non port: security/vuxml/vuln.xml

Number of commits found: 6273 (showing only 100 on this page)


Thursday, 17 Oct 2013
19:35 ohauer
- update to latest release [1]
- use PKGNAMESUFFIX instead LATEST_LINK
- whitespace cleanup
- svn mv */bugzilla to */bugzilla40
- add vuxml entry

4.4.1, 4.2.7, and 4.0.11 Security Advisory
Wednesday Oct 16th, 2013

Summary
=======

Bugzilla is a Web-based bug-tracking system used by a large number of
software projects. The following security issues have been discovered
in Bugzilla:

* A CSRF vulnerability in process_bug.cgi affecting Bugzilla 4.4 only
  can lead to a bug being edited without the user consent.

* A CSRF vulnerability in attachment.cgi can lead to an attachment
  being edited without the user consent.

* Several unfiltered parameters when editing flagtypes can lead to XSS.

* Due to an incomplete fix for CVE-2012-4189, some incorrectly filtered
  field values in tabular reports can lead to XSS.

All affected installations are encouraged to upgrade as soon as
possible.

[1]  Even though bugzilla40 gets upstream fixes, an upgrade to bugzilla42/44 is
recommended

Security:	vid e135f0c9-375f-11e3-80b7-20cf30e32f6d
		CVE-2013-1733
		CVE-2013-1734
		CVE-2013-1742
		CVE-2013-1743
Revision: 330666
12:43 des
Fix build by commenting out the most recent of the two discovery
dates.
Revision: 330634
10:56 ak
- Fix year, move entry up
Revision: 330627
10:46 ak
- Document new vulnerabilities in security/dropbear
Revision: 330626
Tuesday, 15 Oct 2013
19:04 rene
Document new vulnerabilities in www/chromium < 30.0.1599.101

Obtained from:	http://googlechromereleases.blogspot.nl/
Revision: 330429
Thursday, 10 Oct 2013
20:02 ohauer
- update mod_fcgid to version 2.3.9
- add stage support
- add vuxml entry

PR:		ports/182878
Submitted by:	Fabiano Sidler <freebsd.ports@webstyle.ch> (maintainer)
Security:	CVE-2013-4365
Revision: 330031
Saturday, 5 Oct 2013
09:44 kuriyama
Add recent gnupg1/gnupg vuln.
Revision: 329431
Thursday, 3 Oct 2013
13:05 sem
Document the last xinetd vulnerability
Revision: 329177
Tuesday, 1 Oct 2013
23:47 jase
- Update to 1.2.9
- Add vuxml entry
- Prevent install target from copying patch backup files

Changes:	https://raw.github.com/polarssl/polarssl/60ad84f43f46b0d3673eaca8b9847d7e01b83c5e/ChangeLog
Security:	ccefac3e-2aed-11e3-af10-000c29789cb5
Security:	CVE-2013-5915
Revision: 329009
21:30 rene
Document new vulnerabilities for www/chromium < 30.0.1599.66

Obtained from:	http://googlechromereleases.blogspot.nl/
Revision: 328998
Monday, 30 Sep 2013
20:55 delphij
Our "package" can have multiple "name" elements.  Since these packages are
from the same origin, they can be collapsed into one entry.
Revision: 328873
19:40 brd (doc committer)
- Add a low version to the graphite-web vuln

Approved by:	swills@
Revision: 328853
19:31 swills
- Document graphite issue
Revision: 328851
Tuesday, 24 Sep 2013
13:55 tabthorpe
- ebd877b9-7ef4-4375-b1fd-c67780581898 also applies to our ruby18

Reviewed by:	swills
Revision: 328135
Sunday, 22 Sep 2013
10:36 lwhsu
Document CVE-2013-1443 for www/py-django{,14,-devel}
Revision: 327862
10:09 lwhsu
- Split names for different packages

Notified by:	remko
Revision: 327861
Thursday, 19 Sep 2013
08:29 rm
- add modification date to mozilla entry, that I forgot about
Revision: 327604
07:50 rm
- correct thunderbird version in recent mozilla entry
Revision: 327600
05:44 remko (src,doc committer)
Add the latest two FreeBSD Security Advisories that have impact
on -RELEASE versions. (RC's are not documented).

