09:33 sem 

- Document skype vulnerabilities
- Document PHP vulnerabilities
- Convert first letters in titles from upcase to lowercase
  in my last additions.

08:44 sem 

- Document CVE-2005-3258:
    Squid FTP Server Response Handling Denial of Service

19:03 sem 

- Document a BASE Basic Analysis and Security Engine vulnerability

18:02 simon 

Back out the accidentally committed white-space modification parts of
rev.  1.869, but keep the lynx entry.

Pointy hat to:  naddy
OK'ed by:       naddy

09:04 barner 

Add entry for "fetchmail -- fetchmailconf local password exposure",
which was fixed with fetchmail-6.2.5.2_1 and above.

22:17 naddy 

Document lynx remote buffer overflow in NNTP header handling.

19:40 sem 

- Fix a ruby vulnerabuility in the safe level settings.

Based on:       ports/87816
Submitted by:   Phil Oleson <oz@nixil.net>

Security:      
http://vuxml.FreeBSD.org/1daea60a-4719-11da-b5c6-0004614cc33d.html

19:53 simon 

Add more references to entry net-snmp -- remote DoS vulnerability.

10:00 simon 

- Mark linux-firefox 1.0.7 as fixed
  wrt. 8665ebb9-2237-11da-978e-0001020eed82 (Mozilla/firefox IDN buffer
  overflow) [1].
- Correct some of the the earlier linux-firefox entries to match
  versions before 1.0.7, not after (whoops)...

Prodded by:     Andrew P. <infofarmer@gmail.com> [1]

19:52 lesi 

Add misc/compat5x to "openssl -- potential SSL 2.0 rollback".

Reviewed by:    simon

17:10 simon 

Also mark xli as vulnerable to xloadimage -- buffer overflows in NIFF
image title handling, and latest port version as fixed.

Reported by:    jkoshy

16:50 simon 

For entry libgadu -- multiple vulnerabilities:

- Mark latest centericq port version as fixed.
- Fix cite in description.

09:09 simon 

For entry zope28 -- expose RestructuredText functionality to untrusted
users:

- Do not match zope 2.7.8 which has been fixed. [1]
- Fix typo in topic.
- Add another reference.

Reported by:    Gerhard Schmidt <estartu augusta de> [1]

13:41 simon 

Add another reference to clamav -- arbitrary code execution and DoS
vulnerabilities entry.

13:52 naddy 

Document x11/xloadimage buffer overflows in NIFF image title handling.

18:17 nectar 

Rename all CAN-yyyy-nnnn to CVE-yyyy-nnnn, with the exception of text
inside <blockquote>s.
See <URL:http://www.cve.mitre.org/cve/renumber.html>.

19:45 simon 

For entry: snort -- Back Orifice preprocessor buffer overflow vulnerability:
- Sort references.
- Add ISS advisory to references.

17:42 simon 

- Document snort -- Back Orifice preprocessor buffer overflow vulnerability.
- Use standard topic format for webcalendar entry.
- Fix package name in webcalendar so it matches the actual package
  name.

21:57 sem 

- Document www/webcalendar vulnerability.

21:38 sem 

- Document www/gallery2 vulnerability.

22:53 simon 

Improve last couple of entries:
- Use standard topic format.
- Fix packagename in phpmyadmin and zone entries.
- Fix indention and remove EOL white-space.
- Make lead in a bit more verbose.
- Add more references to phpmyadmin issue.
- Remove some redundant quoted text in zope issue.

14:51 mnag 

Add entry for openssl
Remove entry about safe mode in phpmyadmin

00:24 mnag 

Add entry for phpmyadmin (PMASA-2005-4)

00:12 mnag 

Fix typo with range values

00:01 mnag 

Add entry from zope28

21:03 simon 

For libxine -- format string vulnerability entry:
- Add reference to xine security announcement.
- Fix indention on a few lines.

16:14 nobutaka 

Add an entry for libxine format string vulnerability.

10:14 simon 

Mark older revisions linux_base-suse 9.3 as vulnerable to kdebase --
Kate backup file permission leak.

07:31 sergei 

- Mark cfengine's arbitrary file overwriting vulnerability as fixed in 2.1.6_1
- Add another possible variant of package name - cfengine2

17:44 thierry 

Add an entry for UW-IMAP Mailbox Name Handling Remote Buffer Overflow
Vulnerability (CAN-2005-2933).

15:55 ehaupt 

Add credit for recent ftp/weex incident

Approved by:    novel (mentor)

13:23 garga 

rinetd >= 0.62_1 has no more vulnerabilities

20:10 remko 

Add references to three squid entries.

Submitted by:           Thomas-Martin Seck <tmseck at netcologne dot de>
                        (except for the bid's which i added myself).

17:46 simon 

Use the <freebsdpr> tag to markup a PR in weex -- remote format string
vulnerability entry.

16:11 jylefort 

Document a format string vulnerability in ftp/weex.

07:45 simon 

Document picasm -- buffer overflow vulnerability.

