non port: security/vuxml/vuln.xml

Number of commits found: 6273 (showing only 100 on this page)


Friday, 2 Nov 2012
18:08 olgeni
Add entry for webmin < 1.600_1 (potential XSS attack).

Feature safe:	yes
Original commit, revision 306877
03:17 bdrewery
- Document ruby vulnerabilities:
 * CVE-2012-4464 + CVE-2012-4466
   $SAFE escaping vulnerability about Exception#to_s / NameError#to_s
 * CVE-2012-4522
   Unintentional file creation caused by inserting an illegal NUL character

Reviewed by:	eadler
Feature safe:	yes
Original commit, revision 306834
Thursday, 1 Nov 2012
14:10 flo
Update to 3.8.15

Security:	4b738d54-2427-11e2-9817-c8600054b392
Feature safe:	yes
Original commit, revision 306803
Tuesday, 30 Oct 2012
21:01 rm
- update to 7.16 [1]

while here:
- trim Makefile header
- remove indefinite article in COMMENT
- remove IGNORE_WITH_PHP and IGNORE_WITH_PGSQL since
  we do not have these versions in the tree anymore
- fix pkg-plist
- add vuxml entry

PR:		173211
Submitted by:	Rick van der Zwet <info at rickvanderzwet dot nl> [1]
Approved by:	Nick Hilliard <nick at foobar dot org> (maintainer)
Security:	2adc3e78-22d1-11e2-b9f0-d0df9acfd7e5
Feature safe:   yes
Original commit, revision 306716
Sunday, 28 Oct 2012
17:03 flo
- Update www/firefox{,-i18n} to 16.0.2
- Update seamonkey to 2.13.2
- Update ESR ports and libxul to 10.0.10
- Update nspr to 4.9.3
- Update nss to 3.14
- with GNOMEVFS2 option build its extension, too [1]
- make heap-committed and heap-dirty reporters work in about:memory
- properly mark QT4 as experimental (needs love upstream)
- *miscellaneous cleanups and fixups*

mail/thunderbird will be updated once the tarballs are available.

PR:		ports/173052 [1]
Security:	6b3b1b97-207c-11e2-a03f-c8600054b392
Feature safe:	yes
In collaboration with:	Jan Beich <jbeich@tormail.org>
Original commit, revision 306558
Friday, 26 Oct 2012
08:46 rea
mail/exim: upgrade to 4.80.1

This is a bugfix-only release; it eliminates remote code execution
in the DKIM code.

Security: http://www.vuxml.org/freebsd/b0f3ab1f-1f3b-11e2-8fe9-0022156e8794.html
QA page: http://codelabs.ru/fbsd/ports/qa/mail/exim/4.80.1
Feature safe: yes
Original commit, revision 306428
Thursday, 25 Oct 2012
19:31 rm
- add CVE reference (still in reserved state) for recent django vulnerability

Feature safe:	yes
Original commit, revision 306393
10:12 rm
- update django ports to 1.3.4 and 1.4.2, which fix a couple of security issues.
  All users are encouraged to upgrade immediately.
- add vuxml entry

changes common for both ports:
- trim Makefile header
- strict python version to 2.x only
- utilize options framework multiple choice feature to let the user choose
  the database backends needed. Make SQLITE option default
- shorten description of HTMLDOCS_DESC to make it fit into dialog screen
- SITELIBDIR -> PKGNAMEPREFIX change in dependencies
- convert NOPORTDOCS condition to optionsng
- tab -> space change in pkg-descr

PR:		173017
Submitted by:	rm (myself)
Approved by:	lwhsu (maintainer, by mail)
Security:	5f326d75-1db9-11e2-bc8f-d0df9acfd7e5
Feature safe:   yes
Original commit, revision 306376
Monday, 22 Oct 2012
02:37 wxs
Document multiple wireshark vulnerabilities.

