security/vuxml: Fix version range of 9bad457e-b396-4452-8773-15bec67e1ceb

Sponsored by:	The FreeBSD Foundation

security/vuxml: Document Jenkins Security Advisory 2021-10-06

Sponsored by:	The FreeBSD Foundation

security/vuxml: Only apache24 2.4.49 is vulnerable

security/vuxml: document multiple issues with databases/redis-devel

security/vuxml: document multiple issue with databases/redis{,5,6}

PR:	258935

security/vuxml: Document Apache httpd vulnerability

security/vuxml: Document bacula-web vulnerabilities

security/vuxml: Document mediawiki's multiple vulnerabilities

security/vuxml: add www/chromium < 94.0.4606.71

Obtained
from:	https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop_30.html

security/vuxml: Document gitlab vulnerabilities

security/vuxml: Fix entry 7062bce0-1b17-11ec-9d9d-0022489ad614

This should also fix vuxml build.

PR:		258802
Sponsored by:	The FreeBSD Foundation

security/vuxml: document archivers/ha vulnerabilities

security/vuxml: document recent nexus2-oss vulnerabilities

PR:	252564

security/vuxml: Fix range on latest cURL vuln

Submitted by:	yasu
PR:		258586

security/vuxml: Fix double CVE- in latest httpd entry

security/vuxml: add www/webkit2-gtk3

PR:		255528
Obtained from:	https://webkitgtk.org/security/WSA-2021-0005.html

security/vuxml: add www/chromium < 94.0.4606.61

Obtained
from:	https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop_24.html

security/vuxml: Fix missing <name> field

I wasn't able to see my mistake based on the error "make validate"
gave me:

    Traceback (most recent call last):
      File
"/usr/local/poudriere/ports/current-patched/security/vuxml/files/extra-validation.py",
line 99, in <module>
	if (re_invalid_package_name.search(name.text) is not None):
    TypeError: expected string or bytes-like object
    *** Error code 1

Thanks to Dan for the pointy hat save.

Reported by:	Dan Langille

security/vuxml: Mark zeek < 4.0.4 as vulnerable as per:

    https://github.com/zeek/zeek/releases/tag/v4.0.4

 - Paths from log stream make it into system() unchecked, potentially
   leading to commands being run on the system unintentionally.
   This requires either bad scripting or a malicious package to be
   installed, and is considered low severity.

 - Fix potential unbounded state growth in the PIA analyzer when
   receiving a connection with either a large number of zero-length
   packets, or one which continues ack-ing unseen segments. It is
   possible to run Zeek out of memory in these instances and cause
   it to crash. Due to the possibility of this happening with packets
   received from the network, this is a potential DoS vulnerability.

security/vuxml: Document mod_auth_mellon vulnerability

security/vuxml: document Node.js August 2021 Security Releases (2)

https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases2/

Sponsored by:	Miles AS

security/vuxml: document Node.js August 2021 Security Releases

https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/

Sponsored by:	Miles AS

security/vuxml: document Node.js July 2021 Security Releases (2)

https://nodejs.org/en/blog/vulnerability/july-2021-security-releases-2/

Sponsored by:	Miles AS

security/vuxml: document Node.js July 2021 Security Releases

https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/

Sponsored by:	Miles AS

security/vuxml: add chromium < 94.0.4606.54

Obtained
from:	https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop_21.html

security/vuxml: Document libssh vulnerability

security/vuxml: Add entry for libpano13 < 2.9.20

PR:		258354
Approved by:	tcberner
Differential Revision:	https://reviews.freebsd.org/D31980

security/vuxml: update seatd 0.6.{0,1} entry

- Discovered 1 day before announcement
- Assigned CVE-2021-41387

security/vuxml: fix range in vid f55921aa-10c9-11ec-8647-00e0670f2660

Fix ranges for latest net/mpd5 vulnerability.

