23:29 shaun 

Document opera -- Data URIs can be used to allow cross-site scripting.

Assume opera-devel is vulnerable too, although snapshots aren't
mentioned in the advisory, and it's months out of date.

Feature safe:   yes

12:54 niels 

- Cancelled movemail symlink vulnerability (doesnt affect our ports)
- Added entry for multiple vulnerabilities in cacti 0.8.7f
- Updated ziproxy entry to satisfy "make tidy"

Approved by:    itetcu (mentor, implicit)
Feature safe:   yes

18:01 beat 

- Document mozilla -- multiple vulnerabilities

Feature safe:   yes
Approved by:    delphij

00:38 delphij 

vuln 4e8344a3-ca52-11de-8ee8-00215c6a37bb has been fixed with
php4-gd-4.4.9_4.

Requested by:   Michael Gmelin <mg bindone de>

12:42 erwin 

Fix typo in previous revision.

12:13 miwi 

- Cleanup, Formating

09:31 dinoex 

add CVE-2009-2347 tiff

19:46 nox 

Document linux-flashplugin -- multiple vulnerabilities.

Reviewed by:    tmclaugh

03:04 miwi 

- Cleanup / Whitespace fixes

17:22 erwin 

Remove empty package in previous revision.

16:44 dinoex 

- report FAX3 decoder buffer overrun

00:10 wxs 

Document sudo secure path vulnerability. We are not vulnerable to this by
default but a user could build sudo with SUDO_SECURE_PATH defined or turn
it on in sudoers.

11:24 pav 

- Update to 3.0.1

PR:             ports/147195
Submitted by:   Pavel Pankov <pankov_p@mail.ru> (maintainer)

06:20 wen 

- Document two mediawiki security vulnerabilities

Approved by:    delphij@(ports-security override)

18:28 decke 

- Document multiple redmine vulnerabilities

Approved by:    miwi (secteam), beat (co-mentor)
Security:       http://www.redmine.org/news/39

09:12 niels 

Updated tomcat entry (CVE-2010-1157) with fixed version information.
This makes sure that the correct older versions are marked vulnerable

Approved by:    itetcu (mentor, implicit)
Security:      
http://www.vuxml.org/freebsd/3383e706-4fc3-11df-83fb-0015587e2cc1.html

09:46 niels 

- Added 109 missing CVE names to 60 VuXML entries
- Fixed Tomcat55 entry to mark current PORTREVISION vulnerable

PR:             ports/146418
Approved by:    itetcu (mentor, implicit)
Security:       http://people.freebsd.org/~niels/vuxml/

19:53 niels 

Added wireshark (DoS) and piwik (XSS) issues

Approved by:    itetcu (mentor, implicit)
Security:       http://www.wireshark.org/security/wnpa-sec-2010-03.html
Security:       http://www.wireshark.org/security/wnpa-sec-2010-04.html
Security:       http://piwik.org/blog/2010/04/piwik-0-6-security-advisory/

19:44 niels 

Added spamass-milter remote command execution vulnerability

Approved by:    itetcu (mentor, implicit)
Security:       CVE-2010-1132
Security:      
http://archives.neohapsis.com/archives/fulldisclosure/2010-03/0139.html

19:12 niels 

- Added mediawiki and lxr vulnerabilities
- Fixed vlc topic format (lower case, portname first)

PR:             ports/146337
Approved by:    itetcu (mentor, implicit)
Security:      
http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-April/000090.html
Security:      
http://sourceforge.net/mailarchive/message.php?msg_name=E1NS2s4-0001PE-F2%403bkjzd1.ch3.sourceforge.com

20:46 niels 

Added 38 missing CVE names to 24 VuXML entries
(256 CVE names to go)

Approved by:    itetcu (mentor, implicit)
Security:       http://people.freebsd.org/~niels/vuxml/

15:32 niels 

Added 34 missing CVE names to 24 VuXML entries
(294 CVE names to go)

Approved by:    miwi (secteam)
Security:       http://people.freebsd.org/~niels/vuxml/

00:52 sylvio 

- VideoLAN has released 1.0.6 to address serveral vulnerabilities they discoverd
while working towards the 1.1.0 release. These vulnerabilities could potentially
allow for a specially crafted file to execute code.

