- Document Rails vulnerability

Document drupal multiple vulnerabilities.

Document new vulnerabilities in www/chromium < 31.0.1650.63

Obtained from:	http://googlechromereleases.blogspot.nl/

- Document multiple XSS core vulnerabilities for Joomla!
  (2.5.0 <= version <= 2.5.14, 3.0.0 <= version <= 3.1.5)

Update to version 1.3.3, which fixes an important crashy bug: denial of
service (server) using forcefully crashed aircrafts.

While here, reduce the diffs between other OpenTTD's VuXML entries; and
limit build logs verbosity to bulk package builders (or batch builds).

PR:		ports/184434, ports/184435
Submitted by:	Ilya A. Arkhipov
Security:	CVE-2013-6411

- security update to 3.3.1

This is a maintenance release that fixes a serious bug in the built-in HTTP
server. It was discovered that the handle_request() routine did not properly
perform input sanitization which led into a number of security
vulnerabilities.

An unauthenticated, remote attacker could exploit this flaw to execute
arbitrary commands on the remote host.

All users still using older versions are advised to upgrade to this version,
which resolves this issue.

Approved by:	crees (maintainer, per PM)
Security:	620cf713-5a99-11e3-878d-20cf30e32f6d

- security update subversion-1.8.5 / 1.7.14 [1]
- add vuxml entry
- let bindings ports load options file [2]

[1]
Version 1.8.5
(25 November 2013, from /branches/1.8.x)
http://svn.apache.org/repos/asf/subversion/tags/1.8.5

 User-visible changes:
  - Client-side bugfixes:
    * fix externals that point at redirected locations (issues #4428, #4429)
    * diff: fix assertion with move inside a copy (issue #4444)

  - Server-side bugfixes:

Make it more clear that "SAME URL" is actually the blockquote
url.

hat:	secteam

- Update devel/ruby-gems to 1.8.28
- Document security issues with 1.8.26 and 1.8.27 (CVE-2013-4287 and
CVE-2013-4363)

Security:	742eb9e4-e3cb-4f5a-b94e-0e9a39420600
Security:	54237182-9635-4a8b-92d7-33bfaeed84cd

- Fix and report heap overflow in floating point parsing issue in ruby

Security:	cc9043cf-7f7a-426e-b2cc-8d1980618113

Add entries about CVE-2013-4475 and CVE-2013-4476 for net/samba* ports.

Document new vulnerability in www/nginx (< 1.4.4) and www/nginx-devel (< 1.5.7).

Add back NO_STAGE which snuck away during testing.

Minor tweak to standard template in order to fit with convention

Document new vulnerability in www/chromium < 31.0.1650.57

Obtained from:	http://googlechromereleases.blogspot.nl/

Fix the OpenSSH entry, a version entry should be marked
on a per rule basis, and not on it's own lines, because
that would bogusly match other versions then intended.

When in doubt, please let me review your changes!!

hat:	secteam

Update to latest flash and mark the old one as vulnerable.

PR:		ports/183911
Submitted by:	Tsurutani Naoki <turutani@scphys.kyoto-u.ac.jp>

Document new vulnerabilities in www/chromium < 31.0.1650.48

Obtained from:	http://googlechromereleases.blogspot.nl/

- Set MAINTAINER to ports-secteam

Requested by:	des@
With hat:	ports-secteam@

- Fix versions for entry 5709d244-4873-11e3-8a46-000d601460a4

- Document memory corruption in security/openssh-portable

Document vulnerability in irc/quassel

security/vuxml: add modified date for gnutls

Reported by:	kwm

gnutls3 3.1.15 is affected by the same vulnerability

Thunderbird is only at version 24.1.0, not 25.0

Add an entry for the recent mozilla vulnerabilities

- Update www/mod_pagespeed to 1.2.24.2,1
- Document security issue in mod_pagespeed

- Cancel the vuxml entry correctly

Notified by:	remko

- Revert previous commit

- Document WordPress XSS vulnerability

- Add url reference to 9065b930-3d8b-11e3-bd1a-e840f2096bd0

With Hat: ports-secteam

- Remove report url as it is a default CVE

Reported by:	ak

- Document gnutls3 denial of service CVE

Document xorg-server use after free CVE.

