06:54 rea 

Document CVE-2010-4345: local exim -> root escalation

PR: 152983
Feature safe: yes
Reviewed by: remko (secteam)
Approved by: erwin (mentor), remko (secteam)

07:01 miwi 

- Cleanup

06:35 wen 

- Document the Clickjacking vulnerabilities of mediawiki

14:31 erwin 

Bump copyright year.

17:13 kwm 

Document webkit-gtk2 multiple vulnerabilities < 1.2.6.

Document some CVE's that didn't make it to release notes from older releases.

19:50 delphij 

Document django multiple vulnerabilities.

06:34 remko 

Add Drupal views plugin - Cross Site Scripting (XSS).

While here, improve previously added vuln entry by
following style a bit better.

PR:             153474
Submitted by:   rea

14:12 decke 

- Document redmine -- multiple vulnerabilities

16:10 remko 

Add Tor remote crash and the possibility of remote code execution.

Submitted by:   Janne Snabb <snabb at epipe dot com>

18:11 delphij 

Update to properly cover php52.

Noticed by:     Chris St Denis <chris smartt com>

23:48 glarkin 

- Document JavaScript injection exploits in Yahoo UI (YUI) library

23:44 delphij 

Document PHP multiple vulnerabilities

11:48 beat 

- Document mozilla -- multiple vulnerabilities

01:02 stas 

- Document recent MIT krb5 checksum handling vulnerabilities.

18:02 rene 

Document the known vulnerabilities for www/chromium.

The [numbers] in the entry represent bug numbers which are clickable at
the referenced site, but most of them give a 403.

04:29 osa 

Document ProFTPD compromised source packages backdoor security issue.

03:00 sunpoet 

- Document phpMyAdmin XSS attack in database search

18:27 wxs 

Document net/isc-dhcp41-server DHCPv6 DoS. The update to the port is coming
shortly.

06:07 danfe 

Add entry for CVE-2010-4168: denial of service (server/client) via invalid
read in OpenTTD.

PR:             ports/152529
Submitted by:   kwm

04:54 danfe 

- Kill EOL whitespace and reformat to fit in standard terminal width better
- Clean up the way <p>...</p> tags are used throughout the file for consistency

19:02 thierry 

Add an entry for www/horde-base VCARD attachments XSS vulnerability.

Security:       VuXML: a3314314-f731-11df-a757-0011098ad87f

17:42 simon 

Fix discovery date in last entry.

Pointy hat to:  remko

16:38 remko 

Add proftpd remote root vulnerability.

Based on:       Vladimir Nikolic <vladimir dot nikolic at amis dot net>
Feature proof:  yes
With hat:       secteam

11:09 dinoex 

- add security/openssl CVE-2010-3864

17:55 nox 

- Update to 10.1r102 resp. 9.0r289.
- Drop MD5 hashes from distinfos

Security:      
http://www.freebsd.org/ports/portaudit/76b597e4-e9c6-11df-9e10-001b2134ef46.html
Reported by:    Matthias Apitz on -emulation

04:08 delphij 

Add wireshark CVE-2010-3445.

PR:             ports/151891
Submitted by:   Eygene Ryabinkin

01:50 sunpoet 

- Limit affected version of dovecot to 1.2.* before 1.2.8
  (vid: 30211c45-e52a-11de-b5cd-00e0815b8da8)

Reported by:    Adam McDougall <mcdouga9@egr.msu.edu>
Reference:     
http://www.dovecot.org/list/dovecot-news/2009-November/000143.html

20:29 wxs 

Document mailman XSS.

PR:             ports/151918
Submitted by:   Eygene Ryabinkin <rea-fbsd@codelabs.ru>

15:45 skv 

Document "otrs" - multiple XSS and denial of service vulnerabilities.

09:17 beat 

- Document mozilla -- Heap buffer overflow mixing document.write and DOM
  insertion

16:46 dinoex 

- www/opera
PR:             151471
Submitted by:   Arjan van Leeuwen

16:03 sunpoet 

- Add bzip2 integer overflow vulnerability

Approved by:    pgollucci (mentor, implicit)

14:58 wxs 

Add the missing FreeBSD SA entries. We used to add these but stopped a while
back. This should catch us up.

According to cperciva@ the reason we stopped was that it was causing a lot of
false positives. I ran portaudit with these changes and did not see any false
positives but if it turns out to be too noisy I will remove them.

Submitted by:   Christopher J. Umina (private mail)
Approved by:    cperciva@

17:08 rene 

Add monotone denial of service.

