net-im/jabber -- Mark the correct versions with fd_set vulnerability, author
fixed the problem on trunk and 2 new releases (1.4.3.1 and 1.4.4.1) is comming
soon

Update the latest FreeBSD-SA entry, ppp got replaced by sppp.
Also implement a suggestion from Simon, mark all versions before
the latest version vulnerable.

Document joomla -- multiple vulnerabilities

Note that I only documented the high level
threats, there are several others which can
be found at the link provided [1]

Reference:      http://www.joomla.org/content/view/1841/78/ [1]

Document FreeBSD-SA-06:18.ppp

Minor whitespace cleanup (we need a blank line every after </entry>
so that we can easily see the different entries).

- Add imp to the previous entry.
- Add some SecurityFocus BIDs too.

Document horde -- Phishing and Cross-Site Scripting Vulnerabilities.

Convert 8 spaces to tab as per the FDP for the latest
entry.

Add entry for globus tmpfile creation bugs.

The lang/f2c port has been updated, update affected versions.

Reviewed by:    simon

Document x11vnc -- authentication bypass vulnerability.

The 1.1111th commit, yay.

Document alsaplayer -- multiple vulnerabilities.

Document postgresql -- encoding based SQL injection.

Reported by:            Radim Kolar <hsn at netmag dot cz>

Bump modified date in the older entry I just corrected.

Spotted by:     simon (again)

Document postgresql -- multiple vulnerabilities.

These are all older vulnerabilities which had not yet been documented
by the Security Team.

Also fix a minor mistake in an older PostgreSQL entry.

Fix the discovery date in the latest MySQL entry.

Spotted by:     simon

Document mysql -- format string vulnerability.

OK after some more discussions with Simon it appeared that the ,2
marked all future releases of squirrelmail as vulnerable.

The negative side-effect of PORTEPOCH.  Split the previous entry
into two seperated entries again, restoring the old entry for
squirrelmail, and having the 'new' entry for ja-squirrelmail.

This would grab any future versions of ja-squirrelmail if it were
to be readded, and does not conflict with future versions of
squirrelmail.

For more information about the portepoch discussion etc:
http://lists.freebsd.org/pipermail/freebsd-vuxml/2006-July/000185.html

Simon provided me with the necessary clue to mark the appropriate ports
as vulnerable.  I was soo close..

Document squirrelmail -- random variable overwrite vulnerability.

Note that I marked all ja-squirrelmail entries as vulnerable, it
does no longer exist on it's own and the portepoch is giving me
matching problems.

Document rubygem-rails -- evaluation of ruby code.

Submitted by:   Marius Nuennerich <marius.nuennerich@gmx.net>

Add CVE name to recent ClamAV entry.

Document clamav and clamav-devel vulnerability

Reviewed by:    secteam (mnag)

- Fix discovery date in latest entry
- Remove extra "." in latest entry

Update drupal to 4.6.9 to fix yet another XSS vulnerability.

Security:       vuxml vid c905298c-2274-11db-896e-000ae42e9b93

Add recent gnupg issue.

We are not affected by: CAN-2005-0018 in the
f2c entry (43cb40b3-c8c2-11da-a672-000e0c2e438a).  We do not have
the shellscript, and it is not installed.

Reported by:            thierry

Unbreak latest ruby entry by adding missing </lt>.

Run make tidy to clean up some style issues.

Only sort on entry date, not modified date.  It simply causes too much
repo churn with little value to resort all entries which have been
modified.

- The last vulnerabilities was fixed in ruby18 port

OK, I misunderstood Simon with this one.  The <gt>1.8.*</gt> entry
should have stayed and I interpreted that wrong.

Pointyhat:              remko

Fix my previous version commit.  The two entries matched twice when you
have ruby installed.  You learn something new everyday...

Noticed/discussed with:         simon

Mark all 1.6 and 1.8 versions as vulnerable, we do not have a fix
yet and are unable to tell what the naming scheme will be with
those patches.  We can narrow down the scope later, we should
not do so before we know the mentioned scheme.

Triggered by:           sem

Add a BID to the latest vuxml entry.
Some minor changes to the markup of the entry.

- Document Ruby vulnerability. [1]
- Fix URL in previous mutt entry while here.

Reported by:    Joel Hatton via freebsd-ports [1]

Add linux-thunderbird to mozilla -- multiple vulnerabilities entry.

Prodded by:     sat

Document apache -- mod_rewrite ldap buffer overflow vulnerability.

Thanks to remko for doing initial list of apache package names in an
earlier VuXML entry.

Fix error in latest mozilla entry which marked all firefox version as
vulnerable.

Reported by:    Craig Leres

Document mozilla -- multiple vulnerabilities.

Note I assume that linux-firefox-devel 3.0.a2006.07.26 is fixed, I
haven't actually checked (way to many issues to check for).

Add "zope -- information disclosure vulnerability" entry

Reviewed by:    simon

For latest drupal entry:
 - Unbreak vuln.xml format by adding content to the references section.
 - Remove vulnerabilities already documented in
   40a0185f-ec32-11da-be02-000c6ec775d9.

Add entry for drupal issues.

Add shoutcast crosssite scripting.

Submitted by:   gabor
Reviewed by:    simon

Cancel VID 0a4cd819-0291-11db-bbf7-000c6ec775d9 / opera -- JPEG
processing integer overflow vulnerability, since it turns out that the
issue does not affect the FreeBSD or Linux versions of Opera.

