10:59 erwin 

Fix typo in previous revision.

 

08:36 erwin 

Add entry for the latest Bind vulnerabilities in CVE-2013-3919.

 

22:02 matthew 

Security upgrade to 4.0.3

Advisory: http://www.phpmyadmin.net/home_page/security/PMASA-2013-6.php

ChangeLog:
http://sourceforge.net/projects/phpmyadmin/files/phpMyAdmin/4.0.3/phpMyAdmin-4.0.3-notes.html/view

Security:	6b97436c-ce1e-11e2-9cb2-6805ca0b3d42

 

09:02 kwm 

Update to 0.16.6.

Obtained from:	GNOME dev repo
Security:	CVE-2013-1431

 

22:30 rene 

Document vulnerabilities in www/chromium < 27.0.1453.110

Obtained from:	http://googlechromereleases.blogspot.nl/

 

21:52 eadler 

- Fix build
- Ensure validation

 

19:31 zeising 

Fix security issues in xorg client libraries.
Most libraries were updated to newer versions, in some cases patches
were backported instead.

Most notably, x11/libX11 was updated to 1.6.0

Security:	CVE-2013-1981
		CVE-2013-1982
		CVE-2013-1983
		CVE-2013-1984
		CVE-2013-1985
		CVE-2013-1986
		CVE-2013-1987
		CVE-2013-1988
		CVE-2013-1989
		CVE-2013-1990
		CVE-2013-1991
		CVE-2013-1992
		CVE-2013-1993
		CVE-2013-1994
		CVE-2013-1995
		CVE-2013-1996
		CVE-2013-1997
		CVE-2013-1998
		CVE-2013-1999
		CVE-2013-2000
		CVE-2013-2001
		CVE-2013-2002
		CVE-2013-2003
		CVE-2013-2004
		CVE-2013-2005
		CVE-2013-2062
		CVE-2013-2063
		CVE-2013-2064
		CVE-2013-2066

 

04:45 cy 

Update krb5 1.11.2 --> 1.11.3.

This is a bugfix release.

* Fix a UDP ping-pong vulnerability in the kpasswd (password changing)
  service.  [CVE-2002-2443]

* Improve interoperability with some Windows native PKINIT clients.

Security:	CVE-2002-2443

 

18:29 crees 

Update to 1.6.2

* Fix buffer overflows in fileserver and ptserver.
* Fix rare file corruption during background sync (Gerrit 8796).
* Fix corrupting clients' metadata cache during certain errors (Gerrit 6957).
* Fix cache corruption when reading from a file another client is simultaneously
writing to (Gerrit 7994).
* Fix fileservers to properly report >2 TiB partitions.

and some other less serious changes.

PR:		ports/179259
Submitted by:	Adam Nowacki <nowak@tepeserwery.pl>
Submitted by:	bjk (maintainer)
Security:	CVE-2013-1794

 

06:51 araujo 

- Update to 2.7.4.

More info:
https://github.com/SpiderLabs/ModSecurity/blob/master/CHANGES

PR:		ports/179167
Submitted by:	ohauer@
Security:	9dfb63b8-8f36-11e2-b34d-000c2957946c

 

19:22 rakuco 

Remove duplicate optipng vulnerability.

It was separately committed in r315254, so remove the version I added
in r318453.

Reported by:	Alexander Milanov <a@amilanov.com>

 

16:49 mandree 

Add two more URLs to openvpn's vulnerability from March 2013 (CVE-2013-2061)

Security: 92f30415-9935-11e2-ad4c-080027ef73ec

 

16:47 mandree 

- Backport fix for CVE-2013-2061 to openvpn22 and openvpn20;
  while it is unclear whether it affects OpenSSL-builds at all.
  Let's play it safe.
- Reference CVE-2013-2061 name in OpenVPN's VuXML entry
- Mark 2.0.9_4 <= openvpn < 2.1.0 and 2.2.2_2 < openvpn < 2.3.0 not vulnerable
- Mark openvpn22 deprecated and to expire 2013-09-01.
  (openvpn20 is already marked to expire 2013-07-11.)