PR:             ports/146099
Submitted by:   Joseph S. Atkinson <jsa@wickedmachine.net> (maintainer)

04:25 dinoex 

- fix version for apache+mod_ssl

04:24 dinoex 

- fix info for apache+mod_ssl

21:09 makc 

Mark kdebase3 as safe now.

05:46 niels 

- Documented multiple Joomla! vulnerabilities
- Added new reference to the recent cacti issue

Approved by:    remko (secteam)
Security:       http://developer.joomla.org/security/

21:14 niels 

Documented vulnerabilities in moodle, tomcat55, tomcat66 and cacti

PR:             ports/146021
PR:             ports/146022
Approved by:    remko (secteam)
Security:       http://seclists.org/bugtraq/2010/Apr/200
Security:       http://docs.moodle.org/en/Moodle_1.9.8_release_notes
Security:       http://www.bonsai-sec.com/en/research/vulnerability.php

18:16 niels 

Documented emacs movemail vulnerability and marked the seperate
mail/movemail port vulnerable to an old format string vulnerability.

Approved by:    remko (secteam)
Security:       http://www.ubuntu.com/usn/USN-919-1

20:19 niels 

Added krb5 double free vulnerability

Approved by:    remko (secteam)
Security:       http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-004.txt
Security:       CVE-2010-1320

21:03 niels 

Documented the following vulnerabilities:
- png: libpng decompression denial of service
- e107: code execution and XSS vulnerabilities
- pidgin: multiple remote denial of service vulnerabilities
- fetchmail: denial of service vulnerability

PR:             ports/145885
PR:             ports/145857
Approved by:    remko (secteam)
Security:       CVE-2010-0996
Security:       CVE-2010-0997
Security:       CVE-2010-1167
Security:       CVE-2010-0277
Security:       CVE-2010-0420
Security:       CVE-2010-0423
Security:       CVE-2010-0205

19:06 niels 

Documented the following vulnerabilities:
- curl: libcurl buffer overflow vulnerability
- irssi: multiple vulnerabilities
- ejabberd: queue overload denial of service vulnerability

Approved by:    remko (secteam)
Security:       http://curl.haxx.se/docs/adv_20100209.html
Security:       http://support.process-one.net/browse/EJAB-1173
Security:       http://xforce.iss.net/xforce/xfdb/57790
Security:       http://xforce.iss.net/xforce/xfdb/57791

07:13 niels 

- Added three krb5 vulnerabilities
- Fixed indent on mahara entry
- Fixed title of KDM entry

Approved by:    remko (secteam)
Security:       http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-001.txt
Security:       http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-002.txt
Security:       http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-003.txt

19:00 niels 

Document mahara sql injection vulnerability

Approved by:    remko (secteam)
Security:       http://www.debian.org/security/2010/dsa-2030

02:25 wxs 

Correct CVE entry. The advisory from Todd[0] says CVE 2010-0426, which is
the entry assigned to the original sudoedit vulnerability[1]. The new
one (CVE-2010-1163) was just assigned. I believe the one assigned by CVE
folks is the proper one to use.

[0]: http://sudo.ws/sudo/alerts/sudoedit_escalate2.html
[1]: 018a84d0-2548-11df-b4a3-00e0815b8da8

20:53 wxs 

- Document sudo privilege escalation bug. This is similar to
  018a84d0-2548-11df-b4a3-00e0815b8da8.

21:46 avilla 

- Do not match x11/kdebase4 in latest KDM vulnerability.

