non port: security/vuxml/vuln.xml |
Number of commits found: 6273 (showing only 100 on this page) |
Thursday, 21 Apr 2016
|
02:01 junovitch
Document squid -- multiple vulnerabilities
PR: 208939
Reported by: Pavel Timofeev <timp87@gmail.com>
Security: CVE-2016-4054
Security: CVE-2016-4053
Security: CVE-2016-4052
Security: CVE-2016-4051
Security: https://vuxml.FreeBSD.org/freebsd/e05bfc92-0763-11e6-94fa-002590263bf5.html
 |
Wednesday, 20 Apr 2016
|
12:33 matthew
CVE-2016-3096 -- ansible and ansible1 vulnerability due to using
predictable temporary file names when managing LXC containers.
 |
11:46 mm
Document security vulnerability in proftpd mod_tls.
PR: 208876
Security: CVE-2016-3125
 |
Tuesday, 19 Apr 2016
|
20:14 rene
Document new vulnerabilities in www/chromium < 50.0.2661.75
Obtained from: http://googlechromereleases.blogspot.nl/2016/04/stable-channel-update_13.html
 |
00:36 junovitch
Document wpa_supplicant security advisories
PR: 208482
Security: CVE-2015-5310
Security: CVE-2015-5315
Security: CVE-2015-5316
Security: https://vuxml.FreeBSD.org/freebsd/976567f6-05c5-11e6-94fa-002590263bf5.html
 |
Sunday, 17 Apr 2016
|
20:07 junovitch
Document earlier dhcpcd security issue that has been fixed in an earlier
version before the security implications were reported.
PR: 208840
Submitted by: Ben Woods <woodsb02@gmail.com>
Submitted by: Roy Marples <roy@marples.name>
Security: CVE-2014-7912
Security: https://vuxml.FreeBSD.org/freebsd/092156c9-04d7-11e6-b1ce-002590263bf5.html
 |
01:16 junovitch
Document dhcpcd security remote execution/denial of service
PR: 208840
Submitted by: Ben Woods <woodsb02@gmail.com>
Security: CVE-2014-7913
Security: https://vuxml.FreeBSD.org/freebsd/6ec9f210-0404-11e6-9aee-bc5ff4fb5ea1.html
 |
Friday, 15 Apr 2016
|
15:12 madpilot
Document Asterisk and PJsip vulnerabilities.
 |
Thursday, 14 Apr 2016
|
02:07 junovitch
Document go remote denial of service
Security: CVE-2016-3959
Security: https://vuxml.FreeBSD.org/freebsd/f2217cdf-01e4-11e6-b1ce-002590263bf5.html
 |
Wednesday, 13 Apr 2016
|
18:59 feld
Document linux-c6-nspr which was overlooked in previous vuxml entry
 |
Tuesday, 12 Apr 2016
|
18:49 timur
Multiple vulnerabilities in Samba.
[CVE-2015-5370] Errors in Samba DCE-RPC code can lead to denial of service
(crashes and high cpu consumption) and man in the middle attacks.
[CVE-2016-2110] The feature negotiation of NTLMSSP is not downgrade protected. A
man in the middle is able to clear even required flags,
especially NTLMSSP_NEGOTIATE_SIGN and NTLMSSP_NEGOTIATE_SEAL.
[CVE-2016-2111] When Samba is configured as Domain Controller it allows remote
attackers to spoof the computer name of a secure channel's endpoints,
and obtain sensitive session information, by running a crafted application
and leveraging the ability to sniff network traffic.
[CVE-2016-2112] A man in the middle is able to downgrade LDAP connections to no
integrity protection.
[CVE-2016-2113] Man in the middle attacks are possible for client triggered LDAP
connections (with ldaps://) and ncacn_http connections (with https://).
[CVE-2016-2114] Due to a bug Samba doesn't enforce required smb signing, even if
explicitly configured.
[CVE-2016-2115] The protection of DCERPC communication over ncacn_np (which is
the default for most of the file server related protocols) is inherited
from the underlying SMB connection.