Hat:	secteam
Revision: 327595
Wednesday, 18 Sep 2013
22:40 flo
- update firefox, thunderbird and libxul to 24.0
- update seamonkey to 2.21
- update firefox-esr to 17.0.9
- enable GSTREAMER by default for html5 with h264/aac/mp3
- WEBRTC is now always built
- add PROFILE and TESTS options

Security:		7dfed67b-20aa-11e3-b8d8-0025905a4771
In collaboration with:	Jan Beich <jbeich@tormail.org>
Revision: 327587
Friday, 13 Sep 2013
13:13 eadler
Update flash to version 11.2.202.310

PR:		ports/182013
Submitted by:	Tsurutani Naoki <turutani@scphys.kyoto-u.ac.jp>
Security:	http://www.vuxml.org/freebsd/5bd6811f-1c75-11e3-ba72-98fc11cdc4f5
Revision: 327145
Thursday, 12 Sep 2013
16:03 lwhsu
Document CVE-2013-4315 for www/py-django{,14,-devel}
Revision: 327080
Monday, 2 Sep 2013
19:04 ohauer
- update devel/subversion to 1.8.3	[1]
- update devel/subversion17 to 1.7.13	[1]
- add vuxml entry

Version 1.7.13
(29 Aug 2013, from /branches/1.7.x)
http://svn.apache.org/repos/asf/subversion/tags/1.7.13/CHANGES

User-visible changes:
 - General
   * merge: fix bogus mergeinfo with conflicting file merges (issue #4306)
   * diff: fix duplicated path component in '--summarize' output (issue #4408)
   * ra_serf: ignore case when checking certificate common names (r1514763)

 - Server-side bugfixes:
   * svnserve: fix creation of pid files (r1516556)
   * mod_dav_svn: better status codes for commit failures (r1490684)
   * mod_dav_svn: do not map requests to filesystem (r1512432 et al)

Developer-visible changes:
 - General:
   * support linking against gssapi on Solaris 10 (r1515068)
   * don't use uninitialized variable to produce an error code (r1482282)

 - Bindings:
   * swig-pl: fix SVN::Client not honoring config file settings (r150744)
   * swig-pl & swig-py: disable unusable svn_fs_set_warning_func (r1515119)

Version 1.8.3
(29 August 2013, from /branches/1.8.x)
http://svn.apache.org/repos/asf/subversion/tags/1.8.3/CHANGES

User-visible changes:
 - Client- and server-side bugfixes:
   * translation updates for Swedish
   * enforce strict version equality between tools and libraries (r1502267)
   * consistently output revisions as "r%ld" in error messages (r1499044 et al)

 - Client-side bugfixes:
   * status: always use absolute paths in XML output (issue #4398)
   * ra_serf: 'svn log -v' fails with a 1.2.x server (issue #4044)
   * ra_serf: fix crash when committing cp with deep deletion (issue #4400)
   * diff: issue an error for files that can't fit in memory (r1513119 et al)
   * svnmucc: generate proper error for mismatched URLs (r1511353)
   * update: fix a crash when a temp file doesn't exist (r1513156)
   * commit & update: improve sleep for timestamps performance (r1508438)
   * diff: continue on missing or obstructing files (issue #4396)
   * ra_serf: use runtime serf version for User-Agent (r1514315, r1514628)
   * ra_serf: ignore case when checking certificate common names (r1514763)
   * ra_serf: format distinguished names properly (r1514804)
   * ra_serf: do not retry HTTP requests if we started to parse them (r1503318)
   * ra_serf: output ssl cert verification failure reason (r1514785 et al)
   * ra_serf: allow session reuse after SVN_ERR_CEASE_INVOCATION (r1502901)
   * ra_serf: include library version in '--version' output (r1514295 et al)
   * info: fix spurious error on wc root with child in conflict (r1515366)

 - Server-side bugfixes:
   * svnserve: fix creation of pid files (r1516556)
   * svnadmin: fix output encoding in non-UTF8 environments (r1506966)
   * svnsync: fix high memory usage when running over ra_serf (r1515249 et al)
   * mod_dav_svn: do not map requests to filesystem (r1512432 et al)
   * svnauthz: improve help strings (r1511272)
   * fsfs: fixed manifest file growth with revprop changes (r1513874)
   * fsfs: fix packed revprops causing loss of revprops (r1513879 et al)

