Update to 0.57 - fixes possible overflow vulnerability regarding malformed
BMPs, see vuln.xml for details.

Security:       VuXML ID: 632c98be-aad2-4af2-849f-41a6862afd6a

Document FreeBSD -- IPv6 Routing Header 0 is dangerous

Rework the mod_perl entry to note that Mandriva originally released
an advisory.  Also add mod_perl2 to the vulnerable versions.

Minor wordsmithing in the last mod_perl entry.

Submitted by:   simon

Add entry for mod_perl -- remote DOS in PATH_INFO parsing

PR:             111844
Submitted by:   "Philip M. Gollucci" <pgollucci@p6m7g8.com>

p5-Crypt-OpenPGP 1.03_1 should not be vulnerable to CVE-2005-0366.

- Mark latest firefox and seamonkey snapshots as safe

- Add entry for claws-mail - APOP vulnerability

lighttpd -- DOS when access files with mtime 0
lighttpd -- Remote DOS in CRLF parsing

- Add freeradius-mysql to the list of affected packages of the recent
  freeradius entry.

Submitted by:   David Wood <david@wood2.org.uk>

Mark Google Earth >= 4.0.2414 as safe.

- Document recent remote dos vulnerability in freeradius.

Add an extra reference to the old "gnupg -- OpenPGP symmetric
encryption vulnerability" entry which explains the problem in a more
easy to read way.

Submitted by:   tobez (sort of)

Document fetchmail's "insecure APOP authentication" issue (fixed in 6.3.8).

Stylify the latest zope entry:

o Use consistent title description
o Use tabs when 8 spaces are hit
o Sort the references list (the alphabet goes from a to z)
o Bump modification date (note: please check the entry date
  so that it matches the correct data of insertion).

Also stylify the latest mcweject entry.

Add entry for exploitable buffer overflow in mcweject.

PR:             111365
Submitted by:   Jeff Forsythe<tornandfilthy2006@yahoo.com>

Add entry for webcalendar "noSet" variable overwrite vulnerability.

PR:             110585
Submitted by:   Greg Larkin <glarkin@sourcehosting.net>

Add entry for Zope2 cross-site scripting vulnerability.

Inspired by:    Yasushi Hayashi<yasi@yasi.to> (in PR 111119)

Remove f951cf4a-a1fe-11db-98f9-0004aca3703d entry. It's duplicate to
41da2ba4-a24e-11db-bd24-000f3dcc6a5d.

- Fix versions and dates in latest squid entry

Pointy hat to:  miwi

Standarise the latest Squid entry.

- Add entry for squid  TRACE method handling denial of service

Fix range for sql-ledger entry which I missed in my original review.

Document sql-ledger vulnerability

PR:             ports/110350
Submitted by:   Antoine Beaupre <anarcat@koumbit.org>

Document cacti -- remote injection exploit

PR:             ports/107838
Submitted by:   Dan Langille <dan at langille dot org>

Correct two tdiary entries:

o correct the affected version numbers
o package name of www/tdiary-devel is "tdiary-devel", not "tdiary"
o add ja-tdiary and ja-tdiary-devel to affected packages

PR:             ports/109086
Submitted by:   KOMATSU Shinichiro <koma2 at lovepeers dot org>

Document two long forgotten Samba vulnerabilities.

PR:             ports/109049
Submitted by:   KOMATSU Shinichiro <koma2 at lovepeers dot org>

ktorrent -- multiple vulnerabilities:
- Add CVE references
- Bump modification date

Spell out multiple vulnerabilities instead of specifying the exact
amount (we always do that). Also bump the modification date for
this entry and the PHP entry that had been touched

Fix typo in PHP entry

Document ktorrent -- two vulnerabilities

Add ja-trac-*.

- fix typo

- Add entry for mplayer -- DMO File Parsing Buffer Overflow Vulnerability

Reviewed by:    simon (secteam)

- Add entry for Trac "download wiki page as text" Cross-Site Scripting
Vulnerability.

Reviewed by:    simon@

Correct affected versions in "mod_jk -- long URL stack overflow
vulnerability" entry.

Noticed by:     Nick Barkas

Document mod_jk -- long URL stack overflow vulnerability.

For recent "mozilla -- multiple vulnerabilities" entry:

- Mark Seamonkey 1.1.1 as safe.  While mozilla.org does not clearly
  state this, it does seem to be the case. [1]
- Add another critical vulnerability which wasn't on the web site when
  the vuxml entry was initially added.

Reported by:    Volodymyr Kostyrko [1]

Document bind -- Multiple Denial of Service vulnerabilities
Now all Security Advisories are merged again in VuXML.

Document FreeBSD -- Jail rc.d script privilege escalation

Document: gtar -- name mangling symlink vulnerability

Document FreeBSD -- Kernel memory disclosure in firewire(4).

Document libarchive -- Infinite loop in corrupt archives handling in
libarchive.

This is also FreeBSD SA-06:24.libarchive, FreeBSD systems are not
affected, only specific STABLE versions which are not released!!

Document FreeBSD SA 06:23 OpenSSL - Multiple problems in crypto (3).

- Bump modified date for last update in mozilla entry.
- Bump file copyright year.

Extend the latest gecko vulnerabilities to mail/lightning.

Fix whitespace which I forgot before committing the last update.

Document mozilla -- multiple vulnerabilities.

Note that Seamonkey 1.1 is marked vulnerable under the "better safe than
sorry" principle, since it's not yet clear if Seamonkey 1.1 is
vulnerable to this batch of vulnerabilities.