[CVE-2016-2118] a.k.a. BADLOCK. A man in the middle can intercept any DCERPC
traffic between a client and a server in order to impersonate the client
and get the same privileges as the authenticated user account. This is most
problematic against active directory domain controllers.
Security: CVE-2015-5370
CVE-2016-2110
CVE-2016-2111
CVE-2016-2112
CVE-2016-2113
CVE-2016-2114
CVE-2016-2115
CVE-2016-2118
Sponsored by: Micro$oft
 |
Sunday, 3 Apr 2016
|
14:19 junovitch
Document multiple vulnerabilities from the 31 Mar 16 PHP releases
PR: 208465
Reported by: Christian Schwarz <me@cschwarz.com>
Security: https://vuxml.FreeBSD.org/freebsd/482d40cb-f9a3-11e5-92ce-002590263bf5.html
 |
13:43 junovitch
Document PCRE heap overflow vulnerability
PR: 208260
Reported by: Sevan Janiyan <venture37@geeklan.co.uk>
Security: CVE-2016-1283
Security: https://vuxml.FreeBSD.org/freebsd/497b82e0-f9a0-11e5-92ce-002590263bf5.html
 |
02:27 junovitch
Document djblets vulnerability from the 0.9.2 release notes
Security: https://vuxml.FreeBSD.org/freebsd/df328fac-f942-11e5-92ce-002590263bf5.html
 |
02:11 junovitch
Document multiple security advisories for Moodle
Security: CVE-2016-2151
Security: CVE-2016-2152
Security: CVE-2016-2153
Security: CVE-2016-2154
Security: CVE-2016-2155
Security: CVE-2016-2156
Security: CVE-2016-2157
Security: CVE-2016-2158
Security: CVE-2016-2159
Security: CVE-2016-2190
Security: https://vuxml.FreeBSD.org/freebsd/a430e15d-f93f-11e5-92ce-002590263bf5.html
 |
00:48 junovitch
Add additional reference URL for Kamailio entry from r411376
Security: CVE-2016-2385
Security: https://vuxml.FreeBSD.org/freebsd/c428de09-ed69-11e5-92ce-002590263bf5.html
 |
00:00 junovitch
Document squid multiple vulnerabilities
PR: 208463
Security: CVE-2016-3947
Security: CVE-2016-3948
Security: https://vuxml.FreeBSD.org/freebsd/297117ba-f92d-11e5-92ce-002590263bf5.html
 |
Thursday, 31 Mar 2016
|
14:52 girgen
This CVE is actually for the -contrib module:
Security: CVE-2016-3065
 |
14:43 girgen
Add vuxml entries for "Security Fixes for RLS, BRIN"
in PostgreSQL 9.5
Security: CVE-2016-2193
Security: CVE-2016-3065
 |
12:25 tijl
Document latest batch of flash plugin vulnerabilities.
 |
08:01 madpilot
Document multiple Botan vulnerabilities.
PR: 208393
Submitted by: Lapo Luchini <lapo at lapo.it>
Security: CVE-2015-5726
Security: CVE-2015-5727
Security: CVE-2016-2194
Security: CVE-2016-2195
 |
Tuesday, 29 Mar 2016
|
22:15 olivierd
Document multiple Mercurial vulnerabilities
Security: CVE-2016-3630
Security: CVE-2016-3068
Security: CVE-2016-3069
 |
20:08 cmt
Document chromium vulnerabilities
Approved by: miwi (mentor), rene (mentor)
 |
Monday, 28 Mar 2016
|
01:51 junovitch
Document BIND security advisories
PR: 208034
Reported by: martin@lispworks.com
Security: CVE-2016-1285
Security: CVE-2016-1286
Security: CVE-2016-2088
Security: https://vuxml.FreeBSD.org/freebsd/c9075321-f483-11e5-92ce-002590263bf5.html
Security: https://vuxml.FreeBSD.org/freebsd/cba246d2-f483-11e5-92ce-002590263bf5.html
Security: https://vuxml.FreeBSD.org/freebsd/cd409df7-f483-11e5-92ce-002590263bf5.html
 |
01:50 junovitch
Syntax fix, drop leading FreeBSD- in <freebsdsa> tags as it caused links with
a FreeBSD-FreeBSD-SA starting the URL.