 - Other tool improvements and bugfixes:
   * svnwcsub/irkerbridge: fix symlink attack via pid file (r175 from upstream)

Developer-visible changes:
 - General:
   * describe APR unimplemented errors as coming from APR (r1503010 et al)
   * mod_dav_svn: update INSTALL to reflect configure defaults (r1515141)
   * davautocheck: use the correct apxs binary by default (r1507889, r1507891)

 - API changes:
   * svn_config_walk_auth_data() config_dir arg: permit NULL (r1507382 et al)

 - Bindings:
   * swig-pl: fix SVN::Client not honoring config file settings (r150744)
   * swig-pl & swig-py: disable unusable svn_fs_set_warning_func (r1515119)

Approved by:	lev@ (explicit per PM)
Security:	f8a913cc-1322-11e3-8ffa-20cf30e32f6d
		CVE-2013-4277 [1]
Revision: 326057
Thursday, 29 Aug 2013
10:56 sem
- Document the last cacti vulnerabilities

PR:		ports/181606 (based on)
Submitted by:	Rodrigo (ros) OSORIO <rodrigo@bebik.net>
Revision: 325582
06:15 remko (src,doc committer)
Add CVE entries to latest entry for Asterisk.
Add "The" in who reports the issue.
Bump modified date
Revision: 325565
Wednesday, 28 Aug 2013
20:51 flo
Update net/asterisk to 1.8.23.1
Update net/asterisk10 to 10.12.3
Update net/asterisk11 to 11.5.1

Security:	fd2bf3b5-1001-11e3-ba94-0025905a4771
Revision: 325551
Wednesday, 21 Aug 2013
09:29 rene
Document new vulnerabilities in www/chromium < 29.0.1547.57

Obtained from:	http://googlechromereleases.blogspot.nl/
Revision: 325102
Tuesday, 20 Aug 2013
15:36 kwm
Fix multiple security issues in the bundled libav version by replacing it
with a newer version.

Reported by:	Jan Beich <jbeich@tormail.org>
Revision: 325059
Monday, 19 Aug 2013
08:07 stas (src committer)
- Correct lcms2 VuXML entry: only versions before 2.5 are vulnerable.

PR:		ports/181384
Reported by:	Derek Schrock <dereks@lifeofadishwasher.com>
Revision: 324952
Sunday, 18 Aug 2013
10:41 ashish
- Update modified date of VuXML entry which was missed in r317985

Reported by:	remko
Revision: 324899
Saturday, 17 Aug 2013
08:36 remko (src,doc committer)
Correct latest entry, properly indent the paragraphs
and sort the url list alphabetically.
Revision: 324834
08:24 bf
Amend 689c2bf7-0701-11e3-9a25-002590860428 so that it doesn't overlap with
80771b89-f57b-11e2-bf21-b499baab0cbe, but keep both entries rather than
augmenting the old one, because I've cited the new one in a commit message.
Revision: 324831
07:56 bf
Update security/libgcrypt to 1.5.3 [1], and document the latest gnupg
and libgcrypt vulnerability

PR:		181231
Submitted by:	Hirohisa Yamaguchi (maintainer) [1]
Security:	http://www.vuxml.org/freebsd/689c2bf7-0701-11e3-9a25-002590860428.html
Revision: 324830
Friday, 16 Aug 2013
17:54 brd (doc committer)
- Update puppet to 3.2.4 which fixes CVE-2013-4761 and CVE-2013-4956

Approved by:	swills@
Security:	2b2f6092-0694-11e3-9e8e-000c29f6ae42
Revision: 324808
05:35 remko (src,doc committer)
Correct polarssl entry, the lines were way too long, indentation was
incorrect, and the topic description does not need too many details
since that is explained in the description itself.

Also correct the url's since c comes before u ;-)

Prodded by:	stas
Revision: 324791
Thursday, 15 Aug 2013
19:54 stas (src committer)
- Fix ordering of references.

Reported by:	remko
Revision: 324783
19:02 stas (src committer)
- Add lcms2 DoS vulnerability entry.