Reported by:	Clive Lin

security/vuxml: Document Apache httpd vulns

security/vuxml: Register cURL vulns

security/vuxml: consistently use -- in topic after e0992ef21346

security/vuxml: mark seatd 0.6.{0,1} as vulnerable

security/vuxml: add chromium < 93.0.4577.82

Obtained
from:	https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop.html

security/vuxml: Document vulnerabilities in Matrix clients

Security:	93eb0e48-14ba-11ec-875e-901b0e9408dc
Security:	CVE-2021-40823
Security:	CVE-2021-40824

security/vuxml: document sysutils/consul vulnerability

security/vuxml: Document lang/go vulnerability

security/vuxml: Document multiple vulnerabilities of python38

security/vuxml: add net/mpd5 PPPoE Server remotely exploitable crash

Version 5.9_2 contains security fix for PPPoE servers.
Insufficient validation of incoming PPPoE Discovery request
specially crafted by unauthenticated user might lead to unexpected
termination of the process. The problem affects mpd versions since 5.0.
Installations not using PPPoE server configuration were not affected.

Reported by:	Yannick C at SourceForge
Tested by:	Yannick C at SourceForge, paul at SourceForge

security/vuxml: Document multiple vulnerabilities of python36 and python37

security/vuxml: Document WeeChat vulnerability

security/vuxml: Document py-matrix-synapse vulnerabilities

PR:		258187
Reported by:	Sascha Biberhofer <ports@skyforge.at>
Security:	a67e358c-0bf6-11ec-875e-901b0e9408dc
Security:	CVE-2021-39163
Security:	CVE-2021-39164

security/vuxml: Document python39 multiple vulnerabilities

security/vuxml: fix range

Reported by:	rene

security/vuxml: add www/chromium < 93.0.4577.63

Obtained
from:	https://chromereleases.googleblog.com/2021/08/stable-channel-update-for-desktop_31.html

security/vuxml: Document cyrus-imapd vulnerability.

security/vuxml: Document gitlab vulnerabilities

security/vuxml: document fetchmail TLS vulns

URL:		https://www.fetchmail.info/fetchmail-SA-2021-02.txt
Security:	CVE-2021-39272
Security:	1d6410e8-06c1-11ec-a35d-03ca114d16d6

security/vuxml: add FreeBSD SA-21:17.openssl

Reference FreeBSD SA-21:17.openssl in the 16 February 2021
OpenSSL entry and note the fixed patch releases.

security/vuxml: add FreeBSD SA-21:16.openssl

Reference FreeBSD SA-21:16.openssl in the 24 August 2021
OpenSSL entry and note the fixed patch releases.

security/vuxml: add FreeBSD SA-21:15.libfetch

security/vuxml: add FreeBSD SA-21:14.ggatec

security/vuxml: add FreeBSD SA-21:13.bhyve

security/vuxml: Fix openssl-devel version

security/vuxml: Document OpenSSL vulnerabilities

vuxml: Add entry for gitea < 1.15.0

PR:		257994

vuxml: Add entry for gitea < 1.14.6

security/vuxml: Document vulnerabilities in java/bouncycastle15

MFH:	2021Q3
Sponsored by:	Modirum MDPay
Sponsored by:	Klara, Inc.

security/vuxml: Excessive memory consumption vulnerability in binutils

Fixed in main a0e752df8013 and in 2021Q3 in 9c4ee12.

PR:	256133
Reviewed by:	fluffy@, koobs@
Security:	CVE-2021-3487

security/vuxml: add www/chromium < 92.0.4515.159

Obtained
from:	https://chromereleases.googleblog.com/2021/08/stable-channel-update-for-desktop.html

security/vuxml: Update release number for fixed lynx vulnerability

Security:	e9200f8e-fd34-11eb-afb1-c85b76ce9b5a

security/vuxml: Document credential leakage vulnerability

Security:	e9200f8e-fd34-11eb-afb1-c85b76ce9b5a

security/vuxml: postgresql??-server vuln CVE-2021-3677

security/vuxml: document xtrlock CVE-2016-10894

security/vuxml: Document x11/cde local privilege escalation

Security:	CVE-2020-2696, VU#308289

security/vuxml: Document lang/go vulnerability

security/vuxml: Security vulnerabilities for gitlab-ce

security/vuxml: Mark MariaDB vulnerable

security/vuxml: Add net-im/prosody CVE-2021-37601

PR:		257597

security/vuxml: update fetchmail CVE-2021-36386 vuln

this vuln was a reintroduction of CVE-2008-2711 which got fixed in
fetchmail 6.3.9, when 6.3.17 refactored code.