 |
Sunday, 27 Mar 2016
|
01:42 junovitch
Document Salt Insecure configuration of PAM external authentication service
PR: 208244
Security: CVE-2016-3176
Security: https://vuxml.FreeBSD.org/freebsd/6d25c306-f3bb-11e5-92ce-002590263bf5.html
 |
Friday, 25 Mar 2016
|
17:04 tj
Document multiple activemq vulnerabilities:
CVE-2016-0782 - ActiveMQ Web Console - Cross-Site Scripting
CVE-2016-0734 - ActiveMQ Web Console - Clickjacking
CVE-2015-5254 - Unsafe deserialization in ActiveMQ
PR: 208163
PR: 208193
Security: CVE-2015-5254
Security: http://activemq.apache.org/security-advisories.data/CVE-2015-5254-announcement.txt
Security: CVE-2016-0782
Security: http://activemq.apache.org/security-advisories.data/CVE-2016-0782-announcement.txt
Security: CVE-2016-0734
Security: http://activemq.apache.org/security-advisories.data/CVE-2016-0734-announcement.txt
 |
Monday, 21 Mar 2016
|
02:43 feld
Fix version range for pcre2 vulnerability
PR: 208167
Security: CVE-2016-3191
 |
02:32 feld
Document pcre vulnerability
PR: 208167
Security: CVE-2016-3191
 |
Saturday, 19 Mar 2016
|
01:22 junovitch
Document kamailio SEAS Module Heap overflow vulnerability
Security: CVE-2016-2385
Security: https://vuxml.FreeBSD.org/freebsd/c428de09-ed69-11e5-92ce-002590263bf5.html
 |
00:24 junovitch
Document hadoop2 unauthorized disclosure of data vulnerability
Security: CVE-2015-1776
Security: https://vuxml.FreeBSD.org/freebsd/5dd39f26-ed68-11e5-92ce-002590263bf5.html
 |
Friday, 18 Mar 2016
|
11:22 garga
Update git packages and versions affected by CVE-2016-2324
MFH: 2016Q1
Sponsored by: Rubicon Communications (Netgate)
 |
Thursday, 17 Mar 2016
|
02:45 junovitch
Document possible code execution and integer overflow issue in git
PR: 208074
Reported by: Sevan Janiyan <venture37@geeklan.co.uk> (via PR)
Reported by: Tony Tung <tonytung@merly.org> (via email)
Security: CVE-2016-2315
Security: CVE-2016-2324
Security: https://vuxml.FreeBSD.org/freebsd/93ee802e-ebde-11e5-92ce-002590263bf5.html
Security: https://vuxml.FreeBSD.org/freebsd/d2a84feb-ebe0-11e5-92ce-002590263bf5.html
 |
Monday, 14 Mar 2016
|
16:46 feld
Document node vulnerabilities
PR: 207832
Security: CVE-2016-0702
Security: CVE-2016-0705
Security: CVE-2016-0797
 |
14:03 feld
Document dropbear security vulnerability
PR: 207903
Security: CVE-2016-3116
 |
13:56 feld
Document assigned CVE for recent ssh vulnerability
Security: CVE-2016-3115
 |
12:10 jbeich
Document one more graphite2 vulnerability
 |
Sunday, 13 Mar 2016
|
16:31 riggs
Fix copy/paste error from previous commit
 |
16:28 riggs
Document XSS vulnerability in graphics/jpgraph2 before 3.0.7_1
PR: 207001
Security: CVE-2009-4422
 |
14:43 junovitch
Document issues in recent PHP security release
Security: https://vuxml.FreeBSD.org/freebsd/e991ef79-e920-11e5-92ce-002590263bf5.html
Security: https://vuxml.FreeBSD.org/freebsd/5af511e5-e928-11e5-92ce-002590263bf5.html
 |
14:39 junovitch
Expand February PHP entry with extra CVE and all security bugs on changelog
Security: CVE-2016-2554
Security: https://vuxml.FreeBSD.org/freebsd/85eb4e46-cf16-11e5-840f-485d605f4717.html
 |
Friday, 11 Mar 2016
|
22:50 bdrewery
Document OpenSSH 7.2p2 fix for X11Forwarding command injection
 |
Thursday, 10 Mar 2016
|
23:37 feld
Document net/quagga vulnerability
Security: CVE-2016-2342
 |
19:50 feld
net-im/ricochet: Document vulnerability
PR: 207536
 |
15:03 feld
Document security/pidgin-otr vulnerability
Security: CVE-2015-8833
 |
Wednesday, 9 Mar 2016
|
22:58 feld
Update libotr vulnerability information
Correct description is "integer overflow"
libotr3 has also been added as vulnerable. It appears vulnerable as it
also has datalen defined as unsigned int and identical functions.
