non port: security/vuxml/vuln.xml |
Number of commits found: 6273 (showing only 100 on this page) |
Sunday, 9 Mar 2014
|
08:18 kwm
Document freetype2 vuln.
MFH: 2014Q1
 |
Thursday, 6 Mar 2014
|
13:09 bapt
Reference xmms vulnerabilities: CVE-2007-0653 and CVE-2007-0654
 |
00:21 osa
Add security advisory for nginx-1.5.10.
 |
Wednesday, 5 Mar 2014
|
23:14 rene
Document new vulnerabilities in www/chromium < 33.0.1750.146
Obtained from: http://googlechromereleases.blogspot.nl/
 |
Tuesday, 4 Mar 2014
|
22:50 bdrewery
security/gnutls is fixed for CVE-2014-0092 and CVE-2014-1959
 |
22:17 delphij
Document GnuTLS multiple certification verification issues.
 |
Monday, 3 Mar 2014
|
14:38 bf
Add an entry for the file DOS vulnerability, CVE-2014-1943
 |
Sunday, 2 Mar 2014
|
15:26 demon
Use correct PORTREVISION for python33's CVE.
 |
Saturday, 1 Mar 2014
|
12:51 koobs
security/vuxml: Sort Python entry references alphabetically
MFH: 2014Q1
Reported by: remko
 |
10:51 koobs
security/vuxml: Document CVE-2014-1912 for Python 2.7 - 3.3
Python: buffer overflow in socket.recvfrom_into()
MFH: 2014Q1
Security: CVE-2014-1912
 |
Wednesday, 26 Feb 2014
|
21:27 ohauer
- add entry for subversion CVE-2014-0032
 |
Tuesday, 25 Feb 2014
|
19:45 cs
Report new vulnerability in otrs to vuxml
Security: CVE-2014-1695
 |
Monday, 24 Feb 2014
|
13:13 rene
Document new vulnerabilities in www/chromium < 33.0.1750.117
Obtained from: http://googlechromereleases.blogspot.nl/
MFH: 2014Q1
 |
Thursday, 20 Feb 2014
|
18:11 girgen
The PostgreSQL Global Development Group has released an important
update to all supported versions of the PostgreSQL database system,
which includes minor versions 9.3.3, 9.2.7, 9.1.12, 9.0.16, and
8.4.20. This update contains fixes for multiple security issues, as
well as several fixes for replication and data integrity issues. All
users are urged to update their installations at the earliest
opportunity, especially those using binary replication or running a
high-security application.
This update fixes CVE-2014-0060, in which PostgreSQL did not properly
enforce the WITH ADMIN OPTION permission for ROLE management. Before
this fix, any member of a ROLE was able to grant others access to the
same ROLE regardless if the member was given the WITH ADMIN OPTION
permission. It also fixes multiple privilege escalation issues,
including: CVE-2014-0061, CVE-2014-0062, CVE-2014-0063, CVE-2014-0064,
CVE-2014-0065, and CVE-2014-0066. More information on these issues can
be found on our security page and the security issue detail wiki page.
Security: CVE-2014-0060,CVE-2014-0061,CVE-2014-0062,CVE-2014-0063
CVE-2014-0064,CVE-2014-0065,CVE-2014-0066,CVE-2014-0067
 |
Saturday, 15 Feb 2014
|
17:05 lwhsu
- Last whitespace change
- Sort CVE entries
Notified by: remko
 |
12:10 matthew
Document the latest PMA security advisory: PMSA-2014-1
The version of PMA currently in ports (since 2014-02-09) is not
affected.
