- For the latest trac entry include information from the release
  announcements about setups which are not affected.  To avoid having
  to reference two documents simply reference the release notes for
  all the information (it's basically the same as the changelog with
  slightly different wording).
- Add a modified date tag.

Document twiki -- multiple file extensions file upload vulnerability.

Improve markup for last entry.  No content change.

Add trac DoS.

Add an entry for Horde's latest vulnerabilities.

Document mambo -- SQL injection vulnerabilities.

 Document phpmyadmin -- cross site scripting vulnerability

Approved by:    markus (co mentor)

Document webmin, usermin -- arbitrary file disclosure vulnerability.

Details are unknown, all sources talk about an "unspecified" vulnerability.

Document mutt -- Remote Buffer Overflow Vulnerability.

Approved by:    ahze (mentor)

Document joomla --  multiple vulnerabilities

Approved by:    markus (co mentor)

Document hashcash -- heap overflow vulnerability.

Document gnupg -- user id integer overflow vulnerability.

Document opera -- JPEG processing integer overflow vulnerability.

Update the webcalendar entry, use alphabetic sorting, no functional
change of information.

Add an entry for Horde's latest XSS vulnerabilities.

Add webcalendar -- information disclosure vulnerability.

PR:             ports/98993
Submitted by:   Gregory C. Larkin <glarkin@sourcehosting.net>

Add FreeBSD-SA-06:17.sendmail to the VuXML database.

Bump modification date in the last entry and earn my own pointyhat.

Forgotten by/pointyhat:         remko

Fix the latest entry by using the entity for &, this passes make validate.

Reported by:    Michal Kaps <michal at ionic dot co dot uk>
Pointyhat by:   aaron, (tobez implicit)

- Added multiple dokuwiki vulnerabilities

Approved by:    tobez

Add an entry for libxine -- buffer overflow vulnerability.

Document FreeBSD-SA-06:15.ypserv and FreeBSD-SA-06:16.smbfs.
Add the proper freebsdsa tag for older entries and bump
their modification date.

Document two freeradius issues, one newer and one older issue:
freeradius -- multiple vulnerabilities
freeradius -- authentication bypass vulnerability

Mark graphics/fractorama 1.6.7_1 "clean". This port now links against libtiff
from ports.

Approved by:    simon (secteam)

The awstats port has PORTEPOCH bumped, so update the vuxml entry awstats
-- arbitrary command execution vulnerability to reflect that.

Mumble, back out local changes which should not have been committed.

Mark squirrelmail-1.4.6_1 as fixed for squirrelmail -- plugin.php
local file inclusion vulnerability.

Document squirrelmail -- plugin.php local file inclusion vulnerability.

Document dokuwiki -- spellchecker remote PHP code execution.

Document drupal -- multiple vulnerabilities.

- Add last two MySQL vulnerabilities

MySQL -- SQL-injection security vulnerability
MySQL -- Information Disclosure and Buffer Overflow Vulnerabilities

Document frontpage -- cross site scripting vulnerability and point
FORBIDDEN from the frontpage ports at it.

While this is "only" a cross site scripting vulnerability it has some
rather serious implications which can allow an attacker to take over a
web site, so I'm keeping FORBIDDEN.

cscope -- buffer overflow vulnerabilities

coppermine -- Multiple File Extensions Vulnerability
coppermine -- "file" Local File Inclusion Vulnerability
coppermine -- File Inclusion Vulnerabilities

phpmyadmin -- XSRF vulnerabilities

- Normalize the topic of last entry

Requested by:   remko

- Add VuXML entry for vnc 4.1.1

- Add vulnerabilities in last topic.

phpldapadmin -- Cross-Site Scripting and Script Insertion

Modify the entry for p5-DBI insecure temporary files creation to reflect
the fact that version 1.37_1 of p5-DBI-137 is OK now.

Reviewed by:    simon

Add www/fswiki vulnerability.

- Add missing s in latest awstats entry's title.
- Document mysql50-server -- COM_TABLE_DUMP arbitrary code execution.

- Cancel last rsync entry. Does not affect FreeBSD port.

Notified by:    simon, pav
Discussed with: simon

Document awstat -- arbitrary command execution vulnerability.

Fix a incorrect use of cvename in the latest firefox entry, which I
missed when reviewing the entry (and which make validate did not / can
not catch).

phpwebftp -- "language" Local File Inclusion

Document firefox -- denial of service vulnerability

Reviewed by:    simon

trac -- Wiki Macro Script Insertion Vulnerability

rsync -- "xattrs.diff" Patch Integer Overflow Vulnerability

clamav -- Freshclam HTTP Header Buffer Overflow Vulnerability

- Add last jabberd entry:

jabberd -- SASL Negotiation Denial of Service Vulnerability

Also mark linux-seamonkey vulnerable to recent mozilla
vulnerabilities.