Security:	CVE-2013-2061
Security:	92f30415-9935-11e2-ad4c-080027ef73ec

 

08:08 osa 

Document passenger vulnerability.

 

21:41 lev 

  Update subversion ports to 1.7.10 and 1.6.23.
  It fixes 3 security issues:

    CVE-2013-1968: fsfs repository corruption caused by newline characters in
filenames
    CVE-2013-2088: contrib hook-scripts can allow arbitrary code execution
    CVE-2013-2112: svnserve remotely triggerable DoS.

Security:	CVE-2013-1968
Security:	CVE-2013-2088
Security:	CVE-2013-2112

 

11:33 crees 

Actually remove bitchx-devel and add a VuXML entry.

Security:	CVE-2007-4584
Security:	CVE-2007-5839
Security:	CVE-2007-5922

 

14:23 jase 

- Document znc null pointer dereference vulnerability.

 

00:41 ehaupt 

Adjust range for socat entry.

 

22:01 ehaupt 

Document socat FD leak vulnerability.

Security:	CVE-2013-3571

 

20:34 swills 

- Add entry for ruby 1.9.3p429

 

08:38 delphij 

Document couchdb XSS vulnerability.

PR:		ports/178985
Submitted by:	wollman

 

15:30 flo 

Update to 2.17.1 as the 2.18 release was postponed / cancelled

 

08:20 cs 

Fix entry date, wrongly entered in revision 318453

 

08:02 cs 

fix typo in recent otrs vulnerability

 

07:58 cs 

Add vulnerabilities

Security:	CVE-2013-2637
		CVE-2013-3551

 

07:24 matthew 

Security Updates

   - www/rt40 to 4.0.13
   - www/rt38 to 3.8.17 [1]

This is a security fix addressing a number of CVEs:

    CVE-2012-4733
    CVE-2013-3368
    CVE-2013-3369
    CVE-2013-3370
    CVE-2013-3371
    CVE-2013-3372
    CVE-2013-3373
    CVE-2013-3374

Users will need to update their database schemas as described in
pkg-message

Approved by:	flo [1]
Security:	3a429192-c36a-11e2-97a9-6805ca0b3d42

 

09:14 rene 

Fix vuxml by using the correct format for CVE names.

Prodded by:	bz on IRC

 

08:45 rene 

List vulnerabilities fixed in www/chromium 27.0.1453.93 (which is the
current version in the Ports Collection).

 

14:06 rakuco 

Patch multiple vulnerabilities in x11-toolkits/plib.

PR:		ports/178710
Submitted by:	Denny Lin <dennylin93@hs.ntnu.edu.tw>

 

20:35 rakuco 

- Update to 0.7.4
- Add VuXML entry
- Trim Makefile header
- Add LICENSE

PR:		ports/177206
Submitted by:	Alexander Milanov <a@amilanov.com>
Approved by:	Thomas Hurst <tom@hur.st> (maintainer)
Security:	a8818f7f-9182-11e2-9bdf-d48564727302

 

22:46 delphij 

Update the recent nginx entry to cover the exact version range and include
information for CVE-2013-2070.

 

04:14 eadler 

Update to the latest version of Adobe Flash

 

02:00 flo 

- update firefox to 21.0
- update firefox-esr and thunderbird to 17.0.6
- WEBRTC now supports PULSEAUDIO
- make linux-firefox work with plugins again (e.g. quakelive)

Security:		4a1ca8a4-bd82-11e2-b7a0-d43d7e0c7c02
In collaboration with:	Jan Beich <jbeich@tormail.org>

 

07:15 osa 

Update ranges according latest available information.

Source:	http://mailman.nginx.org/pipermail/nginx-announce/2013/000114.html

 

00:08 ashish 

- Update emacs entry to correct the version ranges for CVE-2012-3479

 

18:58 delphij 

Update nginx entry to reflect the right version ranges for CVE-2013-2028.