Approved by:    tabthorpe (mentor)

19:04 avilla 

- Document KDM local privilege escalation vulnerability.

Approved by:    tabthorpe (mentor), delphij (secteam)

17:53 glarkin 

- Document dojo - cross-site scripting and other vulnerabilities
- Document ZendFramework - security issues in bundled Dojo library

Approved by:    secteam (remko)
Security:      
http://dojotoolkit.org/blog/post/dylan/2010/03/dojo-security-advisory/
Security:       http://framework.zend.com/security/advisory/ZF2010-07

07:36 beat 

- Document firefox -- Re-use of freed object due to scope confusion

Submitted by:   Florian Smeets <flo AT smeets.im>
Approved by:    miwi

22:25 beat 

- Document mozilla -- multiple vulnerabilities

Approved by:    delphij

21:45 delphij 

Document postgresql bitsubstr overflow vulnerability

18:48 naddy 

Document a buffer overflow in gtar's rmt client functionality.

08:36 beat 

- Document firefox -- WOFF heap corruption due to integer overflow

Approved by:    miwi

21:31 niels 

Updated the xzgv entry: 0.9 version (now in portstree) is not vulnerable

Approved by:    itetcu (mentor), miwi (secteam)
Security:      
http://www.vuxml.org/freebsd/a813a219-d2d4-11da-a672-000e0c2e438a.html
Security:       http://www.gentoo.org/security/en/glsa/glsa-200604-10.xml

10:16 miwi 

- Fix build

07:39 beat 

- Document mozilla -- multiple vulnerabilities
- Fix a typo

Approved by:    miwi

01:45 delphij 

Document eGroupware vulnerabilities.

Submitted by:   wenheping

22:50 miwi 

- Document drupal -- multiple vulnerabilities

Feature safe:   yep

17:47 wxs 

- Document sudo privilege escalation vulnerability when using
  pseudo-command sudoedit

Feature safe:   yes

20:25 nox 

Attempt to properly take care of the ooo3 -RC and -devel ports too (doh!)

Feature safe:   yes

13:07 beat 

- Document thunderbird3 vulnerabilities

Approved by:    miwi
Feature safe:   yes

21:20 nox 

Document openoffice -- multiple vulnerabilities

Reviewed by:    delphij
Feature safe:   yes

10:02 beat 

- Document mozilla -- multiple vulnerabilities

Approved by:    miwi (secteam)
Feature safe:   yes

18:06 delphij 

Document lighttpd remote DoS vulnerability.

Reported by:    Dan Rowe <dan dracosplace com>
Feature safe:   yes

06:29 delphij 

Update www/squid and www/squid30 to address Squid HTCP Packet Processing
NULL Pointer Dereference vulnerability (SQUID-2010:2)

21:55 nox 

Document linux-flashplugin -- multiple vulnerabilities.

Reviewed by:    miwi

10:29 kwm 

Add CVE-2010-0414 and CVE-2010-0422 for gnome-screensaver.

Reviewed by:    miwi@

14:25 mandree 

Fix range for fetchmail CVE-2010-0562.

Approved by: miwi@ (mentor)

09:56 mandree 

Add CVE-2010-0562 entry for mail/fetchmail.

Approved by: miwi (mentor).

00:47 delphij 

Document wireshark lwres buffer overflow vulnerability.

Reported by:    Andreas <akoga hawaii edu>

16:38 skv 

Document "otrs" - SQL injection.

23:25 pgollucci 

- add the rest of the apache 1.3.x packages to the list
  that are vulnerable
- add a missing ) to the <topic>

Reviewed by:    secteam (miwi)

22:24 pgollucci 

- document chunk-size integer overflow in apache 1.3.x

21:47 pgollucci 

- remove extraneou '>' as reported by make tidy

22:42 miwi 

- Mark squid30 now as safe

09:44 miwi 

- Update 296ecb59-0f6b-11df-8bab-0019996bc1f7 entry and makr squid3* as safe

20:25 delphij 

Security patch for Squid advisory 2010:1, denial of service.