- restrict range (>= 6.3.9 < 6.3.17 unaffected)
- add reference to old CVE-2008-2711

URL:		https://www.fetchmail.info/fetchmail-SA-2021-01.txt
Security:	cbfd1874-efea-11eb-8fe9-036bd763ff35
Security:	CVE-2021-36386
Security:	CVE-2008-2711

security/vuxml: add www/chromium < 92.0.4515.131

Obtained
from:	https://chromereleases.googleblog.com/search/label/Stable%20updates

security/vuxml: document net/rabbitmq CVE-2021-22116

https://tanzu.vmware.com/security/cve-2021-22116

security/vuxml: document tomcat CVE-2021-33037

PR:		257153

security/vuxml: document tomcat CVE-2021-30640

PR:		257153

security/vuxml: correct tomcat package name/versions

PR:		257153
Fixes:	9462edd84baf

security/vuxml: document tomcat CVE-2021-30639

PR:		257153

security/vuxml: add fetchmail < 6.4.20 vuln

Security: cbfd1874-efea-11eb-8fe9-036bd763ff35
Security: CVE-2021-36386

security/vuxml: Document integer overflow vulnerability in redis

PR:		257325

security/vuxml: Document dns/powerdns CVE-2021-36754

PR:		257435

security/vuxml: Mark mosquitto >= 2.0.0, < 2.0.10 vulnerable as per:

   
https://github.com/eclipse/mosquitto/blob/d5ecd9f5aa98d42e7549eea09a71a23eef241f31/ChangeLog.txt

 - If an authenticated client connected with MQTT v5 sent a malformed
   CONNACK message to the broker a NULL pointer dereference occurred,
   most likely resulting in a segfault.

PR:		255229
Reported by:	Daniel Engberg

security/vuxml: Document new pjsip vulnerability

security/vuxml: Document new asterisk vulnerabilities

security/vuxml: document Chromium < 92.0.4515.107

security/vuxml: fix `make validate'

security/vuxml: Document cURL 7.77.0 vulnerabilities

security/vuxml: Document MySQL vulnerabilities Jul2021

security/vuxml: Document vulnerabilities in www/gitea

PR:		257221
Approved by:	lwhsu (mentor)

security/vuxml: Fix make validate after 069e58611c7933431ec82b0b9c119677e8d6cc21

Reported by:	lwhsu
Approved by:	delphij (ports-secteam)

security/vuxml: document chromium < 91.0.4472.164

Obtained
from:	https://chromereleases.googleblog.com/2021/07/stable-channel-update-for-desktop.html

security/vuxml: Document ruby vulnerability

security/vuxml: Fix make test

- Respect VUXML_FILE and VUXML_FLAT_FILE [1]
  It allows run "make test" on read-only media (e.g. poudriere jail)
- Copy all vuln XML file to the test directory [2]
  Since vuln.xml has been split into multiple XML files, all of them must be
copied to the test directory.

Without [1], the error message is as follows:
===>  Testing for vuxml-1.1_5
xmllint -noent vuln.xml > vuln-flat.xml
/bin/sh: cannot create vuln-flat.xml: Read-only file system
*** Error code 2
Stop.

Without [2], the error message is as follows:

security/vuxml: Document lang/go vulnerability

security/vuxml: Document vulnerabilities in databases/mantis

PR:		257068
Reported by:	Zoltan ALEXANDERSON BESSE <zab@zltech.eu>

security/vuxml: Document gitlab vulnerability

security/vuxml: document vulnerabilities in graphics/exiv2

PR:	256803

security/vuxml: document openexr < 3.0.5 vulns

Security:	f2596f27-db4c-11eb-8bc6-c556d71493c9

security/vuxml: Documented gitlab vulnerabilities.

security/vuxml: Let vuln-flat.xml depend on all vuln xml files

So it can get rebuilt when any of vuln xml file changed.

Approved by:	ports-secteam (fluffy, implicitly)

security/vuxml: Document Jenkins Security Advisory 2021-06-30

Sponsored by:	The FreeBSD Foundation

security/vuxml: Fix dovecot entry

Fix stray ">" character in a CVE URL.