Document unsafe use of environmental variable SASL_PATH in cyrus-sasl.

Approved by:    portmgr

Add some more apache ports.
Fix two errors found by nectar.

Approved by:    portmgr

Add imp3 issue, add apache13-ssl issue, correct a tag.

Approved by:    portmgr

Note that older packages of bmon were dangerously installed set-user-ID.

Approved by:    portmgr

Document GnuTLS denial-of-service (already mentioned in portaudit's
database).

Approved by:    portmgr

Record another PHP vulnerability.

Approved by:    portmgr

Record another PHP security issue.

Approved by:    portmgr

Note that xv should not be used.

Approved by:    portmgr

Note a symlink vulnerability in getmail.

Submitted by:   Shane Kinney <mod6@freebsdhackers.net>
Approved by:    portmgr

Fill in empty topic from previous commit.

Noticed by:     Shane Kinney <mod6@freebsdhackers.net>
Approved by:    portmgr

Record FreeBSD-SA-04:15.syscons.

Approved by:    portmgr

Add missing PORTEPOCH for samba.

Noticed by:     dinoex
Approved by:    portmgr

Note racoon certificate verification bug.

Submitted by:   Jon Passki <cykyc@yahoo.com>
Approved by:    portmgr

Note distcc IP address ACL bug.

Submitted by:   Jon Passi <cykyc@yahoo.com>
Approved by:    portmgr

Remove a duplicate entry.

Submitted by:   Jon Passki <cykyc@yahoo.com>
Approved by:    portmgr

Correct the version number for latest Mozilla entry.
(cut-n-paste damage)

Approved by:    portmgr

Document the last few of the relatively recent Mozilla vulnerabilities.

Approved by:    portmgr

Correct mangled CVE name: s/8983/0903/

Approved by:    portmgr

Add another two older vulnerabilities affecting Mozilla & co.
Continue to try hard to cover past package names:
  - I missed el-linux-mozillafirebird previously.
  - Move all the `obsolete' package names into one place
    for clarity.

Approved by:    portmgr

Don't forget `ja-samba' also.

Approved by:    portmgr

Note samba file disclosure vulnerability.

Approved by:    portmgr

Fix apache version number entry, bump modified date for apache as well.

Approved by:    portmgr

Make an initial attempt at covering all Mozilla/Firefox/Thunderbird
package names that we've had.  Similar changes need to be made to many
other entries, but let's use this one as a test subject first.

Approved by:    portmgr

Correct spelling of phpnuke package name.

Reported by:    Dan Langille
Approved by:    portmgr

Note BMP decoder flaws in Mozilla/Firefox/Thunderbird.

Approved by:    portmgr

Note stack buffer overflow in Mozilla mail.

Approved by:    portmgr

Document Mozilla/Firefox/Thunderbird heap buffer overflows.

Approved by:    portmgr

Correct the package name for phpMyAdmin.

Reported by:    Matthew Seaman <m.seaman@infracaninophile.co.uk>
Approved by:    portmgr

Add CERT Vulnerability Note references to xpm entry.

Approved by:    portmgr

Note two older vulnerabilities in PHP.

Submitted by:   Jon Passki <cykyc@yahoo.com>
Approved by:    portmgr

Note subversion information disclosure vulnerability.

Submitted by:   lev
Approved by:    portmgr

Add missing PORTEPOCH in a mozilla entry.
Correct package name in an apache entry.

Reported by:    Dan Langille <dan@langille.org>
Approved by:    portmgr

Forgot to add <modified> element for last commit.

Approved by:    portmgr

Add missing PORTEPOCH on one of the mozilla entries.

Noticed by:     Dan Langille <dan@langille.org>
Approved by:    portmgr

Document vulnerabilities in lha.

Reviewed by:    dinoex
Approved by:    portmgr

Lately it seems I like to use dashes in topics... but I should at
least be consistent with how many.  s/---/--/

Approved by:    portmgr

Document mysql buffer overflow.

Reported by:    ale
Approved by:    portmgr

Document Mozilla security icon spoofing vulnerability.

Approved by:    portmgr

Document Mozilla vulnerability involving NULL bytes in FTP URLs.

Also, correct s/firebird/firefox/ in a previously documented issue.

Approved by:    portmgr

Document Mozilla automatic file upload vulnerability.

Approved by:    portmgr

Document mozilla certificate import denial-of-service vulnerability.

Approved by:    portmgr

Note a file name disclosure issue in rssh.

Reported by:    leeym
Approved by:    portmgr

Add entry describe GNU Radius denial-of-service vulnerability.

Approved by:    portmgr

Add sudoedit vulnerability.

Approved by:    portmgr

In latest CVS entry, remove the reference to the exploit.  It does
not apply to any of these vulnerabilities, but to the previous CVS
vulnerability (CAN-2004-0396).

Approved by:    portmgr

Oh yeah, add affected FreeBSD versions for CVS issues.

Approved by:    portmgr

Update CVS entry with some details.

Approved by:    portmgr

Add an entry for the mod_proxy buffer overflow existant in apache13.

Approved by:    portmgr

Note some fixes for XPM image decoding vulnerabilities.

Submitted by:   lesi

Add references to Chris Evans's advisories while I'm at it.

