13:54 delphij 

Document multiple vulnerabilities found in www/tomcat41

08:00 delphij 

Document dokuwiki spellchecker XSS vulnerabilities

15:09 simon 

Fix last commit: the name tag was empty.

Reported by:    FreshPorts via Dan Langille
Pointyhat to:   delphij

14:10 delphij 

Document lighttpd multiple vulnerabilities

22:27 simon 

Add another reference to mozilla -- multiple vulnerabilities.

21:47 simon 

- Document opera -- multiple vulnerabilities.
- Correct and sort a few links in the latest mozilla entry.

21:23 simon 

Document mozilla -- multiple vulnerabilities.

06:43 delphij 

Document linuxflashplugin critical vulnerabilities.

Reported by:    jamie at bishopston net

14:03 miwi 

- Fix the versions number of typespeed from 4.1.0 to 0.4.1

PR:             114441
Submitted by:   Tor Halvard Furulund <squat@squat.no>

08:27 sat 

- Fix the latest wireshark entries by correcting a typo and adding
  more package names

10:34 miwi 

- Document wireshark - Multiple problems

Reviewed by:    simon@

19:50 gabor 

- Document typespeed arbitrary code execution

Reviewed by:    remko

22:18 miwi 

- Fix a typo vcl -> vlc

Noticed by:     lx@

09:42 miwi 

- Document vlc - format string vulnerability and integer overflow

09:24 miwi 

- Document flac123 - stack overflow in comment parsing

Reviewed by:    simon@

06:06 remko 

Document gd -- multiple vulnerabilities

PR:             ports/114115
Submitted by:   Nick Barkas <snb at threerings dot net> (minor modifications by
me).

07:38 delphij 

Document that CVE-2007-3257 was fixed with evolution-data-server
1.10.2_1.

20:52 sat 

- Fix modified date in mod_perl entry

20:44 erwin 

Mark www/mod_perl2 fixed in version 2.0.3_2,3

10:57 delphij 

Document evolution-data-server remote arbitrary code execution
vulnerability.

Fix at: Evolution SVN changeset 7817 (#447414)

11:34 erwin 

The XMLRPC SQL Injection issue with wordpress was addressed in the
latest release.

17:28 gabor 

Document xpcd buffer overflow vulnerability.

Revieved by:    remko

19:47 remko 

Document clamav -- multiple vulnerabilities.

07:56 delphij 

Document SpamAssassin vulnerability CVE-2007-2873, a local
DoS issue.

18:27 miwi 

- Document cups -- Incomplete SSL Negotiation Denial of Service.

Reviewed by:    simon@

19:47 miwi 

- Fix other duplicate entry.

Reviewed by:    simon

17:46 miwi 

- Document c-ares -- DNS Cache Poisoning Vulnerability

Reviewed by:    simon@

17:44 miwi 

- Fix duplicate entry de-wordpress -> zh-wordpress.

16:13 gabor 

Add zh-wordpress as affected by the last two wordpress entries.

15:07 gabor 

wordpress -- XMLRPC SQL Injection
wordpress -- unmoderated comments disclosure

Reviewed by:    simon

14:07 miwi 

- Document webmin -- cross site scripting

Reviewed by:    simon@

18:34 simon 

- The fixed mplayer version number is 0.99.10_10, mark it as such. [1]
- Add older mplayer package names.
- Break long lines.

Noticed by:     Henrik Brix Andersen <henrik@brixandersen.dk>

08:44 miwi 

- Fix mplayer portversion.

08:42 miwi 

- Document mplayer -- cddb stack overflow.

Reviewed by:    simon@

09:29 gabor 

- Note that plone is also affected by 34414a1e-e377-11db-b8ab-000c76189c4c
  prior to version 2.5.3

Reviewed by:    simon

16:17 gabor 

- gzip 1.3.12 has been patched and is not affected by
  11a84092-8f9f-11db-ab33-000e0c2e438a any more

Reviewed by:    simon

09:38 erwin 

Document an information disclosure vulnerability in mod_jk < 1.2.23.

Reviewed by:    simon

20:56 erwin 

Add an entry for an email header injection vulnerability in
www/typo3 from February.