Security:       http://www.monotone.ca/NEWS

21:13 pgollucci 

- Add devel/apr0 to list of packages that is affect.

15:12 beat 

- Document mozilla -- multiple vulnerabilities

12:42 kwm 

Add multiple vulnabilities in webkit-gtk2.

05:44 pgollucci 

- set modified date

05:41 pgollucci 

- these 2 urls are covered by the <cvename/> tags

Suggested by:   stas

05:36 pgollucci 

- Fix a minor typo

Reported by:    stas

05:29 pgollucci 

Document devel/apr1's apr-util vunerabilities

Security:       http://secunia.com/advisories/41701
Reviewed by:    secteam (cperciva) via irc

11:16 niels 

Documented phpMyFaq XSS vulnerability

PR:             ports/151055
Submitted by:   Florian Smeets <flo@smeets.im>
Approved by:    itetcu (mentor, implicit)
Security:       http://www.phpmyfaq.de/advisory_2010-09-28.php

18:04 thierry 

Report an XSS vulnerability in ftp/horde-gollem.

17:48 thierry 

Report a XSS vulnerability in mail/horde-dimp.

17:30 thierry 

Report a XSS vulnerability in mail/horde-imp.

17:09 thierry 

Report 2 vulnerabilities in www/horde-base.

13:32 niels 

Documented remote code execution vulnerability in OpenX

PR:             ports/150610
Approved by:    itetcu (mentor, implicit)
Security:       ttp://blog.openx.org/09/security-update/

20:24 niels 

Documented squid denial of service vulnerability

PR:             ports/150364
Submitted by:   Thomas-Martin Seck <tmseck@web.de>
Approved by:    itetcu (mentor, implicit)
Security:       CVE-2010-3072
Security:       http://www.squid-cache.org/Advisories/SQUID-2010_3.txt

17:45 nox 

Update to 10.1r85 resp. 9.0r283 [1].

Security:      
http://www.freebsd.org/ports/portaudit/8a34d9e6-c662-11df-b2e1-001b2134ef46.html
PR:             ports/150832 [2]
Submitted by:   pointyhat via pav [1], Tsurutani Naoki
                <turutani@scphys.kyoto-u.ac.jp> [2]

20:07 delphij 

Correct discovery date, my bad :(

19:31 delphij 

Document django XSS vulnerability.

15:37 decke 

- Add libxul as affected package to the latest mozilla entry

Approved by:    beat (co-mentor)

13:41 jadawin 

- Fix CVE name for webkit-gtk2

13:03 kwm 

Document webkit-gtk2 - multiple vulnerabilities.

Also add 1 extra CVE to the previous webkit-gtk2 entry that was fixed but
didn't make it to the release notes.

03:13 shaun 

Belatedly (and perhaps pointlessly) document [1]:

  vim6 -- heap-based overflow while parsing shell metacharacters

While here, prepare this old port for termination with DEPRECATED.

PR:             ports/129300 [1]
Submitted by:   Eygene Ryabinkin <rea-fbsd@codelabs.ru> [1]

06:51 beat 

- Document mozilla -- multiple vulnerabilities

18:11 wxs 

Document sudo Runas group vulnerability.

16:20 bapt 

- wget 1.12_1 is also concerned

13:57 bapt 

- Add wget entry CVE-2010-2252
- Add lftp entry CVE-2010-2251

14:53 jadawin 

 - Document p5-libwww vulnerability (remote servers can create .(dot) files)

07:49 niels 

Documented quagga vulnerabilities (stack overflow, DoS)

Approved by:    itetcu (mentor,implicit)
Security:       http://www.openwall.com/lists/oss-security/2010/08/24/3
Security:       http://www.quagga.net/news2.php?y=2010&m=8&d=19#id1282241100

16:26 skv 

Document "bugzilla" - information disclosure, denial of service.

07:12 lwhsu 

- Fix version range of phpMyAdmin

Submitted by:   Marko Njezic <mr.max AT maxempire.com>

17:19 danfe 

Adjust the version range in previous entry: 1.0.1 is also vulnerable, and
fix minor whitespace nit while here.

12:30 kwm 

Add entry for OpenTTD denial of server vulnability.

Reviewed by:    danfe@ (OpenTTD maintainer)

21:30 niels 

- Added corkscrew: overflow condition due to insecure sscanf usage
- Fixed SLiM title: /SLiM/slim/

Approved by:    itetcu (mentor, implicit)
Security:       http://people.freebsd.org/~niels/issues/corkscrew-20100821.txt

12:42 lwhsu 

- Add phpMyAdmin's CVE-2010-3056 entry

23:34 stas 

- Fix date of the latest ruby entry.