Note that we don't really have nginx 1.3.9 in the ports collection, due
to the recent ports freeze.  The version 1.3.9 is used here just to
better match the original advisory.

 

13:32 osa 

Fix typo.

Found by:	ru

 

11:35 osa 

Document nginx -- a stack-base buffer overflow.

 

18:20 ohauer 

- fix strongSwan discovery date /2013-05-03/2013-04-30/

 

18:16 ohauer 

- update to version 5.0.4 which fixes CVE-2013-2944.
- add entry to vuxml
- add CVE references to jankins vuxml entry

while I'm here remove .sh from rc script

PR:		ports/178266
Submitted by:	David Shane Holden <dpejesh@yahoo.com>
Approved by:	strongswan@nanoteq.com (maintainer)

 

16:26 lwhsu 

Document Jenkins Security Advisory 2013-05-02

 

19:41 tmseck 

- Add the vendor patch for SQUID-2012:1 (CVE-2012-5643) and update VuXML
  information accordingly
- Bump PORTREVISION

PR:		ports/177773
Submitted by:	Kan Sasaki
Approved by:	flo (mentor)
Security:	c37de843-488e-11e2-a5c9-0019996bc1f7

 

22:41 des 

Add entry for SA-13:05.nfsserver

 

20:58 nivit 

- Document multiple XSS and DDoS vulnerabilities for Joomla!
(2.5.0 <= version < 2.5.10)

 

20:23 matthew 

Security updae to 3.5.8.1

Four new serious security alerts were issued today by the phpMyAdmin
them: PMASA-2013-2 and PMASA-2013-3 are documented in this commit to
vuln.xml.

 - Remote code execution via preg_replace().

 - Locally Saved SQL Dump File Multiple File Extension Remote Code
   Execution.

The other two: PMASA-2013-4 and PMASA-2013-5 only affect PMA 4.0.0
pre-releases earlier than 4.0.0-rc3, which are not available through
the ports.

 

20:57 dinoex 

- Security update to 1.0.21
Security: CVE-2013-1428

 

16:01 dinoex 

- Security fix
Security: CVE-2011-4517 execute arbitrary code on decodes images
Submitted by:   naddy (Christian Weisgerber)
Obtained from:  Fedora
Feature safe: yes

 

09:24 matthew 

Document PMASA-2013-1

It turns out that release 3.5.8 (recently updated in ports) was the
cure to an XSS vulnerability.

Feature safe:  yes

 

18:03 delphij 

Document roundcube arbitrary file disclosure vulnerability.

Reported by:	Marcelo Gondim <gondim bsdinfo com br>
Feature safe:	yes

 

04:03 dinoex 

- add jasper
Feature safe: yes

 

10:58 araujo 

- Update to 2.7.3 due a vulnerability that affect all versions 2.x. [1]
- Update MASTER_SITES.
- Convert to optionsNG.
- Trim header.

More info:
https://github.com/SpiderLabs/ModSecurity/blob/master/CHANGES

Reported by:    olli hauer <ohauer@gmx.de> [1]
Approved by:    portmgr (bdrewery)
Security:       2070c79a-8e1e-11e2-b34d-000c2957946c

 

12:28 bdrewery 

- Update to 0.85
- Convert to new options framework

sieve-connect was not actually verifying TLS certificate identities matched
the expected hostname. Changes with new version:

Fix TLS verification; find server by own hostname & SRV.

* TLS hostname verification was not actually happening.

* IO::Socket::SSL requirement bumped to 1.14 (was 0.97).

* By default, if no server specified, before falling back to localhost try to
use the current hostname and SRV records in DNS to figure out if Sieve is
available. Checks for sieve, imaps & imap protocol SRV records and honours
target==. to mean "no".

* This works better with the Mozilla::PublicSuffix module installed.

