue

PR:		ports/179816 [1]
Submitted by:	mat [1]
Security:	b162b218-c547-4ba2-ae31-6fdcb61bc763

Correct the CVE-2013-0131 entry, so that the most recent revision of
x11/nvidia-driver-304 is not mistakenly flagged as vulnerable

- fix formating of 8b97d289-d8cf-11e2-a1f5-60a44c524f57

With Hat:	ports-secteam

Add extra-validation to the validation target.

While here, test with python2 and permit the script to run with either 2 or 3.

Requested by:	delphij
With Hat:	ports-secteam

- Fix entry dates for some 'insane' dates.  In some cases a best effort was made
to guess what was meant due to either destroyed svn logs (formatting 'fixes') or
lost to time reports.

With Hat:	ports-secteam

Add an additional validation script to the vuxml port.
At this point it is not tied to the validate: target because validation fails.

Reviewed by:	simon, delphij
With Hat:	ports-secteam

Fix typo soccat -> socat

Add vulnerability on OTRS

Fix date for flashpluginwrapper.

Add entry for SA-13:06.mmap.

Security update for apache-xml-security-c.
Dependant ports, especially shibboleth2-sp, opensaml2, xmltooling
and log4shib should all be updated.

Security: CVE-2013-2156

Document Tor bug 9072

- Fix typo in dbus entry

Reported by:	Christoph Mallon <christoph.mallon@gmx.de>

Update to 1.6.12.

I'm not completly sure this affects us, but beter safe then sorry.
While here wordsmith Options description to try to make it clearer.

Security:	CVE-2013-2168

Update to 11.2r202.291

PR:		ports/179502
Submitted by:	Tsurutani Naoki <turutani@scphys.kyoto-u.ac.jp>

- Document vulnerabilities in www/owncloud

Security:	d7a43ee6-d2d5-11e2-9894-002590082ac6
Obtained from:	http://owncloud.org/about/security/advisories/

Update to 5.3.26

Security:	59e7163c-cf84-11e2-907b-0025905a4770

Match only the most recent Bind9* version in the latest vulnerability,
older versions are not affected.

Fix typo in previous revision.

Add entry for the latest Bind vulnerabilities in CVE-2013-3919.

Security upgrade to 4.0.3

Advisory: http://www.phpmyadmin.net/home_page/security/PMASA-2013-6.php

ChangeLog:
http://sourceforge.net/projects/phpmyadmin/files/phpMyAdmin/4.0.3/phpMyAdmin-4.0.3-notes.html/view

Security:	6b97436c-ce1e-11e2-9cb2-6805ca0b3d42

Update to 0.16.6.

Obtained from:	GNOME dev repo
Security:	CVE-2013-1431

Document vulnerabilities in www/chromium < 27.0.1453.110

Obtained from:	http://googlechromereleases.blogspot.nl/

- Fix build
- Ensure validation

Fix security issues in xorg client libraries.
Most libraries were updated to newer versions, in some cases patches
were backported instead.

Most notably, x11/libX11 was updated to 1.6.0

Security:	CVE-2013-1981
		CVE-2013-1982
		CVE-2013-1983
		CVE-2013-1984
		CVE-2013-1985
		CVE-2013-1986
		CVE-2013-1987
		CVE-2013-1988
		CVE-2013-1989

Update krb5 1.11.2 --> 1.11.3.

This is a bugfix release.

* Fix a UDP ping-pong vulnerability in the kpasswd (password changing)
  service.  [CVE-2002-2443]

* Improve interoperability with some Windows native PKINIT clients.

Security:	CVE-2002-2443

Update to 1.6.2

* Fix buffer overflows in fileserver and ptserver.
* Fix rare file corruption during background sync (Gerrit 8796).
* Fix corrupting clients' metadata cache during certain errors (Gerrit 6957).
* Fix cache corruption when reading from a file another client is simultaneously
writing to (Gerrit 7994).
* Fix fileservers to properly report >2 TiB partitions.

and some other less serious changes.