Reviewed by:    remko
Persuaded by:   cperciva and simon by setting up the
                ports-security team

12:42 miwi 

- Document phppgadmin - Cross Site Scripting Vulnerability.

Reviewed by:    mnag@
Reported by:    dinoex@

19:36 trasz 

- Add entry for findutils -- GNU locate heap buffer overrun.

Revieved by:    simon (secteam)
Approved by:    miwi (mentor)

08:05 delphij 

Mark file < 4.21 as vulnerable to the heap overflow.

00:37 marcus 

Add an entry for the recent Freetype heap overflow vulnerability.

Submitted by:   Nick Barkas <snb@threerings.net>

16:29 remko 

Document FreeBSD-SA-07:04.file (heap overflow in file(1))

Approved by:    portmgr (secteam implicit)

20:08 miwi 

- Document squirrelmail -- Cross site scripting in HTML filter

Approved by:    portmgr (marcus)

21:10 simon 

Document png -- DoS crash vulnerability.

20:22 simon 

Document samba -- multiple vulnerabilities.

Brought to you from Heathrow Airport and BSDCan 2007 Devsummit.

17:31 simon 

Update PHP entry to include the vulnerable version so the entry is
correct for when PHP is updated in ports (yes it's being worked on),
or for people who upgrade "manually".

With hat:       secteam
Requested by:   several

09:12 remko 

Document a lot of PHP vulnerabilities, mark all php4 and php5 (+cli,cgi)
ports as vulnerable till the ports had been upgraded.

08:49 remko 

Bump modification date for the latest mod_perl entry, this was forgotten
by erwin, but there were "massive" changes that warrant a date bump.

16:56 remko 

Standarize the latest entry (qemu) a bit more and add a forgotten 'a'
in the p5-Imager text.

22:49 nox 

Document multiple qemu vulnerabilities

Obtained from:  debian-security-announce@lists.debian.org mailing list
Security:       multiple qemu vulnerabilities

17:51 lbr 

Update to 0.57 - fixes possible overflow vulnerability regarding malformed
BMPs, see vuln.xml for details.

Security:       VuXML ID: 632c98be-aad2-4af2-849f-41a6862afd6a

18:34 remko 

Document FreeBSD -- IPv6 Routing Header 0 is dangerous

19:05 erwin 

Rework the mod_perl entry to note that Mandriva originally released
an advisory.  Also add mod_perl2 to the vulnerable versions.

17:11 erwin 

Minor wordsmithing in the last mod_perl entry.

Submitted by:   simon

17:04 erwin 

Add entry for mod_perl -- remote DOS in PATH_INFO parsing

PR:             111844
Submitted by:   "Philip M. Gollucci" <pgollucci@p6m7g8.com>

14:12 tobez 

p5-Crypt-OpenPGP 1.03_1 should not be vulnerable to CVE-2005-0366.

11:55 sat 

- Mark latest firefox and seamonkey snapshots as safe

10:37 miwi 

- Add entry for claws-mail - APOP vulnerability

15:11 mnag 

lighttpd -- DOS when access files with mtime 0
lighttpd -- Remote DOS in CRLF parsing

15:46 stas 

- Add freeradius-mysql to the list of affected packages of the recent
  freeradius entry.

Submitted by:   David Wood <david@wood2.org.uk>

11:50 flz 

Mark Google Earth >= 4.0.2414 as safe.

08:19 stas 

- Document recent remote dos vulnerability in freeradius.

21:10 simon 

Add an extra reference to the old "gnupg -- OpenPGP symmetric
encryption vulnerability" entry which explains the problem in a more
easy to read way.

Submitted by:   tobez (sort of)

20:05 barner 

Document fetchmail's "insecure APOP authentication" issue (fixed in 6.3.8).

19:58 remko 

Stylify the latest zope entry:

o Use consistent title description
o Use tabs when 8 spaces are hit
o Sort the references list (the alphabet goes from a to z)
o Bump modification date (note: please check the entry date
  so that it matches the correct data of insertion).

Also stylify the latest mcweject entry.

19:45 stefan 

Add entry for exploitable buffer overflow in mcweject.

PR:             111365
Submitted by:   Jeff Forsythe<tornandfilthy2006@yahoo.com>

14:36 stefan 

Add entry for webcalendar "noSet" variable overwrite vulnerability.

