- Document vulnerabilities in www/typo3 and www/typo345

- Document security/krb5 vulnerability as described in MITKRB5-SA-2011-007

- Add CVE for recent asterisk vulnerabilities

Feature safe:   yes

Document Opera multiple vulnerabilities.

Requested by:   tabthorpe
Feature safe:   yes

Document vulnerabilities fixed in Chromium 16.0.912.63

Security:       CVE-2011-[3903-3917]

Add cvename tag with content CVE-2011-4607 for PuTTY password 'vulnerability'.

Feature safe: yes
Submitted by: eadler

- Correct package name for asterisk18

Feature safe:   yes

Update PuTTY to new upstream security and bug fix release 0.62,
and add a new VuXML entry.

Changelog:     
http://lists.tartarus.org/pipermail/putty-announce/2011/000017.html
Security:       bbd5f486-24f1-11e1-95bc-080027ef73ec
Feature safe:   yes

- Document asterisk vulnerabilities

Feature safe:   yes

- Document vulnerabilities in isc-dhcp: CVE-2011-4539

Feature safe:   yes

Update to version 3.4.8

This is the formal release of the fix to CVE-2011-4634, but there are
no code differences from the preliminary fixes released in 3.4.8-rc1
except for the updated version number.

PMSA-2011-18 has now been published; vuxml entry attached.

PR:             ports/163001
Submitted by:   Matthew Seaman <m.seaman@infracaninophile.co.uk> (maintainer)

Feature safe:   yes

- Add a link to a nice documentation in PH

Suggested by:   dougb
Feature safe:   yes

- Add a quick guide to adding a new entry to this unfriendly file

Feature safe:   yes

- mark 1.3.41+2.8.31_4 as not vulnerable
Feature safe:   yes

hiawatha -- memory leak in PreventSQLi routine

Approved by:    glarkin@ (mentor)
Feature safe:   yes

Bump modified date for previous commit.

Feature safe:   yes

The long-term URL for the latest BIND vulnerability is up at ISC,
so adjust accordingly.

Feature safe:   yes

Mark chromium-15.0.874.120 vulnerable.

Obtained from: 
http://googlechromereleases.blogspot.com/search/label/Stable%20updates
Security:       CVE-2011-3900
Feature safe:   yes

Add an entry for the BIND DOS vulnerability announced today

Feature safe:   yes

- document apache13 CVE-2011-3368

Feature safe:   yes

- Fix previous entry

Feature safe:   yes

Add note about CVE-2011-2725 for ark in kdeutils4.

Approved by:    avilla (mentor, implicit)
Feature safe:   yes

- document apache apr-0.9 reimplementation of apr_fnmatch()

Feature safe:   yes

Fix the recent flash entry:

1. Only one <package> container is needed
2. Use of <lt> has to be relative to the latest (unvulnerable) version
3. Improve the range for the 11.x version to not tag all 10.x versions
4. Use https for the cite in blockquote
5. Fix a CVE entry

Feature safe:   yes

- Correct latest libxml(1) entrys
- Mark CVS-2009-2414 CVS-2009-2416 CVS-2011-1944 entrys as safe
- Fix whitespaces
- Bump modify date
- While here add missing blank lines between entries [1]

[1] This would not happened when committers use "make newentry" (sometimes RTFM
is really helpful)

Feature safe:   yes

Document latest phpMyAdmin vulnerability

PR:             ports/162442
Submitted by:   Matthew Seaman <m.seaman@infracaninophile.co.uk> (maintainer)
Security:       CVE-2011-4107
Security:       http://www.phpmyadmin.net/home_page/security/PMASA-2011-17.php
CC:             m.seaman@infracaninophile.co.uk
Feature safe:   yes

- update flash10 to 10.3r183.11
- add security issues to vuln.xml

Submitted by:   nox
Reviewed by:    dougb (vuxml)
Security:       CVE-2011-2445, CVE-2011-2450, CVE-2011-2451, CVE-2011-2452,
CVE-2011-2453, CVE-2011-2454, CVE-2011-2455, CVE-2011-2456, CVE-2011-2457,
CVE-2011-2458, CVE-2011-2459, CVE-2011-2458

Feature safe:   yesA

Add vulnerabilities for www/chromium < 15.0.874.120

Obtained from: 
http://googlechromereleases.blogspot.com/search/label/Stable%20updates
Security:       CVE-2011-[3892-3898]
Feature safe:   yes

Add missing blank lines between entries.

