Document jdk - jar directory traversal vulnerability.

Approved by:    simon

Document several mozilla/firefox issues.

Mark wget >= 1.10.a1 safe from the "wget -- multiple vulnerabilities"
entry.

Info provided by:       sf

Document openoffice -- DOC document heap overflow vulnerability.

Fix and document insecure temporary file handling in portupgrade.

Security:       CAN-2005-0610
Security:      
http://vuxml.FreeBSD.org/22f00553-a09d-11d9-a788-0001020eed82.html
Approved by:    erwin (mentor), maintainer timeout
OK'ed by:       portmgr
Reviewed by:    nectar

Document three GAIM vulnerabilities.

Document an old PHP issue.

Document squid -- DoS on failed PUT/POST requests vulnerability.

Submitted by:   Devon H. O'Dell <dodell@offmyserver.com> (original version)

- Fix closing tag on the entry I just touched.

Pointed out by: still Chimera
Blaming:        too much bear earlier tonight

- Add <modified> to the entry I just touched

Prodded by:     Chimera

- CAN-2005-0133 is fixed in clamav-devel-20050408

PR:             ports/79688
Submitted by:   Renato Botelho <freebsd@galle.com.br>

Bump modified date for entry modified last commit.

add CVE name to latest vuln of Cyrus IMAPd.

Add an entry for a XSS vulnerabilty fixed in horde-3.0.4.

Document wu-ftpd -- remote globbing DoS vulnerability.

Add CVE name to hashash entry.

Document hashcash format string vulnerability.

Document clamav -- zip handling DoS vulnerability.

Approved by:    portmgr (blanket, VuXML)

Document Wine information disclosure.

Based on an entry that was
Submitted by:   Devon H. O'Dell <dodell@offmyserver.com>
Approved by:    portmgr (blanket, VuXML)

Document the most serious of the recently disclosed
Mozilla/Firefox/Thunderbird vulnerabilities.

Based on entries that were
Submitted by:   Devon H. O'Dell <dodell@offmyserver.com>
Approved by:    portmgr (blanket, VuXML)

Document Sylpheed buffer overflow.

Reminded by:    netchild
Approved by:    portmgr (blanket, VuXML)

Document xv -- filename handling format string vulnerability.

Approved by:    portmgr (implicit, VuXML)

Document kdelibs -- local DCOP denial of service vulnerability.

Approved by:    portmgr (implicit, VuXML)

Mark grip port as fixed for recent vulnerability.

Requested by:   ahze

Document phpmyadmin -- increased privilege vulnerability.

Note that recent Quake2-LNX is fixed.

Recent mysql snapshot import fixed several vulnerabilities.

Document ethereal -- multiple protocol dissectors vulnerabilities.

Document "grip -- CDDB response multiple matches buffer overflow
vulnerability".

Update references for latest MySQL entry:

- Use bid tag for Bugtraq ID reference.
- Add CVE names.

Document multiple mysql remote vulnerabilities.

Add an entry about rxvt-unicode bufer overflow.

Document two phpMyAdmin issues.

Document libexif -- buffer overflow vulnerability.

Fix invalid date.

Noticed by:     Kang Liu <liukang@bjut.edu.cn>

Add <modified> date for recent commit to phpbb vulnerability.

Forgotten by:   delphij

While here, add msgids for recent phpbb addition.

Document a low risk HTML injection (configuration bypass)
vulnerability [1] of phpBB.

(maintainer contacted and is preparing a fix)

[1] http://marc.theaimsgroup.com/?l=bugtraq&m=110987231502274

Add bugtraq bug ID for phpbb vulnerability.

Submitted by:   Kang LIU <liukang bjut edu cn>

Document two phpnuke vulnerabilities, and a Linux RealPlayer
vulnerability.

Based on entries that were
Submitted by:   Devon H. O'Dell <dodell@sitetronics.com>

- Document ImageMagick -- format string vulnerability.
- Fix typo on older tiff entry.

Document the privilege escalation vulnerability in uim.

Fix typo in linux-tiff version number for
http://vuxml.freebsd.org/8f86d8b5-6025-11d9-a9e7-0001020eed82.html

Reported by:    Ian Moore <no-spam@swiftdsl.com.au>

Document lighttpd information disclosure bug.

This entry is based on one that was
Submitted by:   Devon H. O'Dell <dodell@offmyserver.com>

Fix typo in linux-tiff version number for
http://vuxml..freebsd.org/fc7e6a42-6012-11d9-a9e7-0001020eed82.html

Reported by:    Ian Moore <no-spam@swiftdsl.com.au>

Document latest phpBB critical security vulnerabilities.

Submitted by:   Kang LIU <liukang bjut edu cn>

Correct the linux-tiff version number for several entries.