PR:		ports/179259
Submitted by:	Adam Nowacki <nowak@tepeserwery.pl>
Submitted by:	bjk (maintainer)
Security:	CVE-2013-1794

- Update to 2.7.4.

More info:
https://github.com/SpiderLabs/ModSecurity/blob/master/CHANGES

PR:		ports/179167
Submitted by:	ohauer@
Security:	9dfb63b8-8f36-11e2-b34d-000c2957946c

Remove duplicate optipng vulnerability.

It was separately committed in r315254, so remove the version I added
in r318453.

Reported by:	Alexander Milanov <a@amilanov.com>

Add two more URLs to openvpn's vulnerability from March 2013 (CVE-2013-2061)

Security: 92f30415-9935-11e2-ad4c-080027ef73ec

- Backport fix for CVE-2013-2061 to openvpn22 and openvpn20;
  while it is unclear whether it affects OpenSSL-builds at all.
  Let's play it safe.
- Reference CVE-2013-2061 name in OpenVPN's VuXML entry
- Mark 2.0.9_4 <= openvpn < 2.1.0 and 2.2.2_2 < openvpn < 2.3.0 not vulnerable
- Mark openvpn22 deprecated and to expire 2013-09-01.
  (openvpn20 is already marked to expire 2013-07-11.)

Security:	CVE-2013-2061
Security:	92f30415-9935-11e2-ad4c-080027ef73ec

Document passenger vulnerability.

  Update subversion ports to 1.7.10 and 1.6.23.
  It fixes 3 security issues:

    CVE-2013-1968: fsfs repository corruption caused by newline characters in
filenames
    CVE-2013-2088: contrib hook-scripts can allow arbitrary code execution
    CVE-2013-2112: svnserve remotely triggerable DoS.

Security:	CVE-2013-1968
Security:	CVE-2013-2088
Security:	CVE-2013-2112

Actually remove bitchx-devel and add a VuXML entry.

Security:	CVE-2007-4584
Security:	CVE-2007-5839
Security:	CVE-2007-5922

- Document znc null pointer dereference vulnerability.

Adjust range for socat entry.

Document socat FD leak vulnerability.

Security:	CVE-2013-3571

- Add entry for ruby 1.9.3p429

Document couchdb XSS vulnerability.

PR:		ports/178985
Submitted by:	wollman

Update to 2.17.1 as the 2.18 release was postponed / cancelled

Fix entry date, wrongly entered in revision 318453

fix typo in recent otrs vulnerability

Add vulnerabilities

Security:	CVE-2013-2637
		CVE-2013-3551

Security Updates

   - www/rt40 to 4.0.13
   - www/rt38 to 3.8.17 [1]

This is a security fix addressing a number of CVEs:

    CVE-2012-4733
    CVE-2013-3368
    CVE-2013-3369
    CVE-2013-3370
    CVE-2013-3371
    CVE-2013-3372
    CVE-2013-3373
    CVE-2013-3374

Users will need to update their database schemas as described in
pkg-message

Approved by:	flo [1]
Security:	3a429192-c36a-11e2-97a9-6805ca0b3d42

Fix vuxml by using the correct format for CVE names.

Prodded by:	bz on IRC

List vulnerabilities fixed in www/chromium 27.0.1453.93 (which is the
current version in the Ports Collection).

Patch multiple vulnerabilities in x11-toolkits/plib.

PR:		ports/178710
Submitted by:	Denny Lin <dennylin93@hs.ntnu.edu.tw>

- Update to 0.7.4
- Add VuXML entry
- Trim Makefile header
- Add LICENSE

PR:		ports/177206
Submitted by:	Alexander Milanov <a@amilanov.com>
Approved by:	Thomas Hurst <tom@hur.st> (maintainer)
Security:	a8818f7f-9182-11e2-9bdf-d48564727302

Update the recent nginx entry to cover the exact version range and include
information for CVE-2013-2070.

Update to the latest version of Adobe Flash

- update firefox to 21.0
- update firefox-esr and thunderbird to 17.0.6
- WEBRTC now supports PULSEAUDIO
- make linux-firefox work with plugins again (e.g. quakelive)

Security:		4a1ca8a4-bd82-11e2-b7a0-d43d7e0c7c02
In collaboration with:	Jan Beich <jbeich@tormail.org>

Update ranges according latest available information.