 |
09:09 lwhsu
Add CVE entry to references
Notified by: remko
 |
09:07 lwhsu
whitespace
Notified by: remko
 |
08:04 lwhsu
Document Jenkins Security Advisory 2014-02-14
 |
Friday, 14 Feb 2014
|
04:36 zi
- Document recent vulnerabilities in www/lighttpd
 |
Thursday, 6 Feb 2014
|
23:05 flo
Document phpmyfaq vulnerabilities
 |
20:39 cs
Update VUXML entry on recent otrs vulnerabilities
Suggested by: remko@
 |
Wednesday, 5 Feb 2014
|
15:57 eadler
Update the latest flash security advisory
 |
02:15 eadler
Report the latest flash security issue
 |
Tuesday, 4 Feb 2014
|
21:19 beat
Document mozilla vulnerabilities
Reviewed by: flo
 |
Sunday, 2 Feb 2014
|
13:52 zi
- Add modified date to libyaml entry
 |
03:51 zi
- Add libyaml to the libyaml vulnerability entry
 |
Saturday, 1 Feb 2014
|
20:53 bdrewery
- Document libyaml vulnerability in pkg
Security: CVE-2013-6393
 |
Wednesday, 29 Jan 2014
|
08:42 ehaupt
Use the same URL as in blockquote.
Submitted by: remko
 |
08:22 miwi
- Fix format
 |
07:53 ehaupt
Document socat vulnerability.
Security: CVE-2014-0019
 |
Tuesday, 28 Jan 2014
|
22:29 cs
2 new OTRS vulnerabilities
Security: CVE-2014-1471
 |
Monday, 27 Jan 2014
|
23:10 matthew
rt42-4.2.1_3, which appears only on the 2014Q1 branch, should also be
counted as not vulnerable.
 |
23:01 rene
Document vulnerabilities in www/chromium < 32.0.1700.102
Obtained from: http://googlechromereleases.blogspot.nl/
 |
22:46 matthew
Formatting fixes
Submitted by: remko
 |
21:08 decke
- Fix style for strongswan entry
Reported by: remko
 |
20:44 matthew
vuxml entry concerning the recent security advisory about www/rt42
from 4.2.0 to 4.2.2 inclusive. This is slightly unusual in that the
fix is applied to a completely different port
mail/p5-Email-Address-List which www/rt42 depends on.
Security: d1dfc4c7-8791-11e3-a371-6805ca0b3d42
 |
13:52 decke
- Fix typo in last entry
Reported by: bz
 |
13:31 decke
- Document multiple DoS vulnerabilities in strongswan
Security: CVE-2013-5018
Security: CVE-2013-6075
Security: CVE-2013-6076
 |
Saturday, 25 Jan 2014
|
09:24 koobs
Document Varnish HTTP Cache < 3.0.5 DoS Vulnerability
Reviewed by: remko
 |
Friday, 24 Jan 2014
|
05:05 eadler
Update flash to 11.2r202.335
Report security issues
PR: ports/185790
Reported by: Tsurutani Naoki <turutani@scphys.kyoto-u.ac.jp>
 |
Thursday, 23 Jan 2014
|
10:03 remko (src,doc committer)
Cleanup the HTMLDOC entry, long lines and remove the ...
entries because I think it's not needed. Also adjust
the previous entry by indenting correctly.
Hat: secteam
Facilitated by: Snow B.V.
 |
Wednesday, 22 Jan 2014
|
23:51 mandree
Document HTMLDOC < 1.8.28 vulnerability.
 |
Thursday, 16 Jan 2014
|
16:15 decke
Document virtualbox-ose vulnerabilities
Security: CVE-2013-5892
 |
Wednesday, 15 Jan 2014
|
21:41 rene
Document new vulnerabilities in www/chromium < 32.0.1700.77
Obtained from: http://googlechromereleases.blogspot.nl/
MFH: 2014Q1
 |
08:48 erwin
Sort references
Submitted by: remko
 |
08:36 erwin
Document SA-13:07.bind
 |
Tuesday, 14 Jan 2014
|
21:15 remko (src,doc committer)
Fix the latest entry, it has many issues, make validate
told us exactly what was wrong. I redid the entry and
just took out the ul/li structure and replaced it with
regular paragraphs. It might be worth investigating
to use the FreeBSD SA that got released because of this
as the main text, which is best suited imo.
Hat: secteam
 |
20:54 cy
Mark net/ntp forbidden.