* Added ability to blacklist authentication mechanisms

More info:

http://mail.globnix.net/pipermail/sieve-connect-announce/2013/000005.html

PR:		ports/177859
Submitted by:	"Alexey V. Degtyarev" <alexey@renatasystems.org> (maintainer)
Approved by:	portmgr (implicit)
Security:	a2ff483f-a5c6-11e2-9601-000d601460a4

 

15:44 eadler 

Replace duplicate vids with a newly generated GUID.
Older duplicates kept their own number.

Approved by:	portmgr (implicit)
With Hat:	ports-secteam

 

16:19 des 

Oops, fix the cite URL.

Approved by:	portmgr (tabthorpe)

 

16:14 des 

Edit OpenVPN 2.3.1 entry:

 - Replace links to changelog and commit with a link to the official
   announcement (which also links to the commit)

 - Replace the description with a sentence lifted from the
   announcement.

Approved by:	portmgr (tabthorpe)

 

22:19 eadler 

Update flash to 11.2r202.280

Security:	15236023-a21b-11e2-a460-208984377b34
Reviewed by:	delphij
Approved by:	portmgr (bdrewery)

 

11:41 bdrewery 

- Add url reference to 1431f2d6-a06e-11e2-b9e0-001636d274f3

Approved by:	portmgr (implicit)
Requested by:	jgh

 

11:30 bdrewery 

- Update to 3.2.13 to fix security vulnerabilities
- Update rubygem-mail to 2.5.3 as rubygem-actionmailer-3.2.13 requires it

PR:		ports/177709
Submitted by:	Geoffroy Desvernay <dgeo@centrale-marseille.fr>
With hat:	ruby
Approved by:	portmgr (implicit)
Reviewed by:	miwi
Security:	db0c4b00-a24c-11e2-9601-000d601460a4

 

01:18 bdrewery 

- Document CVE-2013-0131 for nvidia-driver

Submitted by:	danfe
Approved by:	portmgr (implicit)

 

20:57 flo 

Typo fix for the typo fix. Validated with make validate this time.

Reported by:	bz
Approved by:	portmgr (implicit)

 

20:33 flo 

Fix a typo in the recent mozilla entry

Reported by:	pluknet
Approved by:	portmgr (tabthorpe)

 

16:51 dinoex 

- Security udpate to 12.15
Security: http://www.opera.com/docs/changelogs/unified/1215/
Security: http://www.opera.com/security/advisory/1046
Security: http://www.opera.com/security/advisory/1047
PR:		177654
Approved by:	portmgr

 

16:43 ohauer 

- fix subversion range

Approved by:	portmgr (implizit)

 

10:00 ohauer 

- Subversion 1.7.9 security update [1]
- Subversion 1.6.21 security update [2]

This release addesses the following issues security issues:
[1][2]  CVE-2013-1845: mod_dav_svn excessive memory usage from property changes
[1][2]  CVE-2013-1846: mod_dav_svn crashes on LOCK requests against activity
URLs
[1][2]  CVE-2013-1847: mod_dav_svn crashes on LOCK requests against non-existant
URLs
[1][2]  CVE-2013-1849: mod_dav_svn crashes on PROPFIND requests against activity
URLs
[1]     CVE-2013-1884: mod_dav_svn crashes on out of range limit in log REPORT
request

More information on these vulnerabilities, including the relevent advisories
and potential attack vectors and workarounds, can be found on the Subversion
security website:
    http://subversion.apache.org/security/

PR:		177646
Submitted by:	ohauer
Approved by:	portmgr (tabthorpe, erwin), lev
Security:	b6beb137-9dc0-11e2-882f-20cf30e32f6d

 

21:16 cs 

Vulnerability in OTRS

Approved by:	portmgr
Security:	eae8e3cf-9dfe-11e2-ac7f-001fd056c417

 

13:21 girgen 

The PostgreSQL Global Development Group has released a security
update to all current versions of the PostgreSQL database system,
including versions 9.2.4, 9.1.9, 9.0.13, and 8.4.17. This update
fixes a high-exposure security vulnerability in versions 9.0 and
later. All users of the affected versions are strongly urged to apply
the update *immediately*.

