non port: security/vuxml/vuln.xml |
Number of commits found: 6273 (showing only 100 on this page) |
Thursday, 2 Aug 2012
|
12:35 wxs
Add modified for django entry.
Noticed by: remko@
 |
03:25 wxs
Add CVE entries for f01292a0-db3c-11e1-a84b-00e0814cab4e.
 |
03:17 wxs
Document Apache 2.2.x insecure handling of LD_LIBRARY_PATH.
Add patch[1] to address problem to apache port.
[1]:
http://svn.apache.org/viewvc/httpd/httpd/trunk/support/envvars-std.in?view=log&pathrev=1296428
Approved by: apache@ (pgollucci@)
Obtained from: Apache SVN
 |
Tuesday, 31 Jul 2012
|
19:04 lwhsu
- Document django -- multiple vulnerabilities
 |
Monday, 30 Jul 2012
|
12:42 zi
- Update net/isc-dhcp41-server to 4.1-ESV-R6 [1]
- Document vulnerabilities in net/isc-dhcp41-server
- Cleanup formatting in vuxml
PR: ports/170245 [1]
Submitted by: Douglas Thrift <douglas@douglasthrift.net> (maintainer) [1]
Security: c7fa3618-d5ff-11e1-90a2-000c299b62e1
 |
Friday, 27 Jul 2012
|
22:10 delphij
Fix build.
 |
21:34 ohauer
- security update bugzilla
new Versions: 3.6.10, 4.0.7, 4.2.2
4.2.2
This release fixes two security issues. See the Security Advisory for details.
In addition, the following important fixes/changes have been made in this
release:
o A regression introduced in Bugzilla 4.0 caused some login names to be ignored
when entered in the CC list of bugs. (Bug 756314)
o Some queries could trigger an invalid SQL query if strings entered by the user
contained leading or trailing whitespaces. (Bug 760075)
o The auto-completion form for keywords no longer automatically selects the
first keyword in the list when the field is empty. (Bug 764517)
o A regression in Bugzilla 4.2 prevented classifications from being used in
graphical and tabular reports in the "Multiple Tables" field. (Bug 753688)
o Attachments created by the email_in.pl script were associated to the wrong
comment. (Bug 762785)
o Very long dependency lists can now be viewed correctly. (Bug 762783)
o Keywords are now correctly escaped in the auto-completion form to prevent any
XSS abuse. (Bug 754561)
o A regression introduced in Bugzilla 4.0rc2 when fixing CVE-2011-0046 caused
the "Un-forget the search" link to not work correctly anymore when restoring a
deleted saved search, because this link was lacking a valid token. (Bug 768870)
o Two minor CSRF vulnerabilities have been fixed which could let an attacker
alter your default search criteria in the Advanced Search page. (Bugs 754672
and 754673)
4.0.7
This release fixes one security issue. See the Security Advisory for details.
In addition, the following bugs have been fixed in this release:
o A regression introduced in Bugzilla 4.0 caused some login names to be ignored
when entered in the CC list of bugs. (Bug 756314)
o Keywords are now correctly escaped in the auto-complete form to prevent any
XSS abuse. (Bug 754561)
o A regression introduced in Bugzilla 4.0rc2 when fixing CVE-2011-0046 caused
the "Un-forget the search" link to not work correctly anymore when restoring a
deleted saved search, because this link was lacking a valid token. (Bug 768870)
3.6.10
This release fixes one security issue. See the Security Advisory for details.
http://www.bugzilla.org/security/3.6.9/
Approved by: implicit skv@ (bugzilla / bugzilla3)
Security: CVE-2012-1968
CVE-2012-1969
https://bugzilla.mozilla.org/show_bug.cgi?id=777398
https://bugzilla.mozilla.org/show_bug.cgi?id=777586
vid=58253655-d82c-11e1-907c-20cf30e32f6d
 |
13:20 miwi
- Whitespace only fixes.
