vuxml Vulnerability and eXposure Markup Language DTD
1.1_4 security =32

Maintainer: ports-secteam@FreeBSD.org
Port Added: 2004-02-12 14:24:23
Last Update: 2019-03-18 18:25:00
SVN Revision: 496197
Also Listed In: textproc
License: BSD2CLAUSE

VuXML (the Vulnerability and eXposure Markup Language) is an XML
application for documenting security bugs and corrections within
a software package collection such as the FreeBSD Ports Collection.
This port installs the DTDs required for validating VuXML documents.

SVNWeb : PortsMon

Pseudo-pkg-plist information, but much better, from make generate-plist
Expand this list (10 items)

1. /usr/local/share/licenses/vuxml-1.1_4/catalog.mk
2. /usr/local/share/licenses/vuxml-1.1_4/LICENSE
3. /usr/local/share/licenses/vuxml-1.1_4/BSD2CLAUSE
4. @xmlcatmgr share/xml/dtd/vuxml/catalog
5. @xmlcatmgr share/xml/dtd/vuxml/catalog.xml
6. share/xml/dtd/vuxml/vuxml-10.dtd
7. share/xml/dtd/vuxml/vuxml-11.dtd
8. share/xml/dtd/vuxml/vuxml-model-10.mod
9. share/xml/dtd/vuxml/vuxml-model-11.mod
10. share/xml/dtd/vuxml/xml1.dcl
Collapse this list.

Dependency line: vuxml>0:security/vuxml

---

To install the port: cd /usr/ports/security/vuxml/ && make install clean
To add the package: pkg install vuxml

PKGNAME: vuxml

There is no flavor information for this port.

distinfo:

SHA256 (vuxml/vuxml-10.dtd) = 6a635ad2cf45f52361c8c2a29a689157fad4d00519045485bc822d34e04a524e
SIZE (vuxml/vuxml-10.dtd) = 2986
SHA256 (vuxml/vuxml-model-10.mod) = 051fed00b52bedde8ee901003fc29f7b95cd904157e31ceef34e6b06f2d1a14a
SIZE (vuxml/vuxml-model-10.mod) = 10599
SHA256 (vuxml/vuxml-11.dtd) = 12b50061d7bb34cecffede2e08d439e4469324376d55aeb7c73eb6aab0f36af1
SIZE (vuxml/vuxml-11.dtd) = 3063
SHA256 (vuxml/vuxml-model-11.mod) = a40777208625a3029c6f416aeeea733f614802a6a5f26035a4e445a09e61a47c
SIZE (vuxml/vuxml-model-11.mod) = 13282
SHA256 (vuxml/xml1.dcl) = 343efa94c4e1302e85e08b2d1791d86e50aac1ecdbc3161daecac100e4726847
SIZE (vuxml/xml1.dcl) = 7372
SHA256 (vuxml/catalog) = 479a69cf02995603443fd1f3b5b33f97811670931f87f53be99a727d664abc66
SIZE (vuxml/catalog) = 549
SHA256 (vuxml/catalog.xml) = 7b2e2850f57264eeba0ccd3d1fc161b9d5ce3071ae0ec51b9da7fa956f2a6509
SIZE (vuxml/catalog.xml) = 2150

---

NOTE: FreshPorts displays only information on required and default dependencies. Optional dependencies are not covered.

Runtime dependencies:

1. xmlcatmgr : textproc/xmlcatmgr
2. xsltproc : textproc/libxslt
3. VERSION : textproc/xhtml-modularization
4. xhtml-basic10.dtd : textproc/xhtml-basic
5. python2.7 : lang/python27

There are no ports dependent upon this port

---

Configuration Options

     No options to configure

---

USES:

python:run

---

Master Sites:

1. http://www.vuxml.org/dtd/vuxml-1/

Document Rails vulnerability

Record PuTTY security vulnerabilities in versions before 0.71.

Document py-notebook vulnerability

Document ruby-gems vulnerability

Document CVE fixes in libsndfile-1.0.28_2

PR:		227669
Reported by:	p5B2E9A8F@t-online.de

Fill in the actual URL for March 2019 ntp-4.2.8p13 NTP Release and
Security Vulnerability Announcement

security/vuxml: Document OpenSSL 1.1.1 vulnerability

Document crafted ull dereference ntp attack.

Security:	CVE-2019-8936
Obtained from:	nwtime.org

security/vuxml: Document shells/rssh < 2.3.4_2 vulnerabilities

PR:		235121
Approved by:	tcberner (mentor)
Differential Revision:	https://reviews.freebsd.org/D19473

Document a jQuery related XSS security fix in rt4.4.4 and rt4.2.16

Note: the release notes also mention 3 other security issues in perl
modules depended on by these packages.  Of those, vulnerabilities in
the Email::Address and Email::Address::List perl modules have already
been addressed in their respective ports, while the third: HTML::Gumbo
is not currently in the ports at all.