Feature safe:   yes

Fix build.

Feature safe:   yes

Register multiple libxml{1,2} vulnerabilities

- Cleanup a bit

Document gnutls client session resumption vulnerability.

- Document mozilla -- multiple vulnerabilities

- add vuxml entry for insecure use of temporary directories in caml-light

Reviewed by:    dougb
Approved by:    bapt,sahil (mentors, implicit)

- add vuxml entry for insecure use of temporary directories in caml-light

Reviewed by:    dougb
Approved by:    bapt,sahil (mentors, implicit)

Fix the freetype entry. The package name is freetype2 and fill in the comment.

Fix vuln.xml

Document vulnerabilities in handling Type 1 fonts in freetype.

Properly match lower bound of version numbers.

Noticed by:     Patrick Oonk <patrick.oonk pine.nl>

- bid from latest PivotX entry [1]
- while remove a lot whitespaces

PR:             161734 [1]
Submitted by:   Fumiyuki Shimizu <fumifumi@abacustech.jp>

Document cacti security issues.

SQL injection issue with user login
Cross-site scripting issues.

PR:             ports/162044
Reported by:    moggie <moggie@elasticmind.net>

- Cleanup & whitespace fixe

document phpmyfaq remote PHP code injection vulnerability

Mention vulnerabilities in www/chromium < 15.0.874.102

Obtained from:  http://googlechromereleases.blogspot.com/
Security:       CVE-2011-[2845, 3875-3891]

- Document phpldapadmin - remote PHP code injection vulnerability

PR:             ports/161954
Submitted by:   Ruslan Mahmatkhanov <cvs-src@yandex.ru>

Document CVE-2011-3365 and CVE-2011-3366.

Different CVE numbers for different software, but they share the same
KDE security advisory.

Approved by:    makc (mentor)

Fix the port names of a few past KDE vulnerabilities.

The entries mentioned kdebase4-runtime, kdebase3, kdelibs4 etc, but
the port names are kdebase, kdelibs etc.

Adjust the names and the version ranges.

Approved by:    makc (mentor)

add an entry for the recent piwik vulnerability, with the little information
that's available.

The only known fact is that Piwik rates this update critical.

Fix discovery date.

Document a File disclosure vulnerability and File permission change
vulnerability
in xorg-server.

Obtained from: 
http://lists.freedesktop.org/archives/xorg-announce/2011-October/001744.html
                upstream xorg-server
Security:       CVE-2011-4028, CVE-2011-4029

- Fix entry dates for recently added OpenTTD vulns

Submitted by:   "Ilya A. Arkhipov" <micro@heavennet.ru>

Document asterisk -- remote crash vulnerability in SIP channel driver.

Commit result of manually merged make tidy output.

Document PivotX remote file inclusion vulnerability.

PR:             ports/161734
Submitted by:   Fumiyuki Shimizu <fumifumi abacustech jp>

- Fix quotation links

Reported by:    danfe

Document openttd multiple vulnerabilities

PR:             161488
Submitted by:   "Ilya A. Arkhipov" <micro@heavennet.ru>

ca_root_nss - fix capitalization of topics

Security: 1b27af46-d6f6-11e0-89a6-080027ef73ec
Security: aa5bc971-d635-11e0-b3cf-080027ef73ec

ca_root_nss - reword topic for clarity

Security: 1b27af46-d6f6-11e0-89a6-080027ef73ec

Be less grubby in specifying vulnerable gnutls-devel versions.

Latest pyblosxom version is not vulnerable

Document quagga multiple vulnerabilities

Document latest vulnerabilities for www/chromium

Obtained from:  http://googlechromereleases.blogspot.com/
Security:       CVE-2011-[2876-2881, 3873]

Correct tomcat version represetations.

Pointed out by: Tim Zingelman <tez netbsd.org>

- Document mozilla -- multiple vulnerabilities

Properly mark version range for horde-imp.