Please care more about formatting.
 |
12:39 zi
- Update to 3.2.13
- Cleanup whitespace
- Document vulnerability in dns/nsd (CVE-2012-29789)
PR: ports/170208
Submitted by: Jaap Akkerhuis <jaap@NLnetLabs.nl> (maintainer)
Security: 17f369dc-d7e7-11e1-90a2-000c299b62e1
 |
03:09 swills
- Update Rails and friends to 3.2.7
- Add vuxml entry for Rails 3.2.6 [1]
Reviewed by: zi [1]
 |
Thursday, 26 Jul 2012
|
17:46 matthew
Security update to 0.11
ChangeLog:
0.11 2012-07-03 Alex Vandiver
* Obfuscate passwords in RT's System Configuration page
* Set an empty CurrentUser on failure, instead of removing it entirely
0.10_01 2012-02-23 Thomas Sibley
* Escape usernames in filter values so special characters don't die
0.10 2012-02-17 Thomas Sibley
* Silence confusing log messages when $ExternalInfoPriority is empty
0.09_03 2012-01-27 Thomas Sibley
* Fetch the necessary attributes when group_attr_value is used
* Test escaping of commas during the group check
0.09_02 2012-01-26 Thomas Sibley
* Improved logging inside the LDAP group membership check
0.09_01 2012-01-23 Thomas Sibley
* Improved logic when dealing with Disabled/disabling users
* Configurable group membership attribute values
* Group membership tests
Security Advisory:
http://blog.bestpractical.com/2012/07/security-vulnerabilities-in-three-commonly-deployed-rt-extensions.html
Approved by: shaun (mentor)
Security: cdc4ff0e-d736-11e1-8221-e0cb4e266481
 |
Wednesday, 25 Jul 2012
|
02:32 zi
- Document vulnerabilities in net/isc-dhcp42-server
 |
Tuesday, 24 Jul 2012
|
19:23 dougb
Heavy DNSSEC Validation Load Can Cause a "Bad Cache" Assertion Failure
in BIND9
High numbers of queries with DNSSEC validation enabled can cause an
assertion failure in named, caused by using a "bad cache" data structure
before it has been initialized.
CVE: CVE-2012-3817
Posting date: 24 July, 2012
 |
01:12 delphij
/ is not allowed in package name, fix the entry by removing the
databases/ prefix.
 |
00:56 swills
- Document activerecord security issues
 |
Monday, 23 Jul 2012
|
14:39 flo
- update to 5.3.15
- document php vulnerabilities
Security: http://www.vuxml.org/freebsd/bdab0acd-d4cd-11e1-8a1c-14dae9ebcf89.html
 |
Saturday, 21 Jul 2012
|
22:40 eadler
Fix nit:
blockquote citations should be listed as a reference as citation isn't user
visible.
 |
Friday, 20 Jul 2012
|
14:53 crees
Document nsd vulnerability
The referenced PR contains a fix that bumps PORTREVISION, so the entry will
not match fixed versions.
PR: ports/170024
Obtained from: http://www.nlnetlabs.nl/downloads/CVE-2012-2978.txt
Security: CVE-2012-2978
 |
Thursday, 19 Jul 2012
|
15:20 eadler
The changelog indicates the bug can be found in versions prior to 1.2.1
Fix nit: references section should include urls used in citation.
 |
Wednesday, 18 Jul 2012
|
20:28 cs
Document buffer overflow in jpeg-turbo
PR: ports/169963
Submitted by: Denis E Podolskiy <bytestore@yandex.ru>
Security: CVE-2012-2806
 |
20:08 delphij
Document dokuwiki XSS vulnerability.
 |
Wednesday, 11 Jul 2012
|
01:47 swills
- Document puppet security issue
Obtained from:
http://projects.puppetlabs.com/projects/puppet/wiki/Release_Notes#2.7.18
 |
Sunday, 8 Jul 2012
|
19:00 eadler
openx reported a new security issue but does not provide any details: inform
users of this.
 |
Friday, 6 Jul 2012
|
18:08 flo
Document asterisk vulnerabilities.
 |
04:09 sunpoet
- Document typo3 4.5.x, 4.6.x and 4.7.x XSS vulnerability
Security:
https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2012-003/
 |
Monday, 2 Jul 2012
|
20:05 wxs
Document phplist SQL injection and XSS.