Feature safe:	yes
Original commit, revision 306252
Thursday, 18 Oct 2012
04:13 jgh
- clarify end-user impact for 57652765-18aa-11e2-8382-00a0d181e71d
Suggested by:	simon@
Feature safe:	yes
Original commit, revision 306051
Wednesday, 17 Oct 2012
23:47 jgh
- document xlockmore issue, 57652765-18aa-11e2-8382-00a0d181e71d, CVE-2012-4524
Feature safe:	yes
Original commit, revision 306041
17:22 sem
- xinetd vulnerability

Feature safe:	yes
Original commit, revision 306024
Tuesday, 16 Oct 2012
14:37 glarkin
- Updated ZF advisory to include similar XEE vulnerability

Feature safe:	yes
Original commit, revision 305978
14:26 glarkin
- Document Zend Framework XXE injection vulnerability

Feature safe:	yes
Original commit, revision 305974
Monday, 15 Oct 2012
16:31 eadler
Add the CVE for the gitolite vuln.

Feature safe:	yes
Original commit, revision 305922
16:02 swills
- Actually commit the VuXML entry

PR:		ports/172565
Feature safe:	yes
Pointyhat to:	swills
Original commit, revision 305918
Sunday, 14 Oct 2012
21:05 matthew
Document the latest security vulnerabilities for phpMyAdmin.
Fix was already committed to the port 6 days ago.

Feature safe:	yes
Original commit, revision 305894
15:30 zi
- Add in additional package names for recent bind vulnerability

Feature safe:	yes
Original commit, revision 305882
Thursday, 11 Oct 2012
19:15 flo
- update to 16.0.1
- update vuln.xml entry

Feature safe:   yes
Original commit, revision 305736
Wednesday, 10 Oct 2012
22:07 rene
Document a new vulnerability in www/chromium < 22.0.1229.94

Obtained from:	http://googlechromereleases.blogspot.nl/search/label/Stable%20updates
Feature safe:	yes
Original commit, revision 305692
21:13 flo
- Update firefox-esr, thunderbird-esr, linux-firefox and linux-thunderbird to
10.0.8
- Update firefox and thunderbird to 16.0
- Update seamonkey to 2.13
- Update all -i18n ports respectively
- switch firefox 16.0 and seamonkey 2.13 to ALSA by default for better
  latency during pause and seeking with HTML5 video
- remove fedisableexcept() hacks, obsolete since FreeBSD 4.0
- support system hunspell dictionaries [1]
- unbreak -esr ports with clang3.2 [2]
- unbreak nss build when CC contains full path [3]
- remove GNOME option grouping [4]
- integrate enigmail into thunderbird/seamonkey as an option [5]
- remove mail/enigmail* [6]
- enable ENIGMAIL, LIGHTNING and GIO options by default
- add more reporters in about:memory: page-faults-hard, page-faults-soft,
  resident, vsize
- use bundled jemalloc 3.0.0 on FreeBSD < 10.0 for gecko 16.0,
  only heap-allocated reporter works in about:memory (see bug 762445)
- use lrintf() instead of slow C cast in bundled libopus
- use libjpeg-turbo's faster color conversion if available during build
- record startup time for telemetry
- use -z origin instead of hardcoding path to gecko runtime
- fail early if incompatible libxul version is installed (in USE_GECKO)
- *miscellaneous cleanups and fixups*

PR:		ports/171534 [1]
PR:		ports/171566 [2]
PR:		ports/172164 [3]
PR:		ports/172201 [4]
Discussed with:	ale, beat, Jan Beich [5]
Approved by:	ale [6]
In collaboration with:	Jan Beich <jbeich@tormail.org>
Security:	6e5a9afd-12d3-11e2-b47d-c8600054b392
Feature safe:	yes
Approved by:	portmgr (beat)
Original commit, revision 305684
11:54 erwin
Upgrade to the latest BIND patch level:

A deliberately constructed combination of records could cause named
to hang while populating the additional section of a response.