16:43 nobutaka 

Add an URL to the entry of the japanese/uim.

16:35 nobutaka 

Document japanese/uim privilege escalation vulnerability.

15:21 simon 

Document cfengine -- arbitrary file overwriting vulnerability.

10:17 remko 

Mark zsync <= 0.4.1 vulnerable to the zlib buffer overflow vulnerability.

Inspired by:            gordon's commit

08:40 simon 

Add more references to unace -- multiple vulnerabilities entry.

07:14 simon 

Add CVE name to an older ProZilla entry.

20:01 simon 

Add more references for latest phpmyfaq entry.

19:31 simon 

- Add a note that new entries, per convention, should be added to the
  start of this file.

For latest phpmyfaq entry:

- Use port directory name as first part of topic.
- No need to include information about affected releases in topic
  (it's somewhat redundant and makes the title longer).
- Reindent body with standard FreeBSD Doc Project (more or less)
  style.

22:54 vsevolod 

Document vulnerabilities in www/phpmyfaq

09:22 remko 

Add linux_base-suse-9.3 to the zlib entry.

Inspired by:            trevors commit.

08:31 simon 

Document clamav -- arbitrary code execution and DoS vulnerabilities.

21:44 simon 

- Be consistent and call entries "firefox & mozilla", not the other way
  around.
- Mark latest linux-mozilla port as fixed for recent mozilla
  vulnerabilities.

19:19 simon 

- Document mozilla & firefox -- multiple vulnerabilities.
- Add Mozilla Foundation Security Advisory references to two other
  firefox/mozilla entries.

23:03 simon 

Add real references to urban -- stack overflow vulnerabilities.

22:31 simon 

Document mozilla & firefox -- command line URL shell command injection.

21:59 simon 

Add CVE name for tor -- diffie-hellman handshake flaw.

21:46 simon 

Correct package name for entry bind -- buffer overrun vulnerability.

21:15 simon 

Add CVE name to an older CUPS issue.

16:12 remko 

Fix the htdig entry, the port version and the VuXML version did not
align.

Reported by:            Nic Bellamy <nic at bellamy dot co dot nz>

16:09 remko 

Fix the squirrelmail entry since only versions prior to 1.4.5 were
affected. Bump modification date accordingly.

Reported by:            Avinash Piare <avinash at piare dot org>

19:08 remko 

Document the following items:

o apache -- Certificate Revocation List (CRL) off-by-one vulnerability
o squirrelmail -- _$POST variable handling allows for various attacks

Reviewed by:            simon

20:14 pav 

- Add an entry on possible DOS condition regarding NTLM in squid

PR:             ports/86179
Submitted by:   Thomas-Martin Seck <tmseck@netcologne.de>

22:22 lesi 

Document X11 server -- pixmap allocation vulnerability.

Reviewed by:    simon

20:18 remko 

Document unzip -- permission race vulnerability. [1]

Update the recent htdig entry with it's corrected version.

Reviewed by:            simon [1]

20:55 simon 

Document firefox & mozilla -- buffer overflow vulnerability.

Prodded by:     pav

08:46 lawrance 

Mark the latest version of cups-base fixed for "xpdf -- disk fill DoS
vulnerability"

15:24 remko 

Add forgotten </package> line.

Spotted by:             simon

15:16 remko 

Mark b2evolution prior to 0.9.0.12_2 vulnerable to the XML_RPC remote php code
injection vulnerability.

Inspired by:            pav's commit, updating the port.

09:03 remko 

Document htdig -- cross site scripting vulnerability.

Reviewed by:    simon

07:54 sem 

- Document two squid security related issues.

PR:             ports/85688
Submitted by:   Thomas-Martin Seck <tmseck@netcologne.de> (squid maintainer)

19:05 remko 

Document bind9 -- denial of service.
Also merge the FreeBSD-SA-05:12.bind9 advisory in the entry. [1]

Suggested by:           simon [1]
Reviewed by:            simon

18:06 remko 

Document bind -- buffer overrun vulnerability

13:10 simon 

Add a more or less bogus reference section to the last entry, to make it
a valid entry.  The reference simply references the VuXML entry itself,
but at least it fixes the build for now.

Missed by:      simon

12:59 jylefort 

Document stack overflow vulnerabilities in games/urban.

Approved by:    simon

20:47 simon 

Mark latest evolution port version as fixed wrt. evolution -- remote
format string vulnerabilities.

15:10 kuriyama 

Add entry for fswiki's vuln.

08:11 niels 

Dante 1.1.15 is no longer affected by the fd_set bitmap index overflow.
Updated the version in VuXML (was 0).

Approved by:    nectar (mentor)

20:48 simon 

- Fill out part of the std. VuXML template missed in the last entry.
- Mark acroread 7.0.1 as fixed for acroread -- XML External Entity
  vulnerability. [1]

Reported by:    Sverre H. Huseby [1]

22:25 simon 

Document evolution -- remote format string vulnerabilities.

Approved by:    portmgr (blanket, VuXML)

21:54 simon 

Document pam_ldap -- authentication bypass vulnerability.