Submitted by:   maintainer (Thomas-Martin Seck <tmseck web de>)

16:45 skv 

Document "bugzilla" - information leak.

21:20 miwi 

- Correct fixed version from previous entry

21:15 miwi 

- Document irc-ratbox -- multiple vulnerabilities

PR:             based on 143242
Submitted by:   moggie <moggie@elasticmind.net>

19:52 beat 

- Document thunderbird3 vulnerabilities

Reviewed by:    miwi

17:45 delphij 

Document dokuwiki multiple vulnerabilities.

03:32 glarkin 

- Added entry for multiple vulnerabilities in www/zend-framework
- Cleaned up some entries reported by "make tidy"

Reviewed by:    secteam (delphij via email)
Approved by:    secteam (delphij via email)
Security:       http://framework.zend.com/security/advisory/ZF2010-06
Security:       http://framework.zend.com/security/advisory/ZF2010-05
Security:       http://framework.zend.com/security/advisory/ZF2010-04
Security:       http://framework.zend.com/security/advisory/ZF2010-03
Security:       http://framework.zend.com/security/advisory/ZF2010-02
Security:       http://framework.zend.com/security/advisory/ZF2010-01
Security:       http://framework.zend.com/security/advisory/ZF2009-02
Security:       http://framework.zend.com/security/advisory/ZF2009-01

10:55 delphij 

Document powerdns-recursor multiple vulnerabilities.

23:23 delphij 

Document pear-Net_Ping and pear-Net_Traceroute arbitrary command execution
vulnerability.

16:29 erwin 

Bump copyright year to 2010

19:19 miwi 

- Document drupal -- multiple cross-site scripting

21:48 stas 

- Document sysutils/fuser privileges check vulnerability.

18:19 delphij 

Document monkey remote DoS vulnerability.

10:45 miwi 

- Fix a typo (s/opensll/openssl)

Reported by:    pluknet <pluknet@gmail.com>

22:40 delphij 

Document php multiple vulnerabilities.

Sponsored by:   iXsystems, Inc.

00:24 delphij 

Document PostgreSQL multiple vulnerabilities.

Sponsored by:   iXsystems, Inc.

00:04 delphij 

Add tptest pwd remote buffer overflow vulnerability.

Submitted by:   Mark Foster <mark foster cc>
PR:             ports/131938

10:44 miwi 

- Document mozilla -- multiple vulnerabilities

02:27 delphij 

Make the problem more visible by choosing a more descriptive subject.

00:39 delphij 

Document freeradius remote packet of death exploit (CVE 2009-3111)

Submitted by:   "Danilo G. Baio" <dbaio bs2 com br>
PR:             ports/141318

16:12 beat 

- Mark Seamonkey 2.0 as safe

Reviewed by:    miwi

18:12 beat 

- Mark linux-firefox-devel as safe

Reviewed by:    miwi

11:08 miwi 

- Fix build

10:58 wen 

- Document pligg -- Cross-Site Scripting and Cross-Site Request Forgery

15:27 miwi 

- Document piwik -- php code execution

Requested by:   wen

15:14 miwi 

- Fix previous entrys (formating etc)

15:27 wxs 

- Document dovecot insecure directory permissions

00:32 nox 

Document linux-flashplugin -- multiple vulnerabilities.

Reviewed by:    miwi

23:39 stas 

- Document ruby 1.9.1 heap overflow vulnerability.

15:07 skreuzer 

Document session fixation vulnerability in RequestTracker < 3.8.6

Reviewed by:    simon@, wxs@

01:44 kuriyama 

- Add two CVE entries for expat2.

20:09 miwi 

- Document opera -- multiple vulnerabilities

Request by:     itetcu

22:48 kwm 

Fix the libtool entry to include 2.2.6a as vulnerable.