Reviewed by:	zeising@

Document pycrypto PRNG reseed race condition.

- Add CVE references to WordPress 3.6.1 entry

- Note issues with WordPress before 3.6.1

- node-devel packages is vulnerable too, guessing this is going to be fixed in
  0.11.7, but if not, I'll update further.

- Update to 0.10.21 to address a security issue

PR:		ports/183092
Submitted by:	Kenji Rikitake <kenji.rikitake@acm.org>
Security:	206f9826-a06d-4927-9a85-771c37010b32

- update to latest release [1]
- use PKGNAMESUFFIX instead LATEST_LINK
- whitespace cleanup
- svn mv */bugzilla to */bugzilla40
- add vuxml entry

4.4.1, 4.2.7, and 4.0.11 Security Advisory
Wednesday Oct 16th, 2013

Summary
=======

Bugzilla is a Web-based bug-tracking system used by a large number of
software projects. The following security issues have been discovered
in Bugzilla:

Fix build by commenting out the most recent of the two discovery
dates.

- Fix year, move entry up

- Document new vulnerabilities in security/dropbear

Document new vulnerabilities in www/chromium < 30.0.1599.101

Obtained from:	http://googlechromereleases.blogspot.nl/

- update mod_fcgid to version 2.3.9
- add stage support
- add vuxml entry

PR:		ports/182878
Submitted by:	Fabiano Sidler <freebsd.ports@webstyle.ch> (maintainer)
Security:	CVE-2013-4365

Add recent gnupg1/gnupg vuln.

Document the last xinetd vulnerability

- Update to 1.2.9
- Add vuxml entry
- Prevent install target from copying patch backup files

Changes:	https://raw.github.com/polarssl/polarssl/60ad84f43f46b0d3673eaca8b9847d7e01b83c5e/ChangeLog
Security:	ccefac3e-2aed-11e3-af10-000c29789cb5
Security:	CVE-2013-5915

Document new vulnerabilities for www/chromium < 30.0.1599.66

Obtained from:	http://googlechromereleases.blogspot.nl/

Our "package" can have multiple "name" elements.  Since these packages are
from the same origin, they can be collapased into one entry.

- Add a low version to the graphite-web vuln

Approved by:	swills@

- Document graphite issue

- ebd877b9-7ef4-4375-b1fd-c67780581898 also applies to our ruby18

Reviewed by:	swills

Document CVE-2013-1443 for www/py-django{,14,-devel}

- Split names for different packages

Notified by:	remko

Add NO_STAGE all over the place in preparation for the staging support (cat:
security)

- add modification date to mozilla entry, that I forgot about

- correct thunderbird version in recent mozilla entry

Add the latest two FreeBSD Security Advisories that have impact
on -RELEASE versions. (RC's are not documented).

Hat:	secteam

- update firefox, thunderbird and libxul to 24.0
- update seamonkey to 2.21
- update firefox-esr to 17.0.9
- enable GSTREAMER by default for html5 with h264/aac/mp3
- WEBRTC is now always built
- add PROFILE and TESTS options

Security:		7dfed67b-20aa-11e3-b8d8-0025905a4771
In collaboration with:	Jan Beich <jbeich@tormail.org>

Update flash to version 11.2.202.310

PR:		ports/182013
Submitted by:	Tsurutani Naoki <turutani@scphys.kyoto-u.ac.jp>
Security:	http://www.vuxml.org/freebsd/5bd6811f-1c75-11e3-ba72-98fc11cdc4f5

Document CVE-2013-4315 for www/py-django{,14,-devel}

- update devel/subversion to 1.8.3	[1]
- update devel/subversion17 to 1.7.13	[1]
- add vuxml entry

Version 1.7.13
(29 Aug 2013, from /branches/1.7.x)
http://svn.apache.org/repos/asf/subversion/tags/1.7.13/CHANGES

User-visible changes:
 - General
   * merge: fix bogus mergeinfo with conflicting file merges (issue #4306)
   * diff: fix duplicated path component in '--summarize' output (issue #4408)
   * ra_serf: ignore case when checking certificate common names (r1514763)