Security:	http://www.vuxml.org/freebsd/57a700f9-12c0-11e2-9f86-001d923933b6.html
Original commit, revision 305645
Wednesday, 3 Oct 2012
12:51 rm
- correct the range in last entry (le/lt typo)
Original commit, revision 305201
12:33 rm
- update to 2.8.10
- add vuxml entry

This release fixes an SQL injection vulnerability.

PR:		172114
Submitted by:	rm (myself)
Approved by:	ports-secteam (eadler)
Security:	dee44ba9-08ab-11e2-a044-d0df9acfd7e5
Original commit, revision 305200
Thursday, 27 Sep 2012
17:01 danfe
Mark nvidia-driver-173.14.35_1 as not vulnerable.
Original commit, revision 304967
Wednesday, 26 Sep 2012
21:49 rene
Document vulnerabilities in www/chromium < 22.0.1229.79

Obtained from:	http://googlechromereleases.blogspot.nl/search/label/Stable%20updates
Original commit, revision 304933
15:37 glarkin
- Document remote code execution in ePerl (all versions)
- Deprecate and schedule removal in a month - no upstream fix available and
  no active development since 1998

Security:	73efb1b7-07ec-11e2-a391-000c29033c32
Security:	CVE-2001-0733
Security:	http://www.shmoo.com/mail/bugtraq/jun01/msg00286.shtml
Original commit, revision 304919
Tuesday, 25 Sep 2012
21:41 glarkin
- Documented PNG file DoS vulnerability in ImageMagick and GraphicsMagick
- Added -nox11 suffixes to various ImageMagick entries
Original commit, revision 304862
Sunday, 23 Sep 2012
12:27 eadler
Update vuxml to indicate which versions are vulnerable.
Original commit, revision 304735
Thursday, 20 Sep 2012
03:02 bdrewery
- Update php52 backports patch to 20120911
- Add and update relevant vuxml entries

Changes:
  - CVE-2011-1398 - The sapi_header_op function in main/SAPI.c in PHP
    before 5.3.11 does not properly handle %0D sequences
  - CVE-2012-0789 - Memory leak in the timezone functionality in PHP
    before 5.3.9 allows remote attackers to cause a denial of service
    (memory consumption) by triggering many strtotime function calls,
    which are not properly handled by the php_date_parse_tzfile cache.
  - CVE-2012-3365 - The SQLite functionality in PHP before 5.3.15 allows
    remote attackers to bypass the open_basedir protection mechanism via
     unspecified vectors
  - Timezone database updated to version 2012.5 (2012e) (from 2011.13 (2011m))
  - Minor improvements (CVE-2012-2688, compilation issues with old GCC)

PR:		ports/171583
Submitted by:	Svyatoslav Lempert <svyatoslav.lempert@gmail.com>
Approved by:	Alex Keda <admin@lissyara.su> (maintainer)
Original commit, revision 304559
01:09 bdrewery
- CVE-2012-2688 was addressed by php52-5.2.17_10

PR:		ports/170063
PR:		ports/171583
Reported by:	Svyatoslav Lempert <svyatoslav.lempert@gmail.com>
Security:	bdab0acd-d4cd-11e1-8a1c-14dae9ebcf89
Original commit, revision 304558
Wednesday, 19 Sep 2012
03:46 dougb
Upgrade to the latest BIND patch level:

Prevents a crash when queried for a record whose RDATA exceeds
65535 bytes.

Prevents a crash when validating caused by using "Bad cache" data
before it has been initialized.

ISC_QUEUE handling for recursive clients was updated to address
a race condition that could cause a memory leak. This rarely
occurred with UDP clients, but could be a significant problem
for a server handling a steady rate of TCP queries.

A condition has been corrected where improper handling of
zero-length RDATA could cause undesirable behavior, including
termination of the named process.

For more information: https://kb.isc.org/article/AA-00788
Original commit, revision 304476
Monday, 17 Sep 2012
18:46 lwhsu
Document Jenkins Security Advisory 2012-09-17
Original commit, revision 304415
Saturday, 15 Sep 2012
21:25 eadler
include newly 'awarded' CVE
Original commit, revision 304327
17:22 nox
Add vuxml for older versions of multimedia/vlc.