21:00 niels 

Added CVE to SLiM vulnerability

Approved by:    itetcu (mentor, implicit)
Security:       CVE-2010-2945

21:11 niels 

- Document SLiM insecure PATH assignment issue
- Removed space from vlc title

Approved by:    itetcu (implicit, mentor)
Security:       http://seclists.org/oss-sec/2010/q3/198

06:36 stas 

- Document recent WEBrick XSS vulnerability in ruby.

12:50 bapt 

- Add security/isolate entry

PR:             ports/148911
Submitted by:   Steve Wills <steve _at_ mouf.net> (maintainer)
Approved by:    tabthorpe (mentor)

17:10 shaun 

Fix krb5 entry (86b8b655-4d1a-11df-83fb-0015587e2cc1) version range
mark-up.

Submitted by:   Peggy Wilkins via freebsd-ports

22:43 gabor 

- Fix last entry by adding the forgotten package name.
  (Hint: always run make validate before committing to this file)

Forgotten by:   jsa, kwm

20:51 jsa 

Document VLC CVE-2010-2937.

Approved by:    kwm (mentor)

20:15 nox 

Update to 10.1r82 resp. 9.0r280.

Security:      
http://www.freebsd.org/ports/portaudit/e19e74a4-a712-11df-b234-001b2134ef46.html

15:23 shaun 

Document opera -- multiple vulnerabilities.

09:10 beat 

- Belatedly document firefox -- Dangling pointer crash regression from plugin
  parameter array fix

Approved by:    miwi

14:47 wxs 

Whitespace fixes.

09:32 lwhsu 

- Fix Piwik entry's <name> tag

Pointed out by: jadawin

09:18 lwhsu 

- Add Piwik CVE-2010-2786 entry

12:00 kuriyama 

Previous vuln affects only apache-2.2.x

23:03 gabor 

- Document libmspack and cabextract vulnerability

01:42 kuriyama 

Add entry for apache.

00:37 wxs 

Document buffer overflow when parsing gitdir.
While here, tidy up a whitespace problem.

22:25 glarkin 

- Document www/codeigniter file upload class vulnerability

Approved by:    secteam (timeout - 1 week)
Security:       http://codeigniter.com/news/codeigniter_1.7.2_security_patch/

12:46 beat 

- Document mozilla -- multiple vulnerabilities

Approved by:    remko

00:07 kwm 

Add vte as package name, instead of empty.

23:28 kwm 

Document vte title set+query attack vulnerability.

While here add the CVE numbers to the webkit-gtk2 entry I forgot in the
previous commit.

PR:             ports/148678
Submitted by:   Janne Snabb <snabb@epipe.com>

22:44 kwm 

Document webkit-gtk2 vulnerabilities.

Security:       http://blog.kov.eti.br/?p=116

08:34 decke 

- Document redmine vulnerabilities

Approved by:    miwi (secteam)
Security:       http://www.redmine.org/news/41

09:13 nemoliu 

- Update to 3.1.1
- VuXML entry for PNG decoder security vulnerability
- License information

PR:     ports/147871
Approved by:    Pavel Pankov <pankov_p@mail.ru> (maintainer)
Feature safe:   yes

21:39 delphij 

Add bogofilter heap underrun on malformed base64 input.

Submitted by:   mandree
PR:             ports/148408
Feature safe:   yes

04:38 miwi 

- Cleanup a bit

Feature safe:   yes

15:41 skv 

Document "bugzilla" - information disclosure.

Feature safe:   yes

21:00 makc 

Document multiple vulnerabilities in irc/kvirc*

Approved by:    remko@
Feature safe:   yes

17:38 delphij 

Add bid reference for libpng entry.

Feature safe:   yes

16:18 dinoex 

- graphics/png CVE-2010-1205
Feature safe:   yes

00:46 wen 

- Document moodle -- multiple vulnerabilities

Reviewed by:    delphij@, miwi@
Feature safe:   yes

21:14 rene 

Document mDNSResponder -- corrupted stack crash when parsing bad resolv.conf

This only happens on a system where one has a system where
resolv.conf is writable by an untrusted user or where mdnsd is setuid
and can be tricked into opening an alternate resolv.conf.
PR:             ports/147007
Submitted by:   jmallett@
Approved by:    tabthorpe (mentor)
Feature safe:   yes