Approved by:    portmgr (blanket, VuXML)

18:17 simon 

Mark phpgroupware as vulnerable to pear-XML_RPC -- remote PHP code
injection vulnerability.

Reported by:    olgeni
Approved by:    portmgr (blanket, VuXML)

21:24 simon 

Document pcre -- regular expression buffer overflow.

Approved by:    portmgr (blanket, VuXML)

20:26 simon 

Mark latest awstats port as fixed for awstats -- arbitrary code
execution vulnerability.

Approved by:    portmgr (blanket, VuXML)

19:07 sem 

Document mail/elm remote buffer overflow vulnerability.

PR:             ports/85225
Submitted by:   Kevin Day <toasty@dragondata.com> (elm maintainer)
Approved by:    portmgr (blanket, VuXML)

09:58 remko 

Document four vulnerabilities in openvpn:

* openvpn -- multiple TCP clients connecting with the same certificate at the
same time can crash the server
* openvpn -- denial of service: malicious authenticated "tap" client
can deplete server virtual memory
* openvpn -- denial of service: undecryptable packet from authorized client can
disconnect unrelated clients
* openvpn -- denial of service: client certificate validation can disconnect
unrelated clients

Approved by:    portsmgr (blanket VuXML)
Submitted by:   Matthias Andree <matthias dot andree at gmx dot de>

20:01 simon 

Also mark phpAdsNew as affected by "pear-XML_RPC -- remote PHP code
injection vulnerability".

Approved by:    portmgr (blanket, VuXML)

19:46 remko 

Add the fixed version so that people do not get a stale portaudit when the
update is there.
Also fix some indentation that i overlooked.

Noticed by:             simon (both of the items)
Approved by:            portsmgr (blanket VuXML)

19:34 remko 

Document tor -- diffie-hellman handshake flaw.

Submitted by:           Michal Bartkowiak <michal at nonspace dot net>
Approved by:            portsmgr (blanket VuXML)

21:19 simon 

gpdf has been fixed for "xpdf -- disk fill DoS vulnerability", mark it
as such.

Approved by:    portmgr (blanket, VuXML)

20:56 simon 

Add eGroupWare to the list of packages affected by "pear-XML_RPC --
remote PHP code injection vulnerability".

Approved by:    portmgr (blanket, VuXML)

18:43 simon 

Document acroread -- plug-in buffer overflow vulnerability.

Approved by:    portmgr (blanket, VuXML)

20:38 simon 

Add phpmyfaq and drupal to the "pear-XML_RPC -- remote PHP code
injection vulnerability" entry since they contain an embedded version of
pear-XML_RPC.

Fix typo in body of the latest xpdf entry (note: no modified date bump
as this is a minor typo fix which does change <affects>).

Approved by:    portmgr (blanket, VuXML)

13:20 simon 

Document pear-XML_RPC -- remote PHP code injection vulnerability.

Submitted by:   hrs
Approved by:    portmgr (blanket, VuXML)

21:09 simon 

Document awstats -- arbitrary code execution vulnerability.

Approved by:    portmgr (blanket, VuXML)

16:38 simon 

After further examination it turns out that gnugadu does not include
libgadu, at least not any in any current version, and from looking at
the gnugadu code there is no direct indication that this code should
actually be vulnerable to the other libgadu vulnerabilities. [1]

The gaim part of libgadu -- multiple vulnerabilities was fixed in
1.4.0_1. [2]

Polish translation clue:        pjd [1]
General clue by:                markus [2]
Not enough checking:            simon
Approved by:                    portmgr (blanket, VuXML)

14:45 simon 

Remove pl-gnugadu2 and kadu from being affected by libgadu -- multiple
vulnerabilities, since it turns out that they use libgadu from the ekg
port.

Approved by:    portmgr (blanket, VuXML)

14:21 simon 

Document libgadu -- multiple vulnerabilities.

Approved by:    portmgr (blanket, VuXML)

11:26 simon 

Document gaim -- AIM/ICQ away message buffer overflow and gaim --
AIM/ICQ non-UTF-8 filename crash.

Approved by:    portmgr (blanket, VuXML)

10:42 simon 

Remove pdftohtml from the list of packages affected by xpdf -- disk
fill DoS vulnerability, since it includes xpdf 2, which should not be
affected.

Approved by:    portmgr (blanket, VuXML)

22:18 simon 

Document xpdf -- disk fill DoS vulnerability.

Approved by:    portmgr (blanket, VuXML)

12:40 simon 

Mark apache 1.3.33_2 as fixed for apache -- http request smuggling.

Approved by:    portmgr (blanket, VuXML)

11:51 simon 

Document gforge -- XSS and email flood vulnerabilities.

Approved by:    portmgr (blanket, VuXML)

22:19 simon 

Document postnuke -- multiple vulnerabilities.

Approved by:    portmgr (blanket, VuXML)

13:32 simon 

Document mambo -- multiple vulnerabilities.

Approved by:    portmgr (blanket, VuXML)