Hat: secteam
Revision: 324781
Tuesday, 13 Aug 2013
06:20 mandree
Add CVE Id, which was not in the advisory,
but on <https://polarssl.org/security>.
Revision: 324652
06:17 mandree
Record PolarSSL < 1.2.8 infinite loop denial of service.

Note: the port has not yet been upgraded, and the fix then needs to be merged
to the 9.2 ports branch before release.
Revision: 324651
Friday, 9 Aug 2013
20:52 delphij
Add a link to the advisory.

Submitted by:	remko
Revision: 324462
17:22 delphij
Document Samba DoS vulnerability.
Revision: 324452
Thursday, 8 Aug 2013
18:42 flo
- update firefox to 23.0
- update firefox-esr, thunderbird and libxul to 17.0.8
- update seamonkey to 2.20
- fix plist for *-i18n

Security:		0998e79d-0055-11e3-905b-0025905a4771
In collaboration with:	Jan Beich <jbeich@tormail.org>
Revision: 324409
Wednesday, 7 Aug 2013
16:26 mandree
Add one more reference for PuTTY 0.59-0.61 vuln CVE-2011-4607.
Revision: 324359
16:22 mandree
More references for PuTTY < 0.63 vulnerabilities.
Revision: 324358
16:11 mandree
Upgrade PuTTY to new 0.63 beta upstream release, adding vulnerability info.

Quoting the upstream's change log:

- Security fix: prevent a nefarious SSH server or network attacker from
  crashing PuTTY at startup in three different ways by presenting a maliciously
  constructed public key and signature.
- Security fix: PuTTY no longer retains the private half of users' keys in
  memory by mistake after authenticating with them.
- Revamped the internal configuration storage system to remove all fixed
  arbitrary limits on string lengths. In particular, there should now no longer
  be an unreasonably small limit on the number of port forwardings PuTTY can
  store.
- Port-forwarded TCP connections which close one direction before the other
  should now be reliably supported, with EOF propagated independently in the
  two directions. This also fixes some instances of port-forwarding data
  corruption (if the corruption consisted of losing data from the very end of
  the connection) and some instances of PuTTY failing to close when the session
  is over (because it wrongly thought a forwarding channel was still active
  when it was not).
- The terminal emulation now supports xterm's bracketed paste mode (allowing
  aware applications to tell the difference between typed and pasted text, so
  that e.g. editors need not apply inappropriate auto-indent).
- You can now choose to display bold text by both brightening the foreground
  colour and changing the font, not just one or the other.
- PuTTYgen will now never generate a 2047-bit key when asked for 2048 (or more
  generally n-1 bits when asked for n).
- Some updates to default settings: PuTTYgen now generates 2048-bit keys by
  default (rather than 1024), and PuTTY defaults to UTF-8 encoding and 2000
  lines of scrollback (rather than ISO 8859-1 and 200).
- Unix: PSCP and PSFTP now preserve the Unix file permissions, on copies in
  both directions.
- Unix: dead keys and compose-character sequences are now supported.
- Unix: PuTTY and pterm now permit font fallback (where glyphs not present in
  your selected font are automatically filled in from other fonts on the
  system) even if you are using a server-side X11 font rather than a Pango
  client-side one.
- Bug fixes too numerous to list, mostly resulting from running the code
  through Coverity Scan which spotted an assortment of memory and resource
  leaks, logic errors, and crashes in various circumstances.

Security:	4b448a96-ff73-11e2-b28d-080027ef73ec
Security:	CVE-2013-4206
Security:	CVE-2013-4207
Security:	CVE-2013-4208
Security:	CVE-2013-4852
Revision: 324357
08:41 danfe
Adjust NVidia driver version ranges after r304966 to remedy false positives.
Revision: 324336
Monday, 5 Aug 2013
21:56 ohauer
- security update for typo3 ports
- some small Makefile cleanups
- add vuxml entry

Vulnerability Types: Cross-Site Scripting, Remote Code Execution
 Overall Severity: Critical

Vulnerable subcomponent: Third Party Libraries used for audio and video playback
 Affected Versions: All versions from 4.5.0 up to the development branch of 6.2
 Vulnerability Type: Cross-Site Scripting
 Severity: Medium