Submitted by: Krzysztof Stryjek <wtp@bsdserwis.com>
 |
Wednesday, 27 Jun 2012
|
21:04 rene
Document vulnerabilities for www/chromium < 20.0.1132.43
Obtained from:
http://googlechromereleases.blogspot.nl/search/label/Stable%20updates
 |
15:34 zi
- Document recent FreeBSD SA's for 2012: SA-12:04.sysret, SA-12:03.bind,
SA-12:02.crypt, SA-12:01.openssl
Reviewed by: wxs
 |
Monday, 25 Jun 2012
|
16:06 jgh
- update to 2.6
PyCrypto before 2.6 does not produce appropriate prime numbers when using an ElGamal
scheme to generate a key, which reduces the signature space or public key space and
makes it easier for attackers to conduct brute force attacks to obtain the private key.
PR: ports/169146
Approved by: portmgr
 |
Saturday, 23 Jun 2012
|
03:48 sunpoet
- Remove PORTEPOCH for de-wordpress and zh-wordpress
 |
Friday, 22 Jun 2012
|
05:42 jgh
- fix range for f5f00804-a03b-11e1-a284-0023ae8e59f0
- add url
- adjust modified accordingly
PR: ports/169152
Submitted by: Trond.Endrestol@ximalas.info
 |
Thursday, 21 Jun 2012
|
12:02 rm
- fix spelling of `php-fpm' in entry description
 |
Tuesday, 19 Jun 2012
|
16:16 scheidell
- fix package name
Submitted by: scheidell@ (me)
 |
15:59 scheidell
- Add entry for www/joomla25, needs min version 2.5.5
Submitted by: scheidell@ (me)
 |
Sunday, 17 Jun 2012
|
05:08 eadler
Fix some nits:
- cvename gets automatically expanded to the MITRE url
 |
Saturday, 16 Jun 2012
|
13:35 zi
- Document recent vulnerabilities in security/clamav: CVE-2012-1419,
CVE-2012-1457, CVE-2012-1458, CVE-2012-1459
 |
Thursday, 14 Jun 2012
|
22:57 flo
Document asterisk vulnerability.
 |
21:41 nox
Add vuxml for older version of graphics/ImageMagick.
PR: ports/166686 (related to)
Submitted by: 4721@hushmail.com (the vuxml, via irc)
 |
Wednesday, 13 Jun 2012
|
20:16 wxs
Update 55587adb-b49d-11e1-8df1-0004aca374af with more information.
 |
Tuesday, 12 Jun 2012
|
15:27 wxs
Document mantis vulnerabilities. The information is a bit light on details
but I'm unable to track down better.
PR: ports/168984
Submitted by: Dan Langille <dan@langille.org>
 |
Saturday, 9 Jun 2012
|
06:42 eadler
Update to 11.1.r202.236 and inform community of security issues
Security: 38195f00-b215-11e1-8132-003067b2972c
 |
Wednesday, 6 Jun 2012
|
21:16 delphij
Correct names for BIND 9.6.x and BIND 9.7.x.
 |
13:09 wxs
Fix my previous commit by adding an accidentally removed <p>.
 |
12:52 wxs
Remove unnecessary <p> tags from 47f13540-c4cb-4971-8dc6-28d0dabfd9cd.
 |
07:30 eadler
Fix some nits:
- Improve wording of Sympa vuln description
- The url used as a citation for the description must also be a
reference for the user.
 |
Tuesday, 5 Jun 2012
|
20:10 beat
- Document mozilla -- multiple vulnerabilities
 |
15:15 sem
- Document the last quagga vulnerability
 |
10:47 crees
Document sympa vulnerability
 |
03:19 eadler
Fix some nits:
The url in the cite attribute must appear as a reference
 |
Monday, 4 Jun 2012
|
21:51 dougb
Upgrade to 9.6-ESV-R7-P1, 9.7.6-P1, 9.8.3-P1, and 9.9.1-P1, the latest
from ISC. These patched versions contain a critical bugfix:
Processing of DNS resource records where the rdata field is zero length
may cause various issues for the servers handling them.
Processing of these records may lead to unexpected outcomes. Recursive
servers may crash or disclose some portion of memory to the client.
Secondary servers may crash on restart after transferring a zone
containing these records. Master servers may corrupt zone data if the
zone option "auto-dnssec" is set to "maintain". Other unexpected
problems that are not listed here may also be encountered.