 - Server-side bugfixes:

- Document the last cacti vulnerabilities

PR:		ports/181606 (based on)
Submitted by:	Rodrigo (ros) OSORIO <rodrigo@bebik.net>

Add CVE entries to latest entry for Asterisk.
Add "The" in who reports the issue.
Bump modified date

Update net/asterisk to 1.8.23.1
Update net/asterisk10 to 10.12.3
Update net/asterisk11 to 11.5.1

Security:	fd2bf3b5-1001-11e3-ba94-0025905a4771

Document new vulnerabilities in www/chromium < 29.0.1547.57

Obtained from:	http://googlechromereleases.blogspot.nl/

Fix multiple security issues in the bundled libav version by replacing it
with a newer version.

Reported by:	Jan Beich <jbeich@tormail.org>

- Correct lcms2 VuXML entry: only versions before 2.5 are vulnerable.

PR:		ports/181384
Reported by:	Derek Schrock <dereks@lifeofadishwasher.com>

- Update modified date of VuXML entry which was missed in r317985

Reported by:	remko

Correct latest entry, properly indent the paragraphs
and sort the url list alphabetically.

Amend 689c2bf7-0701-11e3-9a25-002590860428 so that it doesn't overlap with
80771b89-f57b-11e2-bf21-b499baab0cbe, but keep both entries rather than
augmenting the old one, because I've cited the new one in a commit message.

Update security/libgcrypt to 1.5.3 [1], and document the latest gnupg
and libgcrypt vulnerability

PR:		181231
Submitted by:	Hirohisa Yamaguchi (maintainer) [1]
Security:	http://www.vuxml.org/freebsd/689c2bf7-0701-11e3-9a25-002590860428.html

- Update puppet to 3.2.4 which fixes CVE-2013-4761 and CVE-2013-4956

Approved by:	swills@
Security:	2b2f6092-0694-11e3-9e8e-000c29f6ae42

Correct polarssl entry, the lines were way to long, indentation was
incorrect, and the topic description does not need too many details
since that is explained in the description itself.

Also correct the url's since c comes before u ;-)

Prodded by:	stas

- Fix ordering of references.

Reported by:	remko

- Add lcms2 DoS vulnerability entry.

Hat: secteam

Add CVE Id, which was not in the advisory,
but on <https://polarssl.org/security>.

Record PolarSSL < 1.2.8 infinite loop denial of service.

Note: the port has not yet been upgraded, and the fix then needs to be merged
to the 9.2 ports branch before release.

Add a link to the advisory.

Submitted by:	remko

Document Samba DoS vulnerability.

- update firefox to 23.0
- update firefox-esr, thunderbird and libxul to 17.0.8
- update seamonkey to 2.20
- fix plist for *-i18n

Security:		0998e79d-0055-11e3-905b-0025905a4771
In collaboration with:	Jan Beich <jbeich@tormail.org>

Add one more reference for PuTTY 0.59-0.61 vuln CVE-2011-4607.

More references for PuTTY < 0.63 vulnerabilities.

Upgrade PuTTY to new 0.63 beta upstream release, adding vulnerability info.

Quoting the upstream's change log:

- Security fix: prevent a nefarious SSH server or network attacker from
  crashing PuTTY at startup in three different ways by presenting a maliciously
  constructed public key and signature.
- Security fix: PuTTY no longer retains the private half of users' keys in
  memory by mistake after authenticating with them.
- Revamped the internal configuration storage system to remove all fixed
  arbitrary limits on string lengths. In particular, there should now no longer
  be an unreasonably small limit on the number of port forwardings PuTTY can
  store.
- Port-forwarded TCP connections which close one direction before the other
  should now be reliably supported, with EOF propagated independently in the

Adjust NVidia driver version ranges after r304966 to remedy false positives.