Security: CVE-2013-5211 / VU#348126
 |
14:16 mat
Document the latest nagios vulnerability.
 |
Monday, 13 Jan 2014
|
17:38 mat
Security update to fix CVE-2014-0591 as reported at
https://kb.isc.org/article/AA-01078/74/
9.9.4 -> 9.9.4-P2
9.8.6 -> 9.8.6-P2
9.6-ESV-R10 -> 9.6-ESV-R10-P2
Security: CVE-2014-0591 Remote DOS
 |
Wednesday, 8 Jan 2014
|
10:42 zeising
Update libXfont to 1.4.7
This is a security fix and it is important to update, since it might lead to
a privilege escalation if the X server is run as root (which is the default)
Security: CVE-2013-6462
 |
Monday, 6 Jan 2014
|
23:55 delphij
Document OpenSSL 1.0.1e multiple vulnerabilities.
 |
Saturday, 28 Dec 2013
|
23:52 remko (src,doc committer)
Correct ident for most recent entries. No functional changes.
People, please be aware that we use the FreeBSD Documentation Primer
and that there are style rules we have to follow. If you are in
doubt please consult me and I am more than willing to help.
Hat: secteam
 |
Sunday, 22 Dec 2013
|
17:49 ohauer
- mark as FORBIDDEN (zero day SQL vuln)
Security: CVE-2013-7149
 |
Thursday, 19 Dec 2013
|
07:45 delphij
Cover gnupg1 ports/packages as well.
 |
Wednesday, 18 Dec 2013
|
23:04 delphij
Apply vendor fix for CVE-2013-6422, cURL libcurl cert name check ignore
with GnuTLS. Document the vulnerability fix in vuxml while I'm here.
 |
15:22 kuriyama
Add about gnupg-1.4.16.
 |
Tuesday, 17 Dec 2013
|
23:26 flo
- document asterisk vulnerabilities
- correctly order references [1]
Reported by: remko [1]
 |
Monday, 16 Dec 2013
|
23:37 flo
- update to 2.8.4
- add stage support
Security: 3b86583a-66a7-11e3-868f-0025905a4771
 |
04:11 delphij
Document Zabbix agent remote command execution vulnerability.
 |
Saturday, 14 Dec 2013
|
23:30 flo
Update to 5.3.28
Security: 47b4e713-6513-11e3-868f-0025905a4771
 |
13:42 flo
Update to nspr 4.10.2
Update to nss 3.15.3.1
Update firefox-esr and thunderbird to 24.2.0
Update firefox to 26.0
Update seamonkey to 2.23
- catch up with directory renames since USES=webplugins was introduced;
fixes plugins not being automatically enabled after install
- linux-firefox and linux-seamonkey can play HTML5 audio [2][3] and
measure about:memory usage, again
- dom.ipc.plugins.enabled->true no longer crashes linux-firefox, which makes
some flash sites work again; as there's no nspluginwrapper in-between
the infamous "youtube issue" never occurs
- install DEBUG with symbols [3] and describe the option better [4]
- enable dumping about:memory upon kill -65, kill -66 and GC/CC log
upon kill -67 to a file under /tmp directory; linux-firefox uses
kill -34, kill -35 and kill -36 respectively
PR: ports/183861 [1]
PR: ports/184006 [2]
PR: ports/169896 [3]
PR: ports/184285 [3]
PR: ports/184286 [4]
Security: dd116b19-64b3-11e3-868f-0025905a4771
In collaboration with: Jan Beich <jbeich@tormail.org>
 |
Tuesday, 10 Dec 2013
|
19:45 sunpoet
- Group affected packages
- Sort CVE
- Fix indent
Notified by: remko
 |
04:57 timur
Add entry for net/samba* CVE-2012-6150 and CVE-2013-4408
 |
Sunday, 8 Dec 2013
|
14:19 sunpoet
- Document Rails vulnerability
 |
Friday, 6 Dec 2013
|
00:38 delphij
Document drupal multiple vulnerabilities.
 |
Thursday, 5 Dec 2013
|
12:07 rene
Document new vulnerabilities in www/chromium < 31.0.1650.63
Obtained from: http://googlechromereleases.blogspot.nl/
 |
00:00 nivit
- Document multiple XSS core vulnerabilities for Joomla!
(2.5.0 <= version <= 2.5.14, 3.0.0 <= version <= 3.1.5)
 |
Tuesday, 3 Dec 2013
|
06:28 danfe
Update to version 1.3.3, which fixes an important crashy bug: denial of
service (server) using forcefully crashed aircrafts.