All BIND users are strongly encouraged to upgrade.
 |
Thursday, 31 May 2012
|
17:27 thierry
Add the quoted url as a reference for nut.
Requested by: eadler
 |
16:53 miwi
- Fix formatting in previous entries
 |
16:40 jgh
- better define ranges for a8864f8f-aa9e-11e1-a284-0023ae8e59f0 and add another
vendor note
 |
Wednesday, 30 May 2012
|
22:26 jgh
- Address postgresql*-servers for crypt vulnerability (CVE-2012-2143)
http://www.postgresql.org/about/news/1397/
With hat: pgsql
 |
20:46 thierry
Add an entry for CVE-2012-2944 in sysutils/nut.
 |
03:47 eadler
Fix some nits:
The url in the cite attribute must appear as a reference
References should be sorted
 |
Tuesday, 29 May 2012
|
23:08 flo
Document asterisk vulnerabilities.
 |
Monday, 28 May 2012
|
22:45 rene
Document vulnerabilities before www/chromium 19.0.1084.52 (the port is safe).
Obtained from:
http://googlechromereleases.blogspot.com/search/label/Stable%20updates
Security: CVE-2011-[3103-3115]
 |
Saturday, 26 May 2012
|
00:59 gavin
Correct spelling mistake, FreeSD -> FreeBSD
Reviewed by: nox
 |
Thursday, 24 May 2012
|
23:46 jgh
- document security issue for haproxy
PR: ports/165035
Submitted by: jgh@
Security: CVE-2012-2391
 |
19:55 flo
Document RT vulnerabilities.
(I'm only committing this as matthew is still waiting for mentor approval, and
we found it important enough to commit it right now)
Submitted by: matthew
 |
Monday, 21 May 2012
|
16:43 jgh
- inspircd 1.2.9 is not vulnerable
PR: ports/167975
Spotted by: feld@feld.me
 |
13:15 rm
Add an entry for mail/sympa < 6.1.11 (CVE-2012-2352)
 |
06:57 rm
Add www/foswiki < 1.1.5 entry (CVE-2012-1004)
 |
05:31 miwi
- Correct b8ae4659-a0da-11e1-a294-bcaec565249c entry [1]
- Formatting and cleanup
Submitted by: Neal Dias <ndias@cisco.com> [1]
 |
Friday, 18 May 2012
|
11:51 kwm
Document and fix an off-by-one vulnerability in libxml2.
Obtained from: libxml upstream
Security: b8ae4659-a0da-11e1-a294-bcaec565249c
 |
Thursday, 17 May 2012
|
17:31 jgh
- fix date in 725ab25a-987b-11e1-a2ef-001fd0af1a4c
 |
17:12 jgh
- revert unintentional date change in aa71daaa-9f8c-11e1-bd0a-0082a0c18826
- update date in f5f00804-a03b-11e1-a284-0023ae8e59f0
- adjust dates in 3d55b961-9a2e-11e1-a2ef-001fd0af1a4c
a1d0911f-987a-11e1-a2ef-001fd0af1a4c for ordering
 |
16:52 jgh
- Update inspircd to 2.0.5 [1]
- document CVE-2012-1836 [2]
PR: ports/167975
Submitted by: maintainer, feld@feld.me [1], jgh@ [2]
Security: CVE-2012-1836
 |
05:56 eadler
Fix some nits:
The url in the cite attribute must appear as a reference
The CVE automatically gets expanded to a url so the mitre url is not
needed
 |
05:44 jgh
- fix spelling in b3435b68-9ee8-11e1-997c-002354ed89bc
 |
Wednesday, 16 May 2012
|
19:41 dougb
Versions 3.2.0 and earlier of the pidgin-otr plugin contain
a format string security flaw. This flaw could potentially be
exploited by a remote attacker to cause arbitrary code to be
executed on the user's machine.