PR:		ports/169985
Submitted by:	"Anders N." <wicked@baot.se>
Original commit, revision 304320
02:19 eadler
Tell the world about the recent bacula vuln
Original commit, revision 304305
Thursday, 13 Sep 2012
03:35 swills
- Update to 0.10.22.6 which fixes two security issues
- Document security issues in vuxml [1]

Reviewed by:	bdrewery [1]
Security:	178ba4ea-fd40-11e1-b2ae-001fd0af1a4c
Original commit, revision 304170
Wednesday, 12 Sep 2012
07:31 danfe
Update NVIDIA arbitrary memory access vulnerability with CVE-2012-4225.
Original commit, revision 304136
Tuesday, 11 Sep 2012
11:38 zi
- Update entry for net/freeradius2 to reflect local patch to address
cve-2012-3547
Original commit, revision 304088
08:46 rea
VuXML: document remote code execution in freeRADIUS
Original commit, revision 304085
07:51 rea
www/moinmoin: fix CVE-2012-4404, wrong processing of group ACLs

Using upstream patch from
  http://hg.moinmo.in/moin/1.9/raw-rev/7b9f39289e16

PR:		171346
QA page:	http://codelabs.ru/fbsd/ports/qa/www/moinmoin/1.9.4_1
Approved by:	khsing.cn@gmail.com (maintainer)
Security:	http://www.vuxml.org/freebsd/4f99e2ef-f725-11e1-8bd8-0022156e8794.html
Original commit, revision 304084
Saturday, 8 Sep 2012
02:37 eadler
Add vim specific modeline to help users write correct vuxml

Submitted by:	bdrewery
Original commit, revision 303851
Friday, 7 Sep 2012
23:07 rakuco
Document the vulnerability that led to emacs 24.2
Original commit, revision 303835
20:25 swills
- Update to 3.4.2 [1] [2] [3]
- Document security issue [4]

PR:		ports/171397 [1]
PR:		ports/171404 [2]
PR:		ports/171405 [3]
Submitted by:	Yuan-Chung Hsiao <ychsiao@ychsiao.org> (maintainer) [1]
Submitted by:	Joe Horn <joehorn@gmail.com> (maintainer) [2] [3]
Reviewed by:	eadler [4]
Security:	30149157-f926-11e1-95cd-001fd0af1a4c
Original commit, revision 303824
Thursday, 6 Sep 2012
06:10 rea
VuXML: add <modified> tag for Wireshark's entry for CVE-2012-3548
Original commit, revision 303744
Wednesday, 5 Sep 2012
16:02 marcus
Change the wireshark version for the DRDA fix.
Original commit, revision 303712
10:42 rea
VuXML: document XSS in MoinMoin before 1.9.4 via RST parser
Original commit, revision 303700
09:47 rea
VuXML: document wrong group ACL processing in MoinMoin
Original commit, revision 303695
06:29 rea
PHP 5.x: document header splitting vulnerability

There is a related CVE number (CVE-2012-4388), but there is no current
consensus about it:
  http://article.gmane.org/gmane.comp.security.oss.general/8303
Original commit, revision 303685
Tuesday, 4 Sep 2012
21:05 mandree
Modify fetchmail vuln' URLs to established site.
While at it, adjust the two oldest topics to current format, for uniformity,
on, for instance, http://www.vuxml.org/freebsd/pkg-fetchmail.html.
Original commit, revision 303672
13:45 rea
security/squidclamav: fix DoS and XSS vulnerabilities

Apply upstream patches for CVE-2012-3501 and CVE-2012-4667.