Source: http://www.opera.com/support/search/supsearch.dml?index=834

Correct dates in latest mambo entry by resetting entry date and adding
a modified date.

OK'ed by:       itetcu

Bump modified date for previous commit.

Requested by:   simon

The two two SQL injection vulnerabilities in Mambo described in
vid f70d09cb-0c46-11db-aac7-000c6ec775d9 are fixed in 4.5.4

PR:             ports/100044
Submited by:    maintainer

Fix markup breakage that slipped in just before commit of the latest
samba entry.

Document samba -- memory exhaustion DoS in smbd.

- For the latest trac entry include information from the release
  announcements about setups which are not affected.  To avoid having
  to reference two documents simply reference the release notes for
  all the information (it's basically the same as the changelog with
  slightly different wording).
- Add a modified date tag.

Document twiki -- multiple file extensions file upload vulnerability.

Improve markup for last entry.  No content change.

Add trac DoS.

Add an entry for Horde's latest vulnerabilities.

Document mambo -- SQL injection vulnerabilities.

 Document phpmyadmin -- cross site scripting vulnerability

Approved by:    markus (co mentor)

Document webmin, usermin -- arbitrary file disclosure vulnerability.

Details are unknown, all sources talk about an "unspecified" vulnerability.

Document mutt -- Remote Buffer Overflow Vulnerability.

Approved by:    ahze (mentor)

Document joomla --  multiple vulnerabilities

Approved by:    markus (co mentor)

Document hashcash -- heap overflow vulnerability.

Document gnupg -- user id integer overflow vulnerability.

Document opera -- JPEG processing integer overflow vulnerability.

Update the webcalendar entry, use alphabetic sorting, no functional
change of information.

Add an entry for Horde's latest XSS vulnerabilities.

Add webcalendar -- information disclosure vulnerability.

PR:             ports/98993
Submitted by:   Gregory C. Larkin <glarkin@sourcehosting.net>

Add FreeBSD-SA-06:17.sendmail to the VuXML database.

Bump modification date in the last entry and earn my own pointyhat.

Forgotten by/pointyhat:         remko

Fix the latest entry by using the entity for &, this passes make validate.

Reported by:    Michal Kaps <michal at ionic dot co dot uk>
Pointyhat by:   aaron, (tobez implicit)

- Added multiple dokuwiki vulnerabilities

Approved by:    tobez

Add an entry for libxine -- buffer overflow vulnerability.

Document FreeBSD-SA-06:15.ypserv and FreeBSD-SA-06:16.smbfs.
Add the proper freebsdsa tag for older entries and bump
their modification date.

Document two freeradius issues, one newer and one older issue:
freeradius -- multiple vulnerabilities
freeradius -- authentication bypass vulnerability

Mark graphics/fractorama 1.6.7_1 "clean". This port now links against libtiff
from ports.

Approved by:    simon (secteam)

The awstats port has PORTEPOCH bumped, so update the vuxml entry awstats
-- arbitrary command execution vulnerability to reflect that.

Mumble, back out local changes which should not have been committed.

Mark squirrelmail-1.4.6_1 as fixed for squirrelmail -- plugin.php
local file inclusion vulnerability.

Document squirrelmail -- plugin.php local file inclusion vulnerability.

Document dokuwiki -- spellchecker remote PHP code execution.

Document drupal -- multiple vulnerabilities.

- Add last two MySQL vulnerabilities

MySQL -- SQL-injection security vulnerability
MySQL -- Information Disclosure and Buffer Overflow Vulnerabilities

Document frontpage -- cross site scripting vulnerability and point
FORBIDDEN from the frontpage ports at it.

While this is "only" a cross site scripting vulnerability it has some
rather serious implications which can allow an attacker to take over a
web site, so I'm keeping FORBIDDEN.

cscope -- buffer overflow vulnerabilities

coppermine -- Multiple File Extensions Vulnerability
coppermine -- "file" Local File Inclusion Vulnerability
coppermine -- File Inclusion Vulnerabilities

phpmyadmin -- XSRF vulnerabilities

- Normalize the topic of last entry

Requested by:   remko

- Add VuXML entry for vnc 4.1.1

- Add vulnerabilities in last topic.

phpldapadmin -- Cross-Site Scripting and Script Insertion

Modify the entry for p5-DBI insecure temporary files creation to reflect
the fact that version 1.37_1 of p5-DBI-137 is OK now.

Reviewed by:    simon

Add www/fswiki vulnerability.

- Add missing s in latest awstats entry's title.
- Document mysql50-server -- COM_TABLE_DUMP arbitrary code execution.

- Cancel last rsync entry. Does not affect FreeBSD port.

Notified by:    simon, pav
Discussed with: simon

Document awstat -- arbitrary command execution vulnerability.

Fix a incorrect use of cvename in the latest firefox entry, which I
missed when reviewing the entry (and which make validate did not / can
not catch).

phpwebftp -- "language" Local File Inclusion

Document firefox -- denial of service vulnerability

Reviewed by:    simon

trac -- Wiki Macro Script Insertion Vulnerability

rsync -- "xattrs.diff" Patch Integer Overflow Vulnerability

clamav -- Freshclam HTTP Header Buffer Overflow Vulnerability

- Add last jabberd entry:

jabberd -- SASL Negotiation Denial of Service Vulnerability