- secuity update for typo3 ports
- some small Makefile cleanups
- add vuxml entry

Vulnerability Types: Cross-Site Scripting, Remote Code Execution
 Overall Severity: Critical

Vulnerable subcomponent: Third Party Libraries used for audio and video playback
 Affected Versions: All versions from 4.5.0 up to the development branch of 6.2
 Vulnerability Type: Cross-Site Scripting
 Severity: Medium

Vulnerable subcomponent: Backend File Upload / File Abstraction Layer
 Vulnerability Type: Remote Code Execution by arbitrary file creation
 Affected Versions: All versions from 6.0.0 up to the development branch of 6.2
 Severity: Critical

PR:		ports/180951
		ports/180952
		ports/180953
Submitted by:	Helmut Ritter <freebsd-ports@charlieroot.de> (maintainer)
Security:	http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2013-002/
		CVE-2011-3642
		CVE-2013-1464

- Security update of databases/phpmyadmin to 4.0.5

ChangeLog:
http://sourceforge.net/projects/phpmyadmin/files/phpMyAdmin/4.0.5/phpMyAdmin-4.0.5-notes.html/download
SecurityAdvisory: http://www.phpmyadmin.net/home_page/security/PMASA-2013-10.php

- Deprecate databases/phpmyadmin35

This version is vulnerable to the 'clickjacking protection bypass'
problem fixed in 4.0.5, but the development team will not be
publishing a fix. "We have no solution for 3.5.x, due to the proposed
solution requiring JavaScript. We don't want to introduce a dependency
to JavaScript in the 3.5.x family."

Therefore deprecate this port and set expiry for one month.  Please
upgrade to 4.0.5 instead.

Security:	17326fd5-fcfb-11e2-9bb9-6805ca0b3d42

Add new vulnerabilities for www/chromium < 28.0.1500.95

Obtained from:	http://googlechromereleases.blogspot.nl/

Modify the latest puppet entry. Because the matching of the version everything
below 3.2.2 was a match, including all 2.7.x versions. It also appears that
there is no puppet27 version, just puppet-2.7.x and puppet-3.2.x instead.

Bump modification date.

PR:		180958
Submitted by:	Kan Sasaki <sasaki@fcc.ad.jp>

Now that PMSA-2013-{9,11-15} have been published, borrow from them to
expand on the original rather sketchy entries.

Sort URL references[1]

Submitted by:	remko [1]

Security update: multiple vulnerabilities in databases/phpmyadmin and
databases/phpmyadmin35

 - update phpmyadmin to 4.0.4.2

ChangeLog:
http://sourceforge.net/projects/phpmyadmin/files/phpMyAdmin/4.0.4.2/phpMyAdmin-4.0.4.2-notes.html/view

 - update phpmyadmin35 to 3.5.8.2

ChangeLog:
http://sourceforge.net/projects/phpmyadmin/files/phpMyAdmin/3.5.8.2/phpMyAdmin-3.5.8.2-notes.html/view

 - vuxml

The PMSA references shown have not been published yet, hence no CVE
numbers and a lack of detail in the descriptions.  Yes, PMSA-2013-10
is missing from the sequence.  According to the security alert e-mail:

   "For more details, see the upcoming PMASA-2013-8 to PMASA-2013-15 (minus
    PMASA-2013-10 which is reserved for a future advisory)."

Add entry for wordpress < 3.5.2

Requested by:	Patrick Oonk

Add additional reference, bump modified date.

Document BIND denial of service vulnerability

Cleanup last entry. Properly indent the entry and
make sure that after a period on the end of a line
we follow with two spaces.

hat:	    secteam

Add an entry for security/gnupg1.

Update to 1.6.5

This is a security release by upstream, and requires configuration changes
in addition to the software update.  See UPDATING.

Reviewed by:	ports-security (zi, remko)
Approved by:	hrs (mentor, ports committer)

  Add <url></url> to references.

Submitted by:	Remko Lodder <remko@FreeBSD.org>

 Update:
   devel/subversion to 1.8.1
   devel/subversion16 to 1.7.11

 These releases fix CVE-2013-4131
 http://subversion.apache.org/security/CVE-2013-4131-advisory.txt

Approved by:	Olli Hauer <ohauer@FreeBSD.org> for devel/subversion17
Security:	CVE-2013-4131