Vulnerable subcomponent: Backend File Upload / File Abstraction Layer
 Vulnerability Type: Remote Code Execution by arbitrary file creation
 Affected Versions: All versions from 6.0.0 up to the development branch of 6.2
 Severity: Critical

PR:		ports/180951
		ports/180952
		ports/180953
Submitted by:	Helmut Ritter <freebsd-ports@charlieroot.de> (maintainer)
Security:	http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2013-002/
		CVE-2011-3642
		CVE-2013-1464
Revision: 324294
Sunday, 4 Aug 2013
12:13 matthew
- Security update of databases/phpmyadmin to 4.0.5

ChangeLog:
http://sourceforge.net/projects/phpmyadmin/files/phpMyAdmin/4.0.5/phpMyAdmin-4.0.5-notes.html/download
SecurityAdvisory: http://www.phpmyadmin.net/home_page/security/PMASA-2013-10.php

- Deprecate databases/phpmyadmin35

This version is vulnerable to the 'clickjacking protection bypass'
problem fixed in 4.0.5, but the development team will not be
publishing a fix. "We have no solution for 3.5.x, due to the proposed
solution requiring JavaScript. We don't want to introduce a dependency
to JavaScript in the 3.5.x family."

Therefore deprecate this port and set expiry for one month.  Please
upgrade to 4.0.5 instead.

Security:	17326fd5-fcfb-11e2-9bb9-6805ca0b3d42
Revision: 324220
Saturday, 3 Aug 2013
14:56 rene
Add new vulnerabilities for www/chromium < 28.0.1500.95

Obtained from:	http://googlechromereleases.blogspot.nl/
Revision: 324196
Thursday, 1 Aug 2013
18:43 remko (src,doc committer)
Modify the latest puppet entry. Because the matching of the version everything
below 3.2.2 was a match, including all 2.7.x versions. It also appears that
there is no puppet27 version, just puppet-2.7.x and puppet-3.2.x instead.

Bump modification date.

PR:		180958
Submitted by:	Kan Sasaki <sasaki@fcc.ad.jp>
Revision: 324117
Monday, 29 Jul 2013
19:17 matthew
Now that PMSA-2013-{9,11-15} have been published, borrow from them to
expand on the original rather sketchy entries.

Sort URL references[1]

Submitted by:	remko [1]
Revision: 323898
Sunday, 28 Jul 2013
15:38 matthew
Security update: multiple vulnerabilities in databases/phpmyadmin and
databases/phpmyadmin35

 - update phpmyadmin to 4.0.4.2

ChangeLog:
http://sourceforge.net/projects/phpmyadmin/files/phpMyAdmin/4.0.4.2/phpMyAdmin-4.0.4.2-notes.html/view

 - update phpmyadmin35 to 3.5.8.2

ChangeLog:
http://sourceforge.net/projects/phpmyadmin/files/phpMyAdmin/3.5.8.2/phpMyAdmin-3.5.8.2-notes.html/view

 - vuxml

The PMSA references shown have not been published yet, hence no CVE
numbers and a lack of detail in the descriptions.  Yes, PMSA-2013-10
is missing from the sequence.  According to the security alert e-mail:

   "For more details, see the upcoming PMASA-2013-8 to PMASA-2013-15 (minus
    PMASA-2013-10 which is reserved for a future advisory)."
Revision: 323835
Saturday, 27 Jul 2013
17:36 remko (src,doc committer)
Add entry for wordpress < 3.5.2

Requested by:	Patrick Oonk
Revision: 323801
13:24 remko (src,doc committer)
Add additional reference, bump modified date.
Revision: 323783
Friday, 26 Jul 2013
23:22 delphij
Document BIND denial of service vulnerability
Revision: 323760
11:06 remko (src,doc committer)
Cleanup last entry. Properly indent the entry and
make sure that after a period on the end of a line
we follow with two spaces.

Hat:	secteam
Revision: 323712
Thursday, 25 Jul 2013
22:56 kuriyama
Add an entry for security/gnupg1.
Revision: 323675
18:29 bjk (doc committer)
Update to 1.6.5

This is a security release by upstream, and requires configuration changes
in addition to the software update.  See UPDATING.