- Update linux-f10-flashplugin to 10.3r183.10 . [1]
- Make gnome desktopfileutils dependency optional. [2]

PR:             ports/160894 [1]
Submitted by:   Garrett Cooper <yanegomi@gmail.com> [1]
Suggested by:   Peter Jeremy <peterjeremy@acm.org> [2]
Security:      
http://www.freebsd.org/ports/portaudit/53e531a7-e559-11e0-b481-001b2134ef46.html

Improve accuracy of krb5 vulnerability entries for upcoming port addition of
krb5-17.
(one entry was missed from the previous commit)

Improve accuracy of krb5 vulnerability entries for upcoming port addition
of krb5-17.

Document vulnerabilities in Chromium 13.0.x.y

Obtained from:  http://googlechromereleases.blogspot.com/
Security:       CVE-2011-[2834-2838, 2840-2844, 2846-2862, 2864, 2874-2875,
                          3234]

Document phpMyAdmin multiple XSS vulnerability.

Update phpMyAdminn to 3.4.5 release. [1]

PR:             ports/160589 [1]
Submitted by:   maitainer [1]

Document Django multiple vulnerabilities.

Document roundcube XSS vulnerability.

Document libsndfile -- PAF file processing integer overflow.

Security:       CVE-2011-2696

Re-revise emacs vulnerability to limit with >= 22 and < 22.2_1 instead of
>21.* and <22.2_1 which didn't work as expected

- Limit emacs vulnerability to > 21.* and <= 22.2 instead of just <= 22.2

Document two OpenSSL vulnerabilities.

(There is no OpenSSL 0.9.8s in the ports so mark <1.0.0 as vulnerable).

fix last thunderbird entry

add firefox, thunderbird and seamonkey to the DigiNotar.nl entry

Security:      
http://www.vuxml.org/freebsd/aa5bc971-d635-11e0-b3cf-080027ef73ec.html

Fix vuln.xml, while here fix indentation

- Update to 1.2.7

PR:             ports/160368
Submitted by:   gjb
Approved by:    dvl (maintainer), bapt (mentor)
Security:       CVE-2011-2938

- Document cfs buffer overflow vulnerability.
- While here, unbreak packaudit -- it doesn't like newlines in the
  middle of tags.  Perhaps a comment should say something?

Revise nss/ca_root_nss working around Mozilla,
limit ca_root_nss vuln to < 3.12.11 from <= 3.12.11.

Add a new entry for the ca_root_nss bug that caused extraction of untrusted
certificates to the trust bundle.

PR: ports/160455

- Correct affected plone versions

- bump modifiled for CVE-2007-5137

- update CVE-2007-5137

Update range to exclude nss 3.12.11 from vuln, as kwm@'s commit
to upgrade nss to 3.12.11 included the newer CKBI 1.87 that explicitly
distrusts DigiNotar.

Add a security notice for the DigiNotar incident, listing nss/ca_root/nss.

- only match vulnerable versions in the hlstats entry
- add additional CVEs

Final modification for apache22 vulnerability; include slave ports as well

Pointed out by: flo
Reviewed by:    eadler

Correct range for apache22, 2.2.20 is fixed and 1.3 wasn't affected.

Submitted by:   Aleksandr Stankevic (sysmonk on IRC/Freenode##FreeBSD)
Security:       CVE-2011-3192

Put a lower bound on the last php entry, as the bug was introduced in
5.3.7-RC5.

Submitted by:   "jaset" via #bsdports

- Fix entry date and use two ranges

Reviewed by:    gahr@
Approved by:    jadawin@ (mentor)

- Document CVE-2011-3192 for recent apache DoS vulnerability

Approved by:    jadawin@ (mentor)
Security:      
http://vuxml.org/freebsd/7f6108d2-cea8-11e0-9d58-0800279895ea.html

Upstream indicates that this only affects 4.40 and 4.41 so add a <ge> tag
to indicate that.

Document stunnel heap corruption vulnerability.

Fix discovery date

DOcument phpMyAdmin CVE-2011-3181 (multiple XSS).

Document new Chromium vulnerabilities.

Obtained from:  http://google-chrome-browser.com/releases
Security:       CVE-2011-[2821, 2823-2829, 2839]

Mark PHP5 < 5.3.7_2 as vulnerable to PHP bug #55439: crypt() returns only
the salt for MD5.