Reported by:    Andrew Pantyukhin infofarmer at gmail dotty com

cacti -- ADOdb "server.php" Insecure Test Script Security Issue

amaya -- Attribute Value Buffer Overflow Vulnerabilities

lifetype -- ADOdb "server.php" Insecure Test Script Security Issue

ethereal -- Multiple Protocol Dissector Vulnerabilities

My 100th commit to the vuln.xml file:

- Document Asterisk -- denial of service vulnerability, local system access.

Change paraview checks to be < 2.4.3 now that paraview uses system libtiff.

Document zgv, xzgv -- heap overflow vulnerability.

Document crossfire-server -- denial of service and remote code execution
vulnerability.

Document p5-DBI -- insecure temporary file creation vulnerability.

Document wordpress -- full path disclosure.

Document xine -- multiple remote string vulnerabilities.

Add an entry for cyrus-sasl -- DIGEST-MD5 Pre-Authentication
Denial of Service.

Also mark all other versions of FreeBSD (That were released) as
vulnerable.

Noticed by:     brueffer
Discussed with: brueffer, simon

Add FreeBSD -- FPU information disclosure (SA-06:14) to the
vuxml list.

Add some CERT references to latest Mozilla entry.

plone -- "member_id" Parameter Portrait Manipulation Vulnerability

Fix copy/paste error in last commit and mark linux-mozilla < 1.7.13 as
vulnerable.

Document mozilla/firefox/thunderbirds's latest attempt at Internet
Explorer compatibility.

Note that I omitted marking some really old mozilla versions as
vulnerable this time, since there is already a bunch of entries
covering these versions (which haven't been in ports for a while).

Update entry for sysutils/heartbeat. The insecure temporary file creation
vulnerability is fixed in 1.2.4.

Approved by:    secteam (simon)

mailman -- Private Archive Script Cross-Site Scripting

Document f2c -- insecure temporary files.

It is not very clear to me to see what version is fixed.  The one fixing
this port should import the latest available one which is fixed.

mplayer -- Multiple integer overflows

- Add Secunia references for last phpMyAdmin issue.

Document kaffeine -- buffer overflow vulnerability.

Document thunderbird -- javascript execution.

Update the latest zoo entry to match the latest update to the port.
This will mark zoo-2.10.1_2 and later as not vulnerable for this
issue.

phpmyadmin -- XSS vulnerabilities
phpmyadmin -- 'set_theme' Cross-Site Scripting

clamav -- Multiple Vulnerabilities

Add cvename to the recent OpenVPN entry.

Submitted by:   Matthias Andree <matthias dot andree at gmx dot de>

Document mediawiki -- hardcoded placeholder string security bypass
vulnerability.

Document netpbm -- buffer overflow in pnmtopng.

Document zoo -- stack based buffer overflow.

Document mediawiki -- cross site scripting vulnerability.

dia -- XFig Import Plugin Buffer Overflow

openvpn -- LD_PRELOAD code execution on client through malicious or compromised
server

PR:             95343
Submitted by:   Matthias Andree <matthias.andree__gmx.de>

samba -- Exposure of machine account credentials in winbind log files

Upgrade pubcookie from 3.3.0-beta2 to 3.3.0a fixing serious XSS
vulnerabilities.

Fill in the version numbers for the vids
6e3b12e2-6ce3-11da-b90c-000e0c2e438a and
82a41084-6ce7-11da-b90c-000e0c2e438a to show which Mantis versions
are vulnerable.

Submitted by:   In cooperation with dvl

For horde -- remote code execution vulnerability in the help viewer
entry:
- Add more references.
- Reformat description to follow normal formatting style better.
- Remove a redundant line in the description to make the meaning more
  clear.

freeradius -- EAP-MSCHAPv2 Authentication Bypass

Add an entry about Horde's remote code execution vulnerability in the
help viewer.

linux-realplayer -- buffer overrun
linux-realplayer -- heap overflow

Reviewed by:    simon

s/8 spaces/tab/ in the sendmail entry.

Noticed by:     simon

Record that our sendmail port was also vulnerable.
Bump modification date.

Update the 'Evolution - remote format string vulnerabilities' entry.

Document the latest three FreeBSD Security Advisories:

SA-06:13
SA-06:12
SA-06:11

xorg-server -- privilege escalation

Reviewed by:    simon

- heimdal -- Multiple vulnerabilities

Reviewed by:    simon

Document ftp/curl's TFTP packet buffer overflow vulnerability

Reworked by:    simon
Approved by:    security-officer (simon)