Security: http://www.vuxml.org/freebsd/c2b1652c-e647-11e5-85be-14dae9d210b8.html
 |
22:42 feld
Document security/libotr vulnerability
It is not clear at this time if security/libotr3 is also affected.
Security: CVE-2016-2851
 |
01:47 jbeich
Adjust brotli vulnerability after MFH in r410670
 |
Tuesday, 8 Mar 2016
|
21:16 jbeich
Adjust brotli vulnerability after r410664
 |
20:41 jbeich
Move brotli to its own entry
 |
19:45 jbeich
Document recent Firefox vulnerabilities
 |
01:45 junovitch
Document Django multiple vulnerabilities
Security: CVE-2016-2512
Security: CVE-2016-2513
Security: https://vuxml.FreeBSD.org/freebsd/f9e6c0d1-e4cc-11e5-b2bd-002590263bf5.html
 |
01:09 junovitch
Wrap long lines. No content change.
 |
01:00 junovitch
Document Wordpress multiple vulnerabilities
While here, fix URL reference in last Wordpress entry
Security: CVE-2016-2221
Security: CVE-2016-2222
Security: https://vuxml.FreeBSD.org/freebsd/fef03980-e4c6-11e5-b2bd-002590263bf5.html
 |
Monday, 7 Mar 2016
|
15:37 madpilot
Add CVE Names for old asterisk vulnerabilities.
 |
12:53 mandree
New: remote buffer overflow in PuTTY < 0.67's scp documented
Security: CVE-2016-2563
 |
Sunday, 6 Mar 2016
|
13:22 rakuco
Add entries for CVE-2013-6892 and CVE-2016-2511 in devel/websvn.
Security: CVE-2013-6892
Security: CVE-2016-2511
 |
06:37 sunpoet
- Document Ruby on Rails multiple vulnerabilities
 |
Saturday, 5 Mar 2016
|
20:39 cmt
Document recent chromium vulnerabilities
Approved by: miwi (mentor), rene (mentor)
Obtained from: http://googlechromereleases.blogspot.de/2016/03/stable-channel-update.html
 |
13:10 rakuco
Make 7d09b9ee-e0ba-11e5-abc4-6fb07af136d2 pass `make validate'.
 |
13:09 rakuco
Add entry for security/libssh's CVE-2016-0739.
This was fixed in r409932, but the 2016Q1 branch is still vulnerable.
 |
Wednesday, 2 Mar 2016
|
21:17 vsevolod
Document the latest exim vulnerability - local privileges escalation via
insecure environment when using `perl_startup` option and setuid exim.
 |
13:53 feld
Update graphite vuxml entry to add another relevant URL
PR: 207574
 |
02:28 junovitch
Document SQL injection and authentication bypass in Cacti
Note CVE-2015-8369/upstream bug 0002646: SQL injection in graph.php
was also fixed in this release but that was backported to 0.8.8f and is
covered in a prior entry.