Reported by:    netchild

Document curl -- authentication buffer overflow vulnerability.

- Document cyrus-imapd -- multiple buffer overflow vulnerabilities. [1]
- Use bid tag for a reference in sup entry.

Advice from:    ume [1]

Document format string vulnerabilities in net/sup.

- Just use mozilla in title for last entry for consistency.
- Document mozilla -- insecure temporary directory vulnerability.

Update list of affected mozilla/firefox ports by the web browsers --
window injection vulnerabilities entry.

Document mozilla & firefox -- arbitrary code execution vulnerability.

Submitted by:   Devon H. O'Dell <dodell@sitetronics.com> (original version)

Improve the description of the latest phpBB information disclosure
bugs.

Submitted by:   delphij (in part)

Document a format string vulnerability in mkbold-mkitalic.

Reviewed by:    simon

Add CVE names for wget.

De-confuse latest AWStats entry: rewrite description, and add relevant
references.  There were so many bugs, it was hard to keep them straight
(^_^).

Format the <topic> of the most recent entry so that it is more
consistent with other entries.

Document latest phpbb vulnerabilities.

Discussed with: phpbb maintainer

Add more references to recent putty vulnerability.

The mod_dosevasive port was upgraded.

Nit:
- In most recent `unace' entry, replace HTML entity with the Unicode
  character.  We do not use HTML entities so that a VuXML document may
  be processed without using the DTD.  (We also avoid character entity
  references for more natural grep'ing, sed'ing, and editor searching.)

Corrections:
- An invalid UUID was assigned to a FreeRADIUS vulnerability, and went
  undetected since last October.  (>_<)   Correct it.
- A bnc vulnerability was duplicated.  Cancel the older, less informative
  entry and update the newer entry.

Document unace-1.2b vulnerabilities: buffer overflows, directory traversal.

For the the recent kdelibs entry; note that dcopidlng is only used at
build time.

Reported by:    lofi

Document heap corruption vulnerabilities in putty.

Update affected versions of latest postgresql entry now that the ports
have been fixed.

Document insecure temporary file creation in kdelibs.

Document format string vulnerability in bidwatcher.

Document a directory traversal vulnerability in gftp.

- Document two Opera vulnerabilities.
- Update information about fixed version for Opera with regard to
  "Window Injection" issues (based on release notes for Opera 7.54u2).

Document multiple buffer overflows in postgresql.

Fix entry date for last commit.

Document vulnerabilities in awstats.  Note that this entry will most
likely be updated soon when more information becomes available.

Add a few more references to the awstats entry.

Change affected packages version for the emacs movemail format string
vulnerability since I fixed editors/emacs port by adding a patch
instead of upgrading it to 21.4.

Document DoS in powerdns.

Document format string vulnerability in the Emacs movemail utility.

- Reflect fixing vulnerability in `net/opendchub'
- Print project's name correctly

- Fix a cvename that should have been a certvu.
- Delete trailing white space.
- Fix some nearby formatting while I'm here anyway.

Document two vulnerabilities in ngircd.

Document mod_python information leakage vulnerability.

Document mailman directory traversal vulnerability.

Expand HTML entity reference in latest VuXML entry.

Document enscript-{a4,letter,letterdj} vulnerabilities.

Vulnerability in unrtf is fixed now.

Document privilege escalation vulnerability in postgresql.

Document multiple protocol dissectors vulnerabilities in ethereal.

Add another squid issue.

PR:             ports/76967
Submitted by:   Thomas-Martin Seck <tmseck@netcologne.de>

Add CERT Vulnerability Note reference for one squid issue,
and correct the reference for another one [1].

Reported by:    Thomas-Martin Seck <tmseck@netcologne.de> [1]

Add CVE name for squid confusing empty ACL issue.

Add US-CERT Vulnerability Note references for recent squid issues.

Add missing <code> markups in a citation from PSF-2005-001.

Add an entry for PSF-2005-001,
"SimpleXMLRPCServer.py allows unrestricted traversal"

Update the entry for CAN-2005-0064 to indicate that gpdf 2.8.3 has a fix
for this vulnerability.

Note that perl does not have a suidperl by default.

Note vulnerabilities in perl.

Add Bugtraq ID for evolution issue.

Add CVE name for squid WCCP issue.

Add a <modified> tag to the perl File::Path issue since the affected
versions were changed.

Forgotten by: tobez

Narrow perl File::Path vulnerability version range a bit.

Documented vulnerabilities found in the newspost, newsfetch and newsgrab ports.

http://people.freebsd.org/~niels/issues/newspost-20050114.txt
http://people.freebsd.org/~niels/issues/newsgrab-20050114.txt
http://people.freebsd.org/~niels/issues/newsfetch-20050119.txt

Approved by:    nectar (mentor)