Document a slixmpp < 1.4.1 vulnerability

Reviewed by:	krion, mat
Approved by:	krion (mentor), mat (mentor)
MFH:		2019Q1

Doucumented several www/gitlab-ce security vulnerabilities.

Document www/py-gunicorn vulnerability

Update mybb entry

Sponsored by:	Netzkommune GmbH

security/vuxml: document Node.js February 2019 Security Releases

https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/

Sponsored by:	Miles AS

Document vulnerability in www/mybb

Sponsored by:	Netzkommune GmbH

Document new asterisk vulnerability.

Security:	CVE-2019-7251

security/vuxml: Update OpenSSL 1.0.2r entry

Document webkit-gtk CVE's

Security:	CVE-2019-6212, CVE-2019-6215, CVE-2019-6216, CVE-2019-6217, \
		CVE-2019-6226, CVE-2019-6227, CVE-2019-6229, CVE-2019-6233, \
		CVE-2019-6234.

security/vuxml: dokument rdesktop < 1.8.4 vulnerabilities

PR:		235885, 229029

Document sysutils/puppetserver* vulnerabilities.

PuppetServer bundles Bouncy Castle, so add affected ports to the Bouncy Castle
entry.

sysutils/puppetserver is EOL and will likely never get a fix;
sysutils/puppetserver5 may get fixed in a future release of the 5.x branch;
sysutils/puppetserver6 was fixed in the latest release.

With hat:	puppet

- Add drupal8 vulnerability entry

security/vuxml: Document announced OpenSSL vulnerability

 - To be updated with more specifics on 2019-02-26

Document mail/msmtp certificate verification issue

fix firefox-esr PORTEPOCH in latest entry

Submitted by:	jbeich

add more mozilla products to latest entry

https://www.mozilla.org/en-US/security/advisories/mfsa2019-05/
(same CVEs as mfsa2019-04, so not creating another entry)

document firefox vulnerabilities

https://www.mozilla.org/en-US/security/advisories/mfsa2019-04/

Document the latest Flash Player vulnerability.

https://helpx.adobe.com/security/products/flash-player/apsb19-06.html

Fix r492723 for the name of NVD report

Update openjpeg status

There were 5 vulnerabilities in openjpeg and 4 of them are fixed.
The current status  is described in [1] as follows:
- CVE-2017-17479 and CVE-2017-17480 were fixed in r477112.
- CVE-2018-5785 was fixed in r480624.
- CVE-2018-6616 was fixed in r489415.
- CVE-2018-5727 is not fixed yet.

Though I keep committing fixes and updating the status, it does not show in the
"pkg audit" result. Users have to follow the link but apparently few people
would do that. Therefore, I got mails asking if the CVEs are fixed, etc.

I don't know if there's a better way to handle this condition (partly fixed over
several months). Instead of removing fixed CVEs from vuln.xml, I decided to add
a new entry (5efd7a93-2dfb-11e9-9549-e980e869c2e9) which is split from the old
entry (11dc3890-0e64-11e8-99b0-d017c2987f9a). It should be clearer for users if
they only read the "pkg audit" result.

[1] https://www.vuxml.org/freebsd/11dc3890-0e64-11e8-99b0-d017c2987f9a.html

Document FreeBSD-SA-19:02.fd

Document FreeBSD-SA-19:01.syscall

Document kf5-kauth vulnerability.

Update versions range for recent unit vulnerability.

Document unit vulnerability.

Document curl vulnerability

Document gitlab-ce vulnerability.

mail/dovecot: update reporter for latest vuln

mail/dovecot: Suitable client certificate can be used to login as other user

update vuxml

Document typo3 vulnerability

PR:		235187, 235188

security/vuxml: Document Gitea < 1.7.1 vulnerabilities

PR:		235399
Submitted by:	stb@lassitu.de (www/gitea maintainer)

Document vulnerability addressed by release 0.06 of p5-Email-Address-List

Unfortunately there is very little real description of the
vulnerability available, other than what is in the changelog.  Even
the CVE number only leads to a page saying the number is reserved.

Documented multiple vulnerabilities for www/gitlab-ce.

security/vuxml: document vulnerabilities in net/turnserver

Sponsored by:	Miles AS

security/vuxml: mark firefox < 65 as vulnerable

Document powerdns-recursor issue

PR:		235113
Submitted by:	Ralf van der Enden <tremere@cainites.net>

Update py-requests entry

Reference:	https://lists.freebsd.org/pipermail/svn-ports-head/2019-January/198601.html

security/vuxml: Document recent MySQL vulnerabilities

 - 5.5 branch see https://mariadb.com/kb/en/library/mariadb-5563-release-notes/

security/vuxml: Document security/botan2 vulnerability

PR:		234938
Submitted by:	Ralf van der Enden <tremere@cainites.net> (maintainer)

Document PMASA-2019-1 and PMSA-2019-2 security advisories: Arbitrary
file disclosure and SQL injection attacks.