Approved by:    portmgr

Update to gdk-pixbuf vulnerability to reflect the fixed version of gtk20.

Approved by:    portmgr( implicit)

Note that a patched version of webmin 1.150 is now available, thanks
to olengi@.

Submitted by:   olengi

Add a paragraph introducing the Webmin blockquote while I'm here.

Approved by:    portmgr

Note gdk-pixbuf image decoding issues.

Approved by:    portmgr

clement@ has patched Apache 2.

Approved by:    portmgr

Note CUPS printer queue browser denial-of-service.

Approved by:    portmgr

Note Apache 2 IPv6 address parsing bug.

Approved by:    portmgr

Note new libXpm vulnerabilities.

Approved by:    portmgr

I appear to have deleted a line at the last minute.  Restore it.

Approved by:    portmgr

Add mod_dav denial-of-service issue.

Approved by:    portmgr

Oops, forgot to note that the previous issue affects only the Apache 2.x
series.

Approved by:    portmgr

Add Apache 2 vulnerability concerning environmental variables in
configuration files.

Approved by:    portmgr

Repair three <freebsdpr> elements.  The content of these elements
must be e.g. "ports/46613", not just "46613".

Reported by:    Matthew Seaman <m.seaman@infracaninophile.co.uk>
Approved by:    portmgr

Note that some versions of OpenOffice have been corrected.

Approved by:    portmgr

Fix botched date entry and correct iDefense URL.

Approved by:    portmgr

Really add Samba 3 vulnerability.
Remove incorrect URL in mpg123 entry.

Approved by:    portmgr
URL noticed:    nectar

Correct version.  Note my last commit here was for mpg123 instead of
samba3.

Noticed by:     nectar
Approved by:    portmgr

- There is a WITHOUT_X11 version of ImageMagick that needs to be
  taken into account.
- Fix transposed characters in `isakmpd'.

Noticed by:     Dan Langille <dan@langille.org>

- Add CVE name reference for ImageMagick.
- Add webmin temporary file handling issue.
- Add OpenOffice temporary file handling issue.
- Widen the `KDE frame injection' issue to cover Mozilla, Firebird,
  Netscape, and Opera as well
- Add Mozilla/Firebird/Netscape SOAPParameter vulnerability
- Add Mozilla/Thunderbird/Netscape POP client vulnerability

Approved by:    portmgr

Update for recent Samba3 vulnerabilities.

Approved by:    portmgr

Adjust the affected version for imlib now that the 2nd instance of BMP
loader has been corrected.

The recent commit to the krb5 port brought the version to 1.3.4_1 but
did not correct one of the existing vulnerabilities.  Update the
affected range to compensate.

Note recent MIT Kerberos 5 vulnerabilities.

Document imlib2 BMP decoder bug.

Document BMP decoder bugs in imlib1 and ImageMagick.

Correct bogus date in mysql entry. (It should be YYYY-MM-DD, not
DD-MM-YYYY.)

Reported by:    robert@openbsd.org

Add more references (particularly CVE names) for issues affecting
SpamAssassin, tnftpd, ruby, mysql.

Place text taken from another source inside <blockquote cite="...">
for ruby issue.

correct/add some references

Document NSS SSLv2 server buffer overflow (already referenced in
portaudit.txt).

Document ripMIME decoding bug (already referenced in portaudit.txt).

Remove <modified/> from the gnomevfs vulnerability since it was the same
as <entry/> and it needed to be last anyway.

Suggested by:   nectar

Update the gnomevfs entry to reflect the fixed versions.

Add entry for moinmoin ACL bypass.

Note sanitize_path bug in rsync (already referenced in portaudit.txt).

Unsafe URI handling in gnome-vfs, MidnightCommander.

Document buffer overflows in SoX (already referenced in portaudit.txt).

Document cookie bug in Konqueror (already referenced in portaudit.txt).

- Fix "make validate" problem when textproc/xhtml-basic is
  installed by adding an SGML declaration and DTDDECL.
- Remove the --catalogs option for xmllint(1) in validate.sh.

Approved by:    nectar (maintainer)
PR:             ports/63035

Place port name in the description.

Suggested by:   eik

Add libxine vcd URL handling issue.

Add DoS in SpamAssassin.

Add <modified> date for previous commit.

fidogate-ds was also affected by the ``write files as `news' user''
issue.

Off-by-one error in courier-imap entry.

Noticed by:     oliver

Add a more useful reference for the Qt issue.

Add Qt heap overflow issue.

Add a security issue affected courier-imap when run with certain debug
flags.

Add fidogate issue.

Add an issue covering a vulnerability in mysqlhotcopy.

Reported by:    robert@openbsd.org

Cancel a VuXML entry for an Apache vulnerability that does not affect
FreeBSD.

Reminded by:    recent conversations :-)

cancelled 6fd9a1e9-efd3-11d8-9837-000c41e2cdad: does not affect FreeBSD
  <http://docs.FreeBSD.org/cgi/mid.cgi?20040817123651.GB930>

Add a pointer to Przemyslaw Frasunek's advisory.

For the lukemftpd/tnftpd issue, add a reference to NetBSD security
advisory now that it is available.