While here, reduce the diffs between other OpenTTD's VuXML entries; and
limit build logs verbosity to bulk package builders (or batch builds).
PR: ports/184434, ports/184435
Submitted by: Ilya A. Arkhipov
Security: CVE-2013-6411
 |
Sunday, 1 Dec 2013
|
15:10 ohauer
- security update to 3.3.1
This is a maintenance release that fixes a serious bug in the built-in HTTP
server. It was discovered that the handle_request() routine did not properly
perform input sanitization which led into a number of security
vulnerabilities.
An unauthenticated, remote attacker could exploit this flaw to execute
arbitrary commands on the remote host.
All users still using older versions are advised to upgrade to this version,
which resolves this issue.
Approved by: crees (maintainer, per PM)
Security: 620cf713-5a99-11e3-878d-20cf30e32f6d
 |
Monday, 25 Nov 2013
|
19:52 ohauer
- security update subversion-1.8.5 / 1.7.14 [1]
- add vuxml entry
- let bindings ports load options file [2]
[1]
Version 1.8.5
(25 November 2013, from /branches/1.8.x)
http://svn.apache.org/repos/asf/subversion/tags/1.8.5
User-visible changes:
- Client-side bugfixes:
* fix externals that point at redirected locations (issues #4428, #4429)
* diff: fix assertion with move inside a copy (issue #4444)
- Server-side bugfixes:
* mod_dav_svn: Prevent crashes with some 3rd party modules (r1537360 et al)
* mod_dav_svn: canonicalize paths properly (r1542071)
* mod_authz_svn: fix crash of mod_authz_svn with invalid config (r1541432)
* hotcopy: fix hotcopy losing revprop files in packed repos (issue #4448)
- Other tool improvements and bugfixes:
* mod_dontdothat: Fix the uri parser (r1542069 et al)
Developer-visible changes:
- General:
* fix compilation with '--enable-optimize' with clang (r1534860)
* fix compilation with debug build of BDB on Windows (r1501656, r1501702)
* fix '--with-openssl' option when building on Windows (r1535139)
* add test to fail when built against broken ZLib (r1537193 et al)
- Bindings:
* swig-rb: fix tests to run without installing on OS X (r1535161)
* ctypes-python: build with compiler selected via configure (r1536537)
Version 1.7.14
(25 Nov 2013, from /branches/1.7.x)
http://svn.apache.org/repos/asf/subversion/tags/1.7.14
User-visible changes:
- Client- and server-side bugfixes:
* fix assertion on urls of the form 'file://./' (r1516806)
- Client-side bugfixes:
* upgrade: fix an assertion when used with pre-1.3 wcs (r1530849)
* ra_local: fix error with repository in Windows drive root (r1518184)
* fix crash on windows when piped command is interrupted (r1522892)
* fix externals that point at redirected locations (issues #4428, #4429)
* diff: fix incorrect calculation of changes in some cases (issue #4283)
* diff: fix errors with added/deleted targets (issues #4153, #4421)
- Server-side bugfixes:
* mod_dav_svn: Prevent crashes with some 3rd party modules (r1537360 et al)
* fix OOM on concurrent requests at threaded server start (r1527103 et al)
* fsfs: limit commit time of files with deep change histories (r1536790)
* mod_dav_svn: canonicalize paths properly (r1542071)
- Other tool improvements and bugfixes:
* mod_dontdothat: Fix the uri parser (r1542069 et al)
Developer-visible changes:
- Bindings:
* javahl: canonicalize path for streamFileContent method (r1524869)
[2]
- Set OPTIONS_NAME to let bindings ports load the new options file.
Leave OPTIONSFILE for now to load the old file on systems where
it hasn't been moved to the new location yet.
- Remove an old hack.