Reviewed by:	ports-security (zi, remko)
Approved by:	hrs (mentor, ports committer)
Revision: 323659
Wednesday, 24 Jul 2013
20:59 lev
  Add <url></url> to references.

Submitted by:	Remko Lodder <remko@FreeBSD.org>
Revision: 323617
17:18 lev
 Update:
   devel/subversion to 1.8.1
   devel/subversion16 to 1.7.11

 These releases fix CVE-2013-4131
 http://subversion.apache.org/security/CVE-2013-4131-advisory.txt

Approved by:	Olli Hauer <ohauer@FreeBSD.org> for devel/subversion17
Security:	CVE-2013-4131
Revision: 323611
Tuesday, 23 Jul 2013
10:32 bdrewery
- Update whitespace for 2fbfd455-f2d0-11e2-8a46-000d601460a4

Requested by:	remko
Revision: 323525
Monday, 22 Jul 2013
13:24 bdrewery
- Update suPHP to 0.7.2
- Document possible privilege escalation

Approved by:	maintainer timeout
Security:	2fbfd455-f2d0-11e2-8a46-000d601460a4
Revision: 323445
Sunday, 21 Jul 2013
18:54 ohauer
- change apache24 version from 2.4.5 to 2.4.6 (2.4.5 was not released)
- add http://www.apache.org/dist/httpd/Announcement2.4.html as reference

requested by remko@
Revision: 323410
Saturday, 20 Jul 2013
17:11 ohauer
- update to apache24-2.4.6
 - new modules: mod_cache_socache, mod_macro and mod_proxy_wstunnel

- add entry to vuxml

SECURITY: CVE-2013-1896 (cve.mitre.org)
 mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn with
 the source href (sent as part of the request body as XML) pointing to a
 URI that is not configured for DAV will trigger a segfault.

SECURITY: CVE-2013-2249 (cve.mitre.org)
 mod_session_dbd: Make sure that dirty flag is respected when saving
 sessions, and ensure the session ID is changed each time the session
 changes. This changes the format of the updatesession SQL statement.
 Existing configurations must be changed.

Changelog:
http://www.apache.org/dist/httpd/CHANGES_2.4.6

with hat apache@

Security:	ca4d63fb-f15c-11e2-b183-20cf30e32f6d
Revision: 323351
Wednesday, 17 Jul 2013
22:09 delphij
Document gallery3 multiple vulnerabilities.
Revision: 323190
22:07 eadler
Add missing citation

Requested by:	remko
Revision: 323189
Tuesday, 16 Jul 2013
18:10 des
Add two more PHP entries for issues which have already been fixed.
Revision: 323118
Monday, 15 Jul 2013
21:06 eadler
Update to 11.2r202.291

PR:		ports/179502
Submitted by:	Tsurutani Naoki <turutani@scphys.kyoto-u.ac.jp>
Revision: 323080
18:25 delphij
Document squid 3.x denial of service vulnerability.
Revision: 323071
09:26 cs
Adjust version numbers for OTRS vulnerabilities
Revision: 323026
Sunday, 14 Jul 2013
22:03 eadler
Add missing modified dates from r321329.

I had this sitting for a bit, but forgot to test & commit.

Requested by:	remko
Revision: 323009
Thursday, 11 Jul 2013
21:28 delphij
Wrap long lines.  No content change.
Revision: 322798
20:35 cs
Security vulnerabilities in libzrtp

Security:	04320e7d-ea66-11e2-a96e-60a44c524f57
Revision: 322797
20:17 swills
- Document ruby vulnerability
Revision: 322795
07:50 cs
Add vulnerability on otrs

Security:	e3e788aa-e9fd-11e2-a96e-60a44c524f57
Revision: 322757
Wednesday, 10 Jul 2013
19:01 ohauer
- update to apache-2.2.25
- update vuxml with additional CVE-2013-1896 entry

Changes with Apache 2.2.25
  http://www.apache.org/dist/httpd/CHANGES_2.2.25

  *) SECURITY: CVE-2013-1896 (cve.mitre.org)
     mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn with
     the source href (sent as part of the request body as XML) pointing to a
     URI that is not configured for DAV will trigger a segfault. [Ben Reser
     <ben reser.org>]