PR: 207444
Security: CVE-2015-8377
Security: CVE-2015-8604
Security: CVE-2016-2313
Security: https://vuxml.FreeBSD.org/freebsd/db3301be-e01c-11e5-b2bd-002590263bf5.html
 |
Tuesday, 1 Mar 2016
|
07:30 matthew
Document the latest round of phpMyAdmin vulnerabilities. Lots of XSS
problems, and a man-in-the-middle attack on API calls to GitHub.
 |
03:00 junovitch
Document wireshark multiple vulnerabilities
Security: CVE-2016-2522
Security: CVE-2016-2523
Security: CVE-2016-2524
Security: CVE-2016-2525
Security: CVE-2016-2526
Security: CVE-2016-2527
Security: CVE-2016-2528
Security: CVE-2016-2529
Security: CVE-2016-2530
Security: CVE-2016-2531
Security: CVE-2016-2532
Security: https://vuxml.FreeBSD.org/freebsd/45117749-df55-11e5-b2bd-002590263bf5.html
Security: https://vuxml.FreeBSD.org/freebsd/42c2c422-df55-11e5-b2bd-002590263bf5.html
 |
Sunday, 28 Feb 2016
|
22:50 osa
Update www/tomcat7 version.
 |
22:10 feld
Update tomcat vuxml entry
CVE-2015-5346 does not affect Tomcat 6.
 |
21:44 feld
Document additional tomcat vulnerabilities
Security: CVE-2015-5346
Security: CVE-2015-5351
Security: CVE-2016-0763
 |
21:37 feld
Update documented tomcat vulnerabilities
 |
20:50 feld
Document tomcat vulnerabilities
Security: CVE-2016-0714
 |
18:15 girgen
Document vulnerability in xerces-c3
Security: CVE-2016-0729
 |
00:50 junovitch
Revise Squid entry with CVE assignment and SQUID-2016:2 advisory reference
PR: 207454
Reported by: Pavel Timofeev <timp87@gmail.com>
Security: CVE-2016-2569
Security: CVE-2016-2570
Security: CVE-2016-2571
Security: https://vuxml.FreeBSD.org/freebsd/660ebbf5-daeb-11e5-b2bd-002590263bf5.html
 |
00:48 feld
Document django vulnerability
Security: CVE-2016-2048
 |
00:29 junovitch
Document Xen Security Advisories (XSAs 167, 168, 170)
Security: CVE-2016-1570
Security: CVE-2016-1571
Security: CVE-2016-2271
Security: https://vuxml.FreeBSD.org/freebsd/7ed7c36f-ddaf-11e5-b2bd-002590263bf5.html
Security: https://vuxml.FreeBSD.org/freebsd/80adc394-ddaf-11e5-b2bd-002590263bf5.html
Security: https://vuxml.FreeBSD.org/freebsd/81f9d6a4-ddaf-11e5-b2bd-002590263bf5.html
 |
00:25 feld
Document moodle vulnerabilities
Security: CVE-2016-0724
Security: CVE-2016-0725
 |
Friday, 26 Feb 2016
|
16:16 feld
Document multimedia/pitivi vulnerability
Security: CVE-2015-0855
 |
15:50 feld
Document graphics/giflib vulnerability
Security: CVE-2015-7555
 |
Thursday, 25 Feb 2016
|
15:36 feld
Document drupal vulnerabilities
PR: 207467
Security: https://www.drupal.org/SA-CORE-2016-001
 |
05:25 lwhsu
Document Jenkins Security Advisory 2016-02-24
 |
Wednesday, 24 Feb 2016
|
20:27 feld
vuxml: Update entry for graphics/jasper
These vulnerabilities are resolved in 1.900.1_16
Security: http://www.vuxml.org/freebsd/006e3b7c-d7d7-11e5-b85f-0018fe623f2b.html
Security: http://www.vuxml.org/freebsd/f1692469-45ce-11e5-adde-14dae9d210b8.html
 |
11:46 junovitch
Document squid remote DoS in HTTP response processing