The flaw is in pidgin-otr, not in libotr. Other applications
that use libotr are not affected.
 |
14:24 wxs
Document sudo netmask vulnerability. Patch for port forthcoming.
 |
07:40 dinoex
- Security update OpenSSL 1.0.1c
 |
Tuesday, 15 May 2012
|
18:39 rene
Document vulnerabilities for www/chromium < 19.0.1084.46
Security: CVE-2011-[3083-3097], CVE-2011-[3099-3100]
 |
Monday, 14 May 2012
|
21:18 zi
- Document vulnerability in net/socat (CVE-2012-0219)
 |
20:37 eadler
Fix pivotx vuln.xml
 |
Saturday, 12 May 2012
|
21:48 zi
- 59b68b1e-9c78-11e1-b5e0-000c299b62e1 also applies to lang/php52
 |
21:35 zi
- Document recent vulnerabilities in PHP (CVE-2012-2311 and CVE-2012-2329)
 |
16:24 marcus
Add an entry for CVE-2012-2214 for an XMPP crash in libpurple.
 |
14:23 sbz
- Document CVE-2012-2274 for port www/pivotx
PR: ports/167819
Submitted by: Fumiyuki Shimizu <fumifumi at abacustech.jp>
Security: CVE-2012-2274
 |
Friday, 11 May 2012
|
08:53 danfe
Belated VuXML entry for recent NVIDIA Unix driver arbitrary system memory
access vulnerability.
Reviewed by: eadler, delphij
Security: CVE-2012-0946
 |
Wednesday, 9 May 2012
|
23:27 swills
- Add entry for rubygem-mail
 |
Tuesday, 8 May 2012
|
20:53 rm
Revert my "correction" for php52. All the 5.2.x are still affected by the NULL
poison bug. Just tested both latest 5.2 and 5.3 with the script from here:
https://bugs.php.net/bug.php?id=39863
Sorry.
 |
20:23 rm
Mark php52 >= 5.2.15 as not vulnerable to NULL byte poisoning [1]. This problem
was fixed in 5.3.4 and 5.2.15 simultaneously.
[1] http://www.vuxml.org/freebsd/3761df02-0f9c-11e0-becc-0022156e8794.html
Reported by: Svyatoslav Lempert <svyatoslav.lempert at gmail dot com>
 |
02:20 swills
- Add entry for www/node
 |
01:54 swills
- Add entry for p5-Config-IniFiles
 |
Sunday, 6 May 2012
|
15:45 eadler
Add references for the portupgrade advisory. Some code actually expects content
in this section.
Reported by: dvl
Reviewed by: wxs,zi
 |
Saturday, 5 May 2012
|
13:53 simon
Unbreak vuln.xml format.
While here fix a long line.
Pointyhat: scheidell
 |
13:21 scheidell
- Account for repocopy of php5 -> php53
- Account for php52 backport fix
- Add entry for php54 (which will be named php5)
Submitted by: scheidell@ (me)
 |
11:12 scheidell
- Third time the charm. remove extra (
Submitted by: scheidell@ (me)
 |
11:02 scheidell
- All versions of PHP between 2004 release and May 3rd, 2012 are vulnerable to
cmdarg attacks
- Note: PHP 5.2.12 and 5.4.2 were created to address this issue, but did not.
- See WWW: http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
- An additional, unreleased version is needed.
Submitted by: scheidell@ (me)
Obtained from: WWW:www.php.net/archive/2012.php#id2012-05-03-1
Security: CVE-2012-1823
 |
02:04 eadler
Fix PHP entry to match the actual package name
Submitted by: simon
 |
Wednesday, 2 May 2012
|
15:33 glarkin
- Document www/webcalendar-devel - multiple vulnerabilities
Requested by: eadler, Hanno Boeck <hanno@hboeck.de>
 |
Tuesday, 1 May 2012
|
12:56 rene
Document vulnerabilities in www/chromium < 18.0.1025.168
Obtained from:
http://googlechromereleases.blogspot.com/search/label/Stable%20updates
Security: CVE-2011-[3078-3081], CVE-2012-1521
 |
Monday, 30 Apr 2012
|
22:03 swills
- Document vulnerability in lang/php5
 |
17:51 delphij
Document samba incorrect permission checks vulnerability.
 |
03:03 eadler
Inform users that ports-mgmt/portupgrade-devel had unchecked distinfo
 |
Friday, 27 Apr 2012
|
02:45 zi
- Document vulnerability in net-mgmt/net-snmp (CVE-2012-2141)
 |
Tuesday, 24 Apr 2012
|
17:51 beat
- Document mozilla -- multiple vulnerabilities
 |