Source:	http://mailman.nginx.org/pipermail/nginx-announce/2013/000114.html

- Update emacs entry to correct the version ranges for CVE-2012-3479

Update nginx entry to reflect the right version ranges for CVE-2013-2028.

Note that we don't really have nginx 1.3.9 in the ports collection, due
to the recent ports freeze.  The version 1.3.9 is used here just to
better match the original advisory.

Fix typo.

Found by:	ru

Document nginx -- a stack-base buffer overflow.

- fix strongSwan discovery date /2013-05-03/2013-04-30/

- update to version 5.0.4 which fixes CVE-2013-2944.
- add entry to vuxml
- add CVE references to jankins vuxml entry

while I'm here remove .sh from rc script

PR:		ports/178266
Submitted by:	David Shane Holden <dpejesh@yahoo.com>
Approved by:	strongswan@nanoteq.com (maintainer)

Document Jenkins Security Advisory 2013-05-02

- Add the vendor patch for SQUID-2012:1 (CVE-2012-5643) and update VuXML
  information accordingly
- Bump PORTREVISION

PR:		ports/177773
Submitted by:	Kan Sasaki
Approved by:	flo (mentor)
Security:	c37de843-488e-11e2-a5c9-0019996bc1f7

Add entry for SA-13:05.nfsserver

- Document multiple XSS and DDoS vulnerabilities for Joomla!
(2.5.0 <= version < 2.5.10)

Security updae to 3.5.8.1

Four new serious security alerts were issued today by the phpMyAdmin
them: PMASA-2013-2 and PMASA-2013-3 are documented in this commit to
vuln.xml.

 - Remote code execution via preg_replace().

 - Locally Saved SQL Dump File Multiple File Extension Remote Code
   Execution.

The other two: PMASA-2013-4 and PMASA-2013-5 only affect PMA 4.0.0
pre-releases earlier than 4.0.0-rc3, which are not available through
the ports.

- Security update to 1.0.21
Security: CVE-2013-1428

- Security fix
Security: CVE-2011-4517 execute arbitrary code on decodes images
Submitted by:   naddy (Christian Weisgerber)
Obtained from:  Fedora
Feature safe: yes

Document PMASA-2013-1

It turns out that release 3.5.8 (recently updated in ports) was the
cure to an XSS vulnerability.

Feature safe:  yes

Document roundcube arbitrary file disclosure vulnerability.

Reported by:	Marcelo Gondim <gondim bsdinfo com br>
Feature safe:	yes

- add jasper
Feature safe: yes

- Update to 2.7.3 due a vulnerability that affect all versions 2.x. [1]
- Update MASTER_SITES.
- Convert to optionsNG.
- Trim header.

More info:
https://github.com/SpiderLabs/ModSecurity/blob/master/CHANGES

Reported by:    olli hauer <ohauer@gmx.de> [1]
Approved by:    portmgr (bdrewery)
Security:       2070c79a-8e1e-11e2-b34d-000c2957946c

- Update to 0.85
- Convert to new options framework

sieve-connect was not actually verifying TLS certificate identities matched
the expected hostname. Changes with new version:

Fix TLS verification; find server by own hostname & SRV.

* TLS hostname verification was not actually happening.

* IO::Socket::SSL requirement bumped to 1.14 (was 0.97).

* By default, if no server specified, before falling back to localhost try to
use the current hostname and SRV records in DNS to figure out if Sieve is
available. Checks for sieve, imaps & imap protocol SRV records and honours

Replace duplicate vids with a newly generated GUID.
Older duplicates kept their own number.

Approved by:	portmgr (implicit)
With Hat:	ports-secteam

Oops, fix the cite URL.

Approved by:	portmgr (tabthorpe)

Edit OpenVPN 2.3.1 entry:

 - Replace links to changelog and commit with a link to the official
   announcement (which also links to the commit)

 - Replace the description with a sentence lifted from the
   announcement.

Approved by:	portmgr (tabthorpe)