Add entry for www/gitea

PR:		235140
Sponsored by:	Netzkommune GmbH

security/vuxml: Add libzmq4 -- Remote Code Execution Vulnerability

PR:	230575

- Add package name validation

Fix invalid package name in previous commit for
4af3241d-1f0c-11e9-b4bd-d43d7eed0ce2

Add entry for www/apache24

Sponsored by:	Netzkommune GmbH

 Add CVE-2018-11803 for www/mod_dav_svn.

Attempt to fix vuxml build.

Sponsored by:	The FreeBSD Foundation

security/vuxml: Add www/py-requests: Information disclosure vulnerability

security/vuxml: Document joomla 3 vulnerabilities.

- Add drupal7 and drupal8 vulnerability entry

Document helm security advisory

Documented gitlab security vulnerability.

Document Jenkins Security Advisory 2019-01-16

Sponsored by:	The FreeBSD Foundation

Document py-matrix-synapse issue

PR:		234828
Submitted by:	Sascha Biberhofer <ports@skyforge.at> (with slight editing)

security/vuxml: Document irc/irssi issue

Security:	CVE-2019-5882

PR:		234798

Document out-of-bounds vulnerability in net/uriparser < 0.9.1

Reported by:	sebastian@pipping.org (via e-mail)

Document gitea issue

PR:		234659
Submitted by:	stb@lassitu.de

Update openjpeg status

Document new vulnerability in www/chromium < 71.0.3578.98

Obtained
from:	https://chromereleases.googleblog.com/2018/12/stable-channel-update-for-desktop_12.html

Document new vulnerabilities in www/chromium < 71.0.3578.80

Obtained
from:	https://chromereleases.googleblog.com/2018/12/stable-channel-update-for-desktop.html

- Documented security vulnerability of Django

Documented several gitlab-ce security vulnerabilities.

Approved by:	mentors (implicit)

Document gitea issue

Add entry for archivers/rpm4 security isssue on 4.14.2

Update handbrake entries now that 1.2.0 has been released.

PR:		234322
Submitted by:	Nei Teng  You Yi Lang  <naito.yuichiro@gmail.com> (maintainer)

Documented security vulnerability for gitlab-ce.

Approved by:	mentors (implicit)

Add vuxml entry for shibboleth-sp

Document databases/couchdb2 and databases/couchdb vulnerability

Approved by:	jrm (mentor)
Security:	CVE-2018-17188
Security:	see http://docs.couchdb.org/en/stable/cve/2018-17188.html
Differential Revision:	https://reviews.freebsd.org/D18498

Mark bro < 2.6.1 as vulnerable as per:

    https://www.bro.org/download/NEWS.bro.html

The issue is a remote code execution vulnerability in the bundled
sqlite ("Magellan").

Reviewed by:	ler (mentor)
Approved by:	ler (mentor)
Differential Revision:	https://reviews.freebsd.org/D18615

Document FreeBSD-SA-18:15.bootpd

Document wordpress issues

Sponsored by:	Netzkommune GmbH

HTML encode < and > and fix the formatting of the latest typo3 entry.

Add Mbed TLS Security Advisory 2018-03.

Security:	https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2018-03
Security:	CVE-2018-19608

Add entry for typo3-8 and typo3-9

PR:		233935 233936
Sponsored by:	Netzkommune GmbH

Document gitlab-ce vulnerability.

Approved by:	mentors (implicit)

Revert r487286 -- PHP70 is still present in the 2018Q4 quarterly branch.

Reported by:	mat

PHP 70 was EoL'd and is no longer in the ports.

Reported by:	joneum

Document three more security advisories from phpMyAdmin

security/vuxml: update to 1.1_3

Document FreeBSD-SA-18:14.bhyve

Document FreeBSD-SA-18:13.nfs

security/vuxml: document Node.js vulnerabilities from November 2018

https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/

Sponsored by:	Miles AS

Document powerdns-recursor issue

PR:		233603
Submitted by:	Ralf van der Enden <tremere@cainites.net>

Correct entry date on previous entry

Pointyhat to:	swills

Document security/py-asyncssh issue

Document security vulnerability for gitlab-ce < 11.5.3.

Approved by:	mentors (implicit)

Document the latest Flash Player vulnerabilities.

https://helpx.adobe.com/security/products/flash-player/apsb18-42.html

Document Jenkins Security Advisory 2018-12-05

Sponsored by:	The FreeBSD Foundation

- Document moodle login CSRF vulnerability

Document Rails vulnerability

13 vulnerabilities affecting 42 ports have been reported in the past 14 days

^* - modified, not new

All vulnerabilities

Last updated:
2019-03-18 18:34:00