A major security issue (for versions 9.x only) fixed in this release,
[CVE-2013-1899](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1899),
makes it possible for a connection request containing a database name
that begins with "-" to be crafted that can damage or destroy files
within a server's data directory. Anyone with access to the port the
PostgreSQL server listens on can initiate this request. This issue was
discovered by Mitsumasa Kondo and Kyotaro Horiguchi of NTT Open Source
Software Center.

Two lesser security fixes are also included in this release:
[CVE-2013-1900](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1900),
wherein random numbers generated by contrib/pgcrypto functions may be
easy for another database user to guess (all versions), and
[CVE-2013-1901](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1901),
which mistakenly allows an unprivileged user to run commands that
could interfere with in-progress backups (for versions 9.x only).

Approved by:	portmgr (bdrewery)
URL:		http://www.postgresql.org/about/news/1456/
Security:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1899
Security:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1900
Security:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1901

 

20:27 flo 

- update thunderbird, firefox-esr, linux-thunderbird and linux-firefox to
  17.0.5
- update firefox to 20.0
- update seamonkey and linux-seamonkey to 2.17
- update nspr to 4.9.6
- remove mail/thunderbird-esr, Mozilla stopped providing 2 versions of
  thunderbird
- prune support for old FreeBSD versions; users of 8.2, 7.4 or earlier
  are advised to upgrade - http://www.freebsd.org/security/
- add vuln.xml entry

Security:	94976433-9c74-11e2-a9fc-d43d7e0c7c02
Approved by:	portmgr (miwi)
In collaboration with:	Jan Beich <jbeich@tormail.org>

 

20:21 delphij 

Document two latest FreeBSD security advisories.

Approved by:	portmgr (bdrewery)

 

17:36 ohauer 

- update japanes/bugzilla templates
- update vuxml to reflect bugzilla templates
- fix typo in vuxml

Approved by:	portmgr (miwi)
Sponsored by:

 

16:00 mandree 

security upgrade to OpenVPN 2.3.1; upstream release notes are

  "This release adds supports for PolarSSL 1.2. It also adds a fix to
  prevent potential side-channel attacks by switching to a constant-time
  memcmp when comparing HMACs in the openvpn_decrypt function. In
  addition, it contains several bugfixes and documentation updates, as
  well as some minor enhancements."

Full ChangeLog:
<https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23>

The port upgrade also offers an option to use the GPLv2+-licensed
PolarSSL instead of OpenSSL (which brings in a license mix).

PR:		ports/177517
Reviewed by:	miwi
Approved by:	portmgr (miwi)
Security:	92f30415-9935-11e2-ad4c-080027ef73ec

 

14:08 kwm 

Update to 2.8.0. [1]
Add patch to fix CVE-2013-0338 and CVE-2013-0339. [2]
Convert to OptionsNG, rename patches to standard form. [1]

Notified by:	swills@ [2]
Obtained from:	gnome team repo [1]
Security:	843a4641-9816-11e2-9c51-080027019be0

 

10:04 flo 

Update asterisk ports to:

net/asterisk 1.8.20.2
net/asterisk10 10.12.2
net/asterisk11 11.2.2

Security:	daf0a339-9850-11e2-879e-d43d7e0c7c02

 

10:29 erwin 

Add entry for latest Bind advisory CVE-2013-2266

 

20:58 rene 

Document vulnerabilities in www/chromium < 26.0.1410.43

Obtained from:	http://googlechromereleases.blogspot.nl/search/Stable%20Updates

 

18:16 delphij 

Remove trailing space, no content change.

 

18:09 delphij 

unexpand vuln.xml.