PR: 207454
Reported by: Pavel Timofeev <timp87@gmail.com>
Security: https://vuxml.FreeBSD.org/freebsd/660ebbf5-daeb-11e5-b2bd-002590263bf5.html
 |
Sunday, 21 Feb 2016
|
15:25 junovitch
Document bsh remote code execution vulnerability
PR: 207334
Submitted by: pfg (maintainer)
Security: CVE-2016-2510
Security: https://vuxml.FreeBSD.org/freebsd/9e5bbffc-d8ac-11e5-b2bd-002590263bf5.html
 |
14:55 junovitch
Document libsrtp DoS via crafted RTP header vulnerability
PR: 207003
Reported by: pi
Security: CVE-2015-6360
Security: https://vuxml.FreeBSD.org/freebsd/6171eb07-d8a9-11e5-b2bd-002590263bf5.html
 |
14:54 junovitch
Respace entry so `make validate' passes
 |
Saturday, 20 Feb 2016
|
14:01 dinoex
- add jasper -- multiple vulnerabilities
- fix version for CVE-2015-5221
 |
Thursday, 18 Feb 2016
|
23:08 feld
Document that graphics/silgraphite is also vulnerable
Security: http://www.vuxml.org/freebsd/8f10fa04-cf6a-11e5-96d6-14dae9d210b8.html
 |
21:23 rene
Document new vulnerability in www/chromium < 48.0.2564.116
Obtained from: http://googlechromereleases.blogspot.nl/2016/02/stable-channel-update_18.html
 |
03:04 junovitch
Document Linux glibc crash/code execution via crafted DNS responses
PR: 207272
Submitted by: Johannes Jost Meixner <johannes@meixner.dk>
Security: CVE-2015-7547
Security: https://vuxml.FreeBSD.org/freebsd/2dd7e97e-d5e8-11e5-bcbd-bc5ff45d0f28.html
 |
02:20 junovitch
Revise earlier Squid entry with official Squid SA as a reference
PR: 203186
Security: https://vuxml.FreeBSD.org/freebsd/d3a98c2d-5da1-11e5-9909-002590263bf5.html
 |
02:16 junovitch
Document Squid SSL/TLS processing remote DoS
PR: 207294
Security: CVE-2016-2390
Security: https://vuxml.FreeBSD.org/freebsd/56562efb-d5e4-11e5-b2bd-002590263bf5.html
 |
Wednesday, 17 Feb 2016
|
17:23 feld
Document databases/adminer vulnerabilities
 |
Tuesday, 16 Feb 2016
|
22:48 jkim
Correct CVE numbers for recent Flash vulnerabilities.
 |
02:40 cpm
Document libgcrypt side-channel attack on ECDH
PR: 207107
Security: CVE-2015-7511
Security: https://vuxml.FreeBSD.org/freebsd/95b92e3b-d451-11e5-9794-e8e0b747a45a.html
 |
01:00 junovitch
Document xdelta3 buffer overflow vulnerability
PR: 207174
Security: CVE-2014-9765
Security: https://vuxml.FreeBSD.org/freebsd/f1bf28c5-d447-11e5-b2bd-002590263bf5.html
 |
Monday, 15 Feb 2016
|
15:31 miwi
- Update Description from previous commit.
PR: 207207
Suggested by: Jan Beich
 |
15:18 miwi
- Document firefox -- Same-origin-policy violation using Service Workers with
plugins
PR: 20720
Submitted by: Christoph Moench-Tegeder
 |
Sunday, 14 Feb 2016
|
21:18 junovitch
Add CVE to the OpenSSH 7.0.p1 entry and also mention CVE-2015-6565
Security: CVE-2015-6563
Security: CVE-2015-6564
Security: CVE-2015-6565
Security: https://vuxml.FreeBSD.org/freebsd/2920c449-4850-11e5-825f-c80aa9043978.html
 |
19:11 girgen
Correct URL.
 |
14:46 miwi
- Fix formatting
 |