Security:	http://www.vuxml.org/freebsd/ce680f0a-eea6-11e1-8bd8-0022156e8794.html
Security:	http://www.vuxml.org/freebsd/8defa0f9-ee8a-11e1-8bd8-0022156e8794.html
PR:		171022
QA page:	http://codelabs.ru/fbsd/ports/qa/security/squidclamav/5.7_1
Approved by:	maintainer timeout (1 week)
Original commit, revision 303652
Sunday, 2 Sep 2012
02:57 eadler
Inform the community about a recent bitcoin DoS vuln.

Reviewed by:	swills
Original commit, revision 303527
Saturday, 1 Sep 2012
20:16 ohauer
- update bugzilla bugzilla3 and bugzilla42
- use new bugzilla@ address (members skv@, tota@, ohauer@)
- patch russian/japanese/german bugzilla and bugzilla templates
  so they reflect the security updates in the original templates
- patch german/bugzilla42 templates
- adopt new Makefile header

	vuxml: 6ad18fe5-f469-11e1-920d-20cf30e32f6d
	CVE: CVE-2012-3981
	https://bugzilla.mozilla.org/show_bug.cgi?id=785470
	https://bugzilla.mozilla.org/show_bug.cgi?id=785522
	https://bugzilla.mozilla.org/show_bug.cgi?id=785511
Original commit, revision 303519
18:50 rea
VuXML: document CVE-2012-3534, DoS via large number of connections
Original commit, revision 303508
17:40 eadler
vuxml matches on PKGNAME, not on the port directory.
mediawiki118 has PKGNAME mediawiki-1.18.4
Original commit, revision 303503
17:16 rea
Add "modified" tag to the Java 7 entry

Forgot to do it at r303435.

Spotted by:	wxs
Pointyhat to:	rea
Original commit, revision 303499
12:44 wen
- Update www/mediawiki to 1.19.2
- Update www/mediawiki118 to 1.18.5
- Document the security bugs
Original commit, revision 303471
Friday, 31 Aug 2012
16:58 rea
VuXML: update Java 7 entry with Oracle-provided details

Oracle's Java 7 update 7 fixes CVE-2012-4681.
Original commit, revision 303435
15:17 mandree
Tidy up paragraph formatting (it passed "make validate" before).

Suggested by:	wxs
Original commit, revision 303428
10:59 rea
VuXML: document CVE-2012-3548, DoS in Wireshark
Original commit, revision 303414
Thursday, 30 Aug 2012
23:08 rene
Document vulnerabilities in www/chromium < 21.0.1180.89

Obtained from:	http://googlechromereleases.blogspot.nl/search/label/Stable%20updates
Original commit, revision 303394
22:14 flo
- Update net/asterisk to 1.8.15.1
- Update net/asterisk10 to 10.7.1
- Document vulnerabilities in vuln.xml
- Fix URLs in the previous asterisk vuln.xml entry

Security:	http://www.vuxml.org/freebsd/4c53f007-f2ed-11e1-a215-14dae9ebcf89.html
Original commit, revision 303393
11:40 jase
- Update to 1.5.20
- Update MASTER_SITES
- Convert to optionsNG and add DOCS option
- Document security vulnerabilities [1]

PR:		ports/169558
Requested by:	Alexey <alexey@kouznetsov.com> (submitter)
Security:	6dd5e45c-f084-11e1-8d0f-406186f3d89d [1]
Approved by:	flo (mentor)
Original commit, revision 303369
09:03 rea
VuXML: document CVE-2012-4681, security manager bypass in Java 7.x
Original commit, revision 303364
06:23 mandree
Add a vuln' entry for fetchmail's CVE-2011-3389 vulnerability.
Original commit, revision 303361
Monday, 27 Aug 2012
17:44 mandree
Update fetchmail to 6.3.21_1, fixing CVE-2012-3482.
Adjust VuXML database entry from < 6.3.22 to < 6.3.21_1.