 

05:31 acm 

firebird vulnerability entry (CVE-2013-2492)

Security:	6adca5e9-95d2-11e2-8549-68b599b52a02

 

01:13 zi 

- Document vulnerability in graphics/optipng (CVE-2012-4432)

PR:		ports/177206
Submitted by:	Alexander Milanov <a@amilanov.com>
Security:	8818f7f-9182-11e2-9bdf-d48564727302

 

20:46 flo 

Update to 5.3.23

Security:	1d23109a-9005-11e2-9602-d43d7e0c7c02

 

12:12 zi 

- Document recent vulnerabilities in www/piwigo: CVE-2013-1468, CVE-2013-1469
Reported by:	Ruslan Makhmatkhanov <cvs-src@yandex.ru>
Security:	edd201a5-8fc3-11e2-b131-000c299b62e1

 

22:12 remko (src,doc committer) 

Fix typo in the libpurple entry.

Submitted by:	Derek Schrock <dereks@lifeofadishwasher.com>

 

13:52 zi 

- Perl vulnerability (CVE-2013-1667) also applies to perl-threaded

Reported by:	Alexandre Krasnov <freebsd@tern.ru>
Security:	68c1f75b-8824-11e2-9996-c4850808617

 

08:17 pclin 

- graphics/libexif:
  * Update to 0.6.21
  * Add LICENSE
  * Switch to OptionsNG and PORTDOCS
- Document libexif 2012-07-12 vulnerabilty
- Bump PORTREVISION for libexif related ports
- Trim headers while here

PR:		ports/175910
Approved by:	swills (mentor)
Security:	d881d254-70c6-11e2-862d-080027a5ec9a

 

04:04 eadler 

Update flash the latest (hopefully) secure version.

PR:		ports/176904
Submitted by:	Tsurutani Naoki <turutani@scphys.kyoto-u.ac.jp>
Security:	http://www.vuxml.org/freebsd/5ff40cb4-8b92-11e2-bdb6-001060e06fd4.html

 

03:35 swills 

- Update puppet to 3.1.1 resolving multiple security issues
- Update puppet27 to 2.7.21 resolving multiple security issues
- Document multiple puppet security issues

Security:	cda566a0-2df0-4eb0-b70e-ed7a6fb0ab3c

 

19:04 rea 

Perl 5.x: fix CVE-2013-1667

Feature safe:	wholeheartedly hope so

 

04:03 miwi 

- Fix previous entry

 

00:13 marcus 

Belatedly add an entry for libpurple's recent vulnerabilities.

 

22:27 flo 

- update thunderbird, firefox-esr, linux-thunderbird and linux-firefox to
  17.0.4
- update firefox to 19.0.2
- add vuln.xml entry

Security:	630c8c08-880f-11e2-807f-d43d7e0c7c02

 

09:06 rene 

Document a vulnerability in chromium < 25.0.1364.160

Obtained from:	http://googlechromereleases.blogspot.nl/search/Stable%20Updates

 

15:57 culot 

- Document vulnerabilities in typo3.

Security:       b9a347ac-8671-11e2-b73c-0019d18c446a
Obtained from: 
http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2013-001/

 

00:19 rene 

Document vulnerabilities in www/chromium < 25.0.1364.152

Obtained from:	http://googlechromereleases.blogspot.nl/search/Stable%20Updates

 

20:17 zi 

- Document recent vulerability in security/stunnel (CVE-2013-1762)
Security:	c97219b6-843d-11e2-b131-000c299b62e1

 

20:07 ohauer 

- document apache22 issues
- tim trailing tabs

 

02:08 wxs 

Document two sudo problems.

 

01:46 swills 

- Update to 0.9.14 to fix CVE-2013-1756

Security:	aa7764af-0b5e-4ddc-bc65-38ad697a484f

 

13:40 eadler 

Update to 11.2r202.273

Security:	http://www.vuxml.org/freebsd/dbdac023-80e1-11e2-9a29-001060e06fd4.html

 

17:27 sunpoet 

- Update affected ettercap versions: CVE-2012-0722 was fixed in
0.7.5.2-Assimilation

 

01:38 bdrewery 

- Document 3 OTRS vulnerabilities from 2012
 - CVE-2012-4751
 - CVE-2012-4600
 - CVE-2012-2582

 

18:21 swills 

- Document Ruby REXML DoS