PR:             110585
Submitted by:   Greg Larkin <glarkin@sourcehosting.net>

11:16 stefan 

Add entry for Zope2 cross-site scripting vulnerability.

Inspired by:    Yasushi Hayashi<yasi@yasi.to> (in PR 111119)

16:30 sem 

Remove f951cf4a-a1fe-11db-98f9-0004aca3703d entry. It's duplicate to
41da2ba4-a24e-11db-bd24-000f3dcc6a5d.

02:27 sat 

- Fix versions and dates in latest squid entry

Pointy hat to:  miwi

17:07 remko 

Standarise the latest Squid entry.

13:04 miwi 

- Add entry for squid  TRACE method handling denial of service

16:57 simon 

Fix range for sql-ledger entry which I missed in my original review.

11:48 lth 

Document sql-ledger vulnerability

PR:             ports/110350
Submitted by:   Antoine Beaupre <anarcat@koumbit.org>

07:35 remko 

Document cacti -- remote injection exploit

PR:             ports/107838
Submitted by:   Dan Langille <dan at langille dot org>

07:31 remko 

Correct two tdiary entries:

o correct the affected version numbers
o package name of www/tdiary-devel is "tdiary-devel", not "tdiary"
o add ja-tdiary and ja-tdiary-devel to affected packages

PR:             ports/109086
Submitted by:   KOMATSU Shinichiro <koma2 at lovepeers dot org>

07:28 remko 

Document two long forgotten Samba vulnerabilities.

PR:             ports/109049
Submitted by:   KOMATSU Shinichiro <koma2 at lovepeers dot org>

23:00 markus 

ktorrent -- multiple vulnerabilities:
- Add CVE references
- Bump modification date

08:39 remko 

Spell out multiple vulnerabilities instead of specifying the exact
amount (we always do that). Also bump the modification date for
this entry and the PHP entry that had been touched

01:16 markus 

Fix typo in PHP entry

01:11 markus 

Document ktorrent -- two vulnerabilities

02:19 kuriyama 

Add ja-trac-*.

15:52 miwi 

- fix typo

15:48 miwi 

- Add entry for mplayer -- DMO File Parsing Buffer Overflow Vulnerability

Reviewed by:    simon (secteam)

14:34 miwi 

- Add entry for Trac "download wiki page as text" Cross-Site Scripting
Vulnerability.

Reviewed by:    simon@

07:18 simon 

Correct affected versions in "mod_jk -- long URL stack overflow
vulnerability" entry.

Noticed by:     Nick Barkas

23:17 simon 

Document mod_jk -- long URL stack overflow vulnerability.

18:34 simon 

For recent "mozilla -- multiple vulnerabilities" entry:

- Mark Seamonkey 1.1.1 as safe.  While mozilla.org does not clearly
  state this, it does seem to be the case. [1]
- Add another critical vulnerability which wasn't on the web site when
  the vuxml entry was initially added.

Reported by:    Volodymyr Kostyrko [1]

20:10 remko 

Document bind -- Multiple Denial of Service vulnerabilities
Now all Security Advisories are merged again in VuXML.

20:00 remko 

Document FreeBSD -- Jail rc.d script privilege escalation

19:50 remko 

Document: gtar -- name mangling symlink vulnerability

19:46 remko 

Document FreeBSD -- Kernel memory disclosure in firewire(4).

21:08 remko 

Document libarchive -- Infinite loop in corrupt archives handling in
libarchive.

This is also FreeBSD SA-06:24.libarchive, FreeBSD systems are not
affected, only specific STABLE versions which are not released!!

20:24 remko 

Document FreeBSD SA 06:23 OpenSSL - Multiple problems in crypto (3).

21:27 simon 

- Bump modified date for last update in mozilla entry.
- Bump file copyright year.

21:16 ahze 

Extend the latest gecko vulnerabilities to mail/lightning.

18:50 simon 

Fix whitespace which I forgot before committing the last update.

18:30 simon 

Document mozilla -- multiple vulnerabilities.

Note that Seamonkey 1.1 is marked vulnerable under the "better safe than
sorry" principle, since it's not yet clear if Seamonkey 1.1 is
vulnerable to this batch of vulnerabilities.

22:17 simon 

Document snort -- DCE/RPC preprocessor vulnerability.