Document snort -- DCE/RPC preprocessor vulnerability.

Document rar -- password prompt buffer overflow vulnerability.

Reminded by:    Nate Eldredge

Mark 5.2.1_2 as the first safe version for the recent "php -- multiple
vulnerabilities" entry since there was a bug in one of the fixes in
upstream 5.2.1 which port revision 5.2.1_2 fixed.

Document php -- multiple vulnerabilities.

joomla -- multiple remote vulnerabilities

Reviewed by:    secteam (remko)
Approved by:    erwin (mentor, implicit)

Document two sircd vulnerabilities:

  sircd -- remote reverse DNS buffer overflow
  sircd -- remote operator privilege escalation vulnerability

Reviewed by:    secteam (remko)
Approved by:    erwin (mentor)

- Document multple net/cacti vulnerabilities.

Add mplayer RealMedia RTSP streams buffer overflow entry.

PR:             ports/107217
Submitted by:   Thomas E. Zander (multimedia/mplayer maintainer)
Reviewed by:    simon@

Document two fetchmail vulnerabilities.

See also:       http://fetchmail.berlios.de/fetchmail-SA-2006-02.txt
                http://fetchmail.berlios.de/fetchmail-SA-2006-03.txt

Reported by:    Matthias Andree (upstream author)

Document opera -- multiple vulnerabilities.

Upgrade drupal to 4.7.5 fixing a couple security issues.
Upgrade drupal-pubcookie and drupal-textile to the 4.7 versions.

Submitted by:   Nick Hilliard <nick at foobar dot org> (upgrade to 4.7.4)
Security:       vid:3d8d3548-9d02-11db-a541-000ae42e9b93

Unbreak file by using & in w3m entry.

Pointy hat to:  nobutaka
Reported by:    Philipp Wuensche

Document a format string vulnerability of w3m.

- Document www/plone vulnerability

Reviewed by:    simon
Approved by:    erwin (mentor)

- Update the www/zope entry to indicate it is fixed now

PR:             ports/106505
Submitted by:   HAYASHI Yasushi <yasi@yasi.to>
Reviewed by:    simon
Approved by:    erwin (mentor)

phpbb -- NULL byte injection vulnerability has been fixed in
their 2.0.22, so mark it as safe.  Update to the port is pending.

Add an entry for recently fixed proftpd remote code execution
vulnerabilities.

Reviewed by:    remoko

Document gzip -- multiple vulnerabilities, this is FreeBSD-SA06:21.gzip

Document bind9 -- Denial of Service in named(8) which is also known
as FreeBSD-SA-06:20.bind

Notice: The previous commit was FreeBSD-SA-06:19.openssl

Document openssl -- Incorrect PKCS#1 v1.5 padding validation in crypto(3)

sql-ledger -- multiple vulnerabilities

Reviewed by:    remko

Update several entries, making them a bit clearer (Were possible),
adjusting some package names, and collapsing some ruby entries that
can be combined. Also properly sort the <bid> and <cvename> tags.
b comes before c.

Document the recent D-BUS vulnerability as described by CVE-2006-6107.

Submitted by:   mnag

- evince -- Buffer Overflow Vulnerability

- Change spaces to tabs in <name> and <range>
- Remove some empty lines
- Respect 2 spaces between <body> and <p>
- Respect empty line between <vuln vid=""> entry.

tDiary - Injection Vulnerability

- wv -- Multiple Integer Overflow Vulnerabilities

- wv2 -- Integer Overflow Vulnerability

- Fix tnftpd entry (made validate happy)

tnftpd - remote root exploit

Reviewed by:    simon
Approved by:    secteam

- clamav -- Multipart Nestings Denial of Service

Rewrite the libxine entry:

o Use the FDP style to fill in the entry.
o Remove the secunia references and use the libxine information.
o Properly sort the references section
o Add the modified tag (since I changed it).

Add an entry for libxine multiple buffer overflow vulnerabilities.

- Ok. gnupg-devel are not affected.

- Add gnupg-devel package in last entry
- Add secunia reference in las entry

Forced commit to note that my last commit is:

Approved by:    secteam (remko)

* Fix typo in the latest GnuPG entry, inherited from the original message
* Fix the URL in references, the former one gives 404 Not found.
  Kuriyama, where did you get it from?

Add CVE-2006-6235 entry for GnuPG.

- Add a modified field for the entry, touched by the previous commit

- List all affected packages for the Novermber ruby cgi DOS vulnerability
- This vulnerability was not fixed in ruby_static

- Documenet ruby cgi library vulnerability

- Document buffer overflow vulnerabilities in the libmusicbrainz.

Fix markup in last entry so the file is valid XML again.

Pointy hat to:  simon

- Add a entry for www/tDiary, www/tDiary-devel

Reviewed by:    simon

- Document the SGI Image File heap overflow vulnerability in ImageMagick

Document "gtar -- GNUTYPE_NAMES directory traversal vulnerability".

Document 'kronolith -- arbitrary local file inclusion vulnerability'

In latest gnupg entry:
- Use "Werner Koch reports" instead of "Author reports" to follow
  normal style in vuln.xml.
- Fix some indentation and markup in body.

Add recent gnupg one.

Add <modified> tag to previous proftpd entry.

Requested by:   remko

Add proftpd-mysql to the previous entry.

Document "proftpd -- Remote Code Execution Vulnerability".