PR:		ports/170613
Approved by:	maintainer timeout (14 days)
Security:	http://www.vuxml.org/freebsd/83f9e943-e664-11e1-a66d-080027ef73ec.html
Security:	CVE-2012-3482
Original commit
Sunday, 26 Aug 2012
21:31 rea
VuXML entry c906e0a4-efa6-11e1-8fbf-001b77d09812: fix port epoch

Pointyhat to: rea
Original commit
21:26 rea
VuXML: document XSS in RoundCube Web-mail application

Branch 0.8.x before 0.8.1 is prone to XSS attack via incoming
HTML messages.
Original commit
17:33 rea
news/inn: fix plaintext command injection, CVE-2012-3523

Relevant only for INN installations that are using encryption.

PR:		171013
Approved by:	fluffy@FreeBSD.org (maintainer)
Security:	http://www.vuxml.org/freebsd/a7975581-ee26-11e1-8bd8-0022156e8794.html
Original commit
01:44 avilla
- Document Calligra input validation failure.
Original commit
Saturday, 25 Aug 2012
22:17 bdrewery
- Document that CVE-2012-3386 only affects automake >= 1.5.0

Verified this by inspecting the automake14 source, as well as
official release tarballs and git history.

Approved by:	bapt (mentor)
Original commit
11:38 rea
VuXML: document cross-site scripting in SquidClamav
Original commit
10:07 rea
VuXML: document DoS in SquidGuard

SquidGuard can be crashed via a specially crafted URL
when an external URL checker is used.
Original commit
Friday, 24 Aug 2012
20:13 rea
VuXML: document INN plaintext command injection vulnerability
Original commit
Wednesday, 22 Aug 2012
21:10 rea
VuXML: document CVE-2012-3525 in jabberd 2.x
Original commit
20:01 rea
VuXML: fix whitespace in my previous rssh entry
Original commit
20:00 rea
VuXML: document rssh vulnerabilities fixed in version 2.3.3
Original commit
Tuesday, 21 Aug 2012
20:56 rea
rssh: document arbitrary code execution, CVE-2012-3478
Original commit
Monday, 20 Aug 2012
01:40 wxs
Put libotr entry back. I added the cited URL to the references.
Original commit
Sunday, 19 Aug 2012
21:47 dougb
Remove the improperly formatted libotr entry. Someone with more knowledge
and experience needs to take care of this, I'm clearly not competent.
Original commit
Saturday, 18 Aug 2012
08:39 dougb
14 August 2012 libotr version 3.2.1 released

Versions 3.2.0 and earlier of libotr contain a small heap write overrun
(thanks to Justin Ferguson for the report), and a large heap read overrun
(thanks to Ben Hawkes for the report).

Add a vuxml entry, and tune up the notes about adding a new entry.
Original commit
03:07 wxs
Document OpenTTD DoS.
Original commit
02:30 wxs
Document multiple wireshark vulnerabilities.

Two are from 1.8.1 (CVE-2012-4048 and CVE-2012-4049). The remaining are
from 1.8.2 which is not in ports yet.
Original commit
Friday, 17 Aug 2012
19:39 jgh
The PostgreSQL Global Development Group today released security updates for all
active branches of the PostgreSQL database system, including versions 9.1.5,
9.0.9, 8.4.13 and 8.3.20. This update patches security holes associated with
libxml2 and libxslt, similar to those affecting other open source projects. All
users are urged to update their installations at the first available
opportunity.

This security release fixes a vulnerability in the built-in XML functionality,
and a vulnerability in the XSLT functionality supplied by the optional XML2
extension. Both vulnerabilities allow reading of arbitrary files by any
authenticated database user, and the XSLT vulnerability allows writing files as
well. The fixes cause limited backwards compatibility issues.
These issues correspond to the following two vulnerabilities:

CVE-2012-3488: PostgreSQL insecure use of libxslt
CVE-2012-3489: PostgreSQL insecure use of libxml2
This release also contains several fixes to version 9.1, and a smaller number of
fixes to older versions, including:

Updates and corrections to time zone data
Multiple documentation updates and corrections
Add limit on max_wal_senders
Fix dependencies generated during ALTER TABLE ADD CONSTRAINT USING INDEX.
Correct behavior of unicode conversions for PL/Python
Fix WITH attached to a nested set operation (UNION/INTERSECT/EXCEPT).
Fix syslogger so that log_truncate_on_rotation works in the first rotation.
Only allow autovacuum to be auto-canceled by a directly blocked process.
Improve fsync request queue operation
Prevent corner-case core dump in rfree().
Fix Walsender so that it responds correctly to timeouts and deadlocks
Several PL/Perl fixes for encoding-related issues
Make selectivity operators use the correct collation
Prevent unsuitable slaves from being selected for synchronous replication
Make REASSIGN OWNED work on extensions as well
Fix race condition with ENUM comparisons
Make NOTIFY cope with out-of-disk-space
Fix memory leak in ARRAY subselect queries
Reduce data loss at replication failover
Fix behavior of subtransactions with Hot Standby
Original commit
07:27 matthew
Document the latest phpMyAdmin vulnerability PMSA-2012-4
Original commit
Wednesday, 15 Aug 2012
19:45 bdrewery
- Update www/typo3 to 4.7.4 [1]
- Convert to new options framework [1]
- Update www/typo345 to 4.5.19 [2]
- Update www/typo346 to 4.6.12 [3]
- Changes: https://typo3.org/news/article/typo3-4519-4612-and-474-released/
- Document security vulnerabilities [4]
 
https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2012-004/

PR:		ports/170650 [1]
PR:		ports/170647 [2]
PR:		ports/170649 [3]
Submitted by:	Helmut Schneider <jumper99@gmx.de> (maintainer)
Security:	48bcb4b2-e708-11e1-a59d-000d601460a4 [4]
Approved by:	eadler (mentor)
Original commit
Tuesday, 14 Aug 2012
23:17 mandree
Document CVE-2012-3482 for fetchmail, one DoS and one information disclosure
vulnerability in non-default NTLM code.

Also see ports/170613 which is pending maintainer feedback.
Original commit
Monday, 13 Aug 2012
17:57 jkim
Belatedly add an entry for the recent IcedTea-Web updates.
Original commit
Saturday, 11 Aug 2012
17:41 novel
Document libcloud MITM vuln.

Security:	CVE-2012-3446
Original commit
08:11 matthew
Document the latest phpmyadmin security problem.
Original commit
Friday, 10 Aug 2012
14:38 rene
- Document vulnerabilities in www/chromium 20.0.1132.57 and 21.0.1180.60.
- Keep the latest chromium vulnerabilities on top.
Original commit
08:08 rene
Document two vulnerabilities in www/chromium < 21.0.1180.75 related to the
builtin PDF viewer.

Obtained from:	http://googlechromereleases.blogspot.com/search/label/Stable%20updates
Original commit
02:50 swills
- Update rails and friends to 3.2.8
- Document security issue in 3.2.7 [1]

Submitted by:	bdrewery [1]
Reviewed by:	swills [1]
Security:	31db9a18-e289-11e1-a57d-080027a27dbf
Original commit
Thursday, 9 Aug 2012
15:43 wxs
Document old sudosh buffer overflow.

Noticed by:	Diego Linke
Original commit
Tuesday, 7 Aug 2012
15:57 wxs
Fix up whitespace in 10f38033-e006-11e1-9304-000000000000.
Replace broken vid in 10f38033-e006-11e1-9304-000000000000 with one that is
correct.
Original commit
02:02 zi
- Document FreeBSD-SA-12:05.bind
Original commit
Monday, 6 Aug 2012
22:44 bdrewery
Document CVE-2012-3386 for devel/automake

Approved by:	eadler (mentor)
Original commit
Thursday, 2 Aug 2012
21:24 flo
Belatedly add an entry for the recent Mozilla updates

Security:	http://www.freebsd.org/ports/portaudit/dbf338d0-dce5-11e1-b655-14dae9ebcf89.html
Original commit
12:59 zi
- Cleanup whitespace
Original commit
12:48 wxs
Whitespace fixes.
Original commit