PR: ports/180612 [2]
Submitted by: Tijl Coosemans <tijl@FreeBSD.org>
Security: e3244a7b-5603-11e3-878d-20cf30e32f6d
CVE-2013-4505
CVE-2013-4558
 |
Sunday, 24 Nov 2013
|
05:36 swills
- Update devel/ruby-gems to 1.8.28
- Document security issues with 1.8.26 and 1.8.27 (CVE-2013-4287 and
CVE-2013-4363)
Security: 742eb9e4-e3cb-4f5a-b94e-0e9a39420600
Security: 54237182-9635-4a8b-92d7-33bfaeed84cd
 |
Saturday, 23 Nov 2013
|
03:10 swills
- Fix and report heap overflow in floating point parsing issue in ruby
Security: cc9043cf-7f7a-426e-b2cc-8d1980618113
 |
Tuesday, 19 Nov 2013
|
23:11 timur
Add entries about CVE-2013-4475 and CVE-2013-4476 for net/samba* ports.
 |
17:54 osa
Document new vulnerability in www/nginx (< 1.4.4) and www/nginx-devel (< 1.5.7).
 |
Friday, 15 Nov 2013
|
12:57 rene
Document new vulnerability in www/chromium < 31.0.1650.57
Obtained from: http://googlechromereleases.blogspot.nl/
 |
Wednesday, 13 Nov 2013
|
14:07 remko (src,doc committer)
Fix the OpenSSH entry, a version entry should be marked
on a per rule basis, and not on its own lines, because
that would bogusly match other versions than intended.
When in doubt, please let me review your changes!!
hat: secteam
 |
05:55 eadler
Update to latest flash and mark the old one as vulnerable.
PR: ports/183911
Submitted by: Tsurutani Naoki <turutani@scphys.kyoto-u.ac.jp>
 |
Tuesday, 12 Nov 2013
|
19:08 rene
Document new vulnerabilities in www/chromium < 31.0.1650.48
Obtained from: http://googlechromereleases.blogspot.nl/
 |
Monday, 11 Nov 2013
|
12:34 bdrewery
- Fix versions for entry 5709d244-4873-11e3-8a46-000d601460a4
 |
Friday, 8 Nov 2013
|
12:50 bdrewery
- Document memory corruption in security/openssh-portable
 |
Wednesday, 6 Nov 2013
|
16:24 makc
Document vulnerability in irc/quassel
 |
Friday, 1 Nov 2013
|
12:37 wg
security/vuxml: add modified date for gnutls
Reported by: kwm
 |
11:16 wg
gnutls3 3.1.15 is affected by the same vulnerability
 |
Thursday, 31 Oct 2013
|
15:42 flo
Thunderbird is only at version 24.1.0, not 25.0
 |
Wednesday, 30 Oct 2013
|
20:59 flo
Add an entry for the recent mozilla vulnerabilities
 |
Monday, 28 Oct 2013
|
18:48 swills
- Update www/mod_pagespeed to 1.2.24.2,1
- Document security issue in mod_pagespeed
 |
07:04 sunpoet
- Cancel the vuxml entry correctly
Notified by: remko
 |
Sunday, 27 Oct 2013
|
18:19 sunpoet
- Revert previous commit
 |
17:53 sunpoet
- Document WordPress XSS vulnerability
 |
Friday, 25 Oct 2013
|
16:52 jgh
- Add url reference to 9065b930-3d8b-11e3-bd1a-e840f2096bd0
With Hat: ports-secteam
 |
16:07 wg
- Remove report url as it is a default CVE
Reported by: ak
 |
15:55 wg
- Document gnutls3 denial of service CVE
 |
Thursday, 24 Oct 2013
|
13:05 kwm
Document xorg-server use after free CVE.
Reviewed by: zeising@
 |
Saturday, 19 Oct 2013
|
08:27 delphij
Document pycrypto PRNG reseed race condition.
 |
03:54 swills
- Add CVE references to WordPress 3.6.1 entry
 |
03:40 swills
- Note issues with WordPress before 3.6.1
 |
03:22 swills
- node-devel packages is vulnerable too, guessing this is going to be fixed in
0.11.7, but if not, I'll update further.
 |
02:48 swills
- Update to 0.10.21 to address a security issue
PR: ports/183092
Submitted by: Kenji Rikitake <kenji.rikitake@acm.org>
Security: 206f9826-a06d-4927-9a85-771c37010b32
 |