  *) SECURITY: CVE-2013-1862 (cve.mitre.org)
     mod_rewrite: Ensure that client data written to the RewriteLog is
     escaped to prevent terminal escape sequences from entering the
     log file.  [Eric Covener, Jeff Trawick, Joe Orton]

  *) core: Limit ap_pregsub() to 64MB and add ap_pregsub_ex() for longer
     strings.  The default limit for ap_pregsub() can be adjusted at compile
     time by defining AP_PREGSUB_MAXLEN.  [Stefan Fritsch, Jeff Trawick]

  *) core: Support the SINGLE_LISTEN_UNSERIALIZED_ACCEPT optimization
     on Linux kernel versions 3.x and above.  PR 55121.  [Bradley Heilbrun
     <apache heilbrun.org>]

  *) mod_setenvif: Log error on substitution overflow.
     [Stefan Fritsch]

  *) mod_ssl/proxy: enable the SNI extension for backend TLS connections
     [Kaspar Brand]

  *) mod_proxy: Use the same hostname for SNI as for the HTTP request when
     forwarding to SSL backends. PR 53134.
     [Michael Weiser <michael weiser.dinsnail.net>, Ruediger Pluem]

  *) mod_ssl: Quiet FIPS mode weak keys disabled and FIPS not selected emits
     in the error log to debug level.  [William Rowe]

  *) mod_ssl: Catch missing, mismatched or encrypted client cert/key pairs
     with SSLProxyMachineCertificateFile/Path directives. PR 52212, PR 54698.
     [Keith Burdis <keith burdis.org>, Joe Orton, Kaspar Brand]

  *) mod_proxy_balancer: Added balancer parameter failontimeout to allow server
     admin to configure an IO timeout as an error in the balancer.
     [Daniel Ruggeri]

  *) mod_authnz_ldap: Allow using exec: calls to obtain LDAP bind
     password.  [Daniel Ruggeri]

  *) htdigest: Fix buffer overflow when reading digest password file
     with very long lines. PR 54893. [Rainer Jung]

  *) mod_dav: Ensure URI is correctly uriencoded on return. PR 54611
     [Timothy Wood <tjw omnigroup.com>]

  *) mod_dav: Make sure that when we prepare an If URL for Etag comparison,
     we compare unencoded paths. PR 53910 [Timothy Wood <tjw omnigroup.com>]

  *) mod_dav: Sending an If or If-Match header with an invalid ETag doesn't
     result in a 412 Precondition Failed for a COPY operation. PR54610
     [Timothy Wood <tjw omnigroup.com>]

  *) mod_dav: When a PROPPATCH attempts to remove a non-existent dead
     property on a resource for which there is no dead property in the same
     namespace httpd segfaults. PR 52559 [Diego Santa Cruz
     <diego.santaCruz spinetix.com>]

  *) mod_dav: Do not fail PROPPATCH when prop namespace is not known.
     PR 52559 [Diego Santa Cruz <diego.santaCruz spinetix.com>]

  *) mod_dav: Do not segfault on PROPFIND with a zero length DBM.
     PR 52559 [Diego Santa Cruz <diego.santaCruz spinetix.com>]

PR:		ports/180248
Submitted by:	Jason Helfman jgh@
Revision: 322728
14:35 rene
Add new vulnerabilities for www/chromium < 28.0.1500.71

Obtained from:	http://googlechromereleases.blogspot.nl/
Revision: 322699
Saturday, 6 Jul 2013
08:46 ohauer
- add fix for CVE-2013-1862
- adjust vuxml
Revision: 322368
Friday, 5 Jul 2013
21:06 ohauer
- document apache22 CVE-2013-1862 (mod_rewrite)

Update to apache22-2.2.25 is ready to commit.
Until now there is no official announcement from apache.org
so we hold the update back until we have official checksums.
Revision: 322357
Tuesday, 2 Jul 2013
07:43 delphij
Fix CVE-2013-2174 for ftp/curl with a patch from vendor for
now so that users can build the port, per popular demands
on mailing list.

The upgrade patch found in ports/172325 is currently under
exp-run.  The changes in this commit against ftp/curl can be
safely reverted before applying that patch, as it's shipped
with new curl release.

Approved by:	portmgr (miwi)
Revision: 322159
Sunday, 30 Jun 2013
20:49 matthew
Security update to 4.0.4.1

ChangeLog:
http://sourceforge.net/projects/phpmyadmin/files/phpMyAdmin/4.0.4.1/phpMyAdmin-4.0.4.1-notes.html/view

Advisory: http://www.phpmyadmin.net/home_page/security/PMASA-2013-7.php

Security:	1b93f6fe-e1c1-11e2-948d-6805ca0b3d42
Revision: 322099
Friday, 28 Jun 2013
11:07 girgen
Security update for apache-xml-security-c

URL:	http://santuario.apache.org/secadv.data/CVE-2013-2210.txt
Security:	81da673e-dfe1-11e2-9389-08002798f6ff
Security:	CVE-2013-2210
Revision: 321955
Wednesday, 26 Jun 2013
11:01 flo
- update firefox to 22.0
- update firefox-esr, thunderbird and libxul to 17.0.7
- update nspr to 4.10
- OSS support was removed upstream, only ALSA and PulseAudio are supported
  from now on.

Security:	b3fcb387-de4b-11e2-b1c6-0025905a4771
In collaboration with:	Jan Beich <jbeich@tormail.org>
Revision: 321792
Sunday, 23 Jun 2013
20:14 rea
VuXML: document CVE-2013-2174, heap corruption in cURL library
Revision: 321649
Saturday, 22 Jun 2013
12:49 swills
- Update puppet to 3.2.2 which fixes CVE-2013-3567 [1]
- Update puppet27 to 2.7.22 which fixes CVE-2013-3567
- Document security issue

PR:		ports/179816 [1]
Submitted by:	mat [1]
Security:	b162b218-c547-4ba2-ae31-6fdcb61bc763
Revision: 321570
09:36 bf
Correct the CVE-2013-0131 entry, so that the most recent revision of
x11/nvidia-driver-304 is not mistakenly flagged as vulnerable
Revision: 321558
Wednesday, 19 Jun 2013
21:56 jgh
- fix formatting of 8b97d289-d8cf-11e2-a1f5-60a44c524f57

With Hat:	ports-secteam
Revision: 321338
21:14 eadler
- Fix entry dates for some 'insane' dates.  In some cases a best effort was made
to guess what was meant due to either destroyed svn logs (formatting 'fixes') or
lost to time reports.

With Hat:	ports-secteam
Revision: 321329
11:08 cs
Fix typo soccat -> socat
Revision: 321237
11:07 cs
Add vulnerability on OTRS
Revision: 321236
Tuesday, 18 Jun 2013
15:50 delphij
Fix date for flashpluginwrapper.
Revision: 321198
15:45 delphij
Add entry for SA-13:06.mmap.
Revision: 321196
15:15 girgen
Security update for apache-xml-security-c.
Dependent ports, especially shibboleth2-sp, opensaml2, xmltooling
and log4shib should all be updated.

Security: CVE-2013-2156
Revision: 321194
Monday, 17 Jun 2013
03:23 bf
Document Tor bug 9072
Revision: 321084
Friday, 14 Jun 2013
06:21 ak
- Fix typo in dbus entry

Reported by:	Christoph Mallon <christoph.mallon@gmx.de>
Revision: 320884
Thursday, 13 Jun 2013
19:54 kwm
Update to 1.6.12.

I'm not completely sure this affects us, but better safe than sorry.
While here wordsmith Options description to try to make it clearer.

Security:	CVE-2013-2168
Revision: 320834
Tuesday, 11 Jun 2013
22:44 eadler
Update to 11.2r202.291

PR:		ports/179502
Submitted by:	Tsurutani Naoki <turutani@scphys.kyoto-u.ac.jp>
Revision: 320654
21:03 culot
- Document vulnerabilities in www/owncloud

Security:	d7a43ee6-d2d5-11e2-9894-002590082ac6
Obtained from:	http://owncloud.org/about/security/advisories/
Revision: 320642
Friday, 7 Jun 2013
15:19 flo
Update to 5.3.26

Security:	59e7163c-cf84-11e2-907b-0025905a4770
Revision: 320210
06:30 erwin
Match only the most recent Bind9* version in the latest vulnerability,
older versions are not affected.
Revision: 320151
