19:27 nectar 

Nit:
- In most recent `unace' entry, replace HTML entity with the Unicode
  character.  We do not use HTML entities so that a VuXML document may
  be processed without using the DTD.  (We also avoid character entity
  references for more natural grep'ing, sed'ing, and editor searching.)

Corrections:
- An invalid UUID was assigned to a FreeRADIUS vulnerability, and went
  undetected since last October.  (>_<)   Correct it.
- A bnc vulnerability was duplicated.  Cancel the older, less informative
  entry and update the newer entry.

15:37 naddy 

Document unace-1.2b vulnerabilities: buffer overflows, directory traversal.

20:51 simon 

For the the recent kdelibs entry; note that dcopidlng is only used at
build time.

Reported by:    lofi

18:53 simon 

Document heap corruption vulnerabilities in putty.

12:49 simon 

Update affected versions of latest postgresql entry now that the ports
have been fixed.

22:37 simon 

Document insecure temporary file creation in kdelibs.

21:55 simon 

Document format string vulnerability in bidwatcher.

20:37 simon 

Document a directory traversal vulnerability in gftp.

20:14 simon 

- Document two Opera vulnerabilities.
- Update information about fixed version for Opera with regard to
  "Window Injection" issues (based on release notes for Opera 7.54u2).

21:45 simon 

Document multiple buffer overflows in postgresql.

23:39 simon 

Fix entry date for last commit.

23:25 simon 

Document vulnerabilities in awstats.  Note that this entry will most
likely be updated soon when more information becomes available.

20:55 simon 

Add a few more references to the awstats entry.

15:44 nobutaka 

Change affected packages version for the emacs movemail format string
vulnerability since I fixed editors/emacs port by adding a patch
instead of upgrading it to 21.4.

00:10 simon 

Document DoS in powerdns.

23:19 simon 

Document format string vulnerability in the Emacs movemail utility.

11:28 danfe 

- Reflect fixing vulnerability in `net/opendchub'
- Print project's name correctly

09:59 simon 

- Fix a cvename that should have been a certvu.
- Delete trailing white space.
- Fix some nearby formatting while I'm here anyway.

09:21 simon 

Document two vulnerabilities in ngircd.

23:53 simon 

Document mod_python information leakage vulnerability.

20:40 simon 

Document mailman directory traversal vulnerability.

23:29 nectar 

Expand HTML entity reference in latest VuXML entry.

21:59 naddy 

Document enscript-{a4,letter,letterdj} vulnerabilities.

13:37 danfe 

Vulnerability in unrtf is fixed now.

21:33 simon 

Document privilege escalation vulnerability in postgresql.

18:14 simon 

Document multiple protocol dissectors vulnerabilities in ethereal.

14:49 nectar 

Add another squid issue.

PR:             ports/76967
Submitted by:   Thomas-Martin Seck <tmseck@netcologne.de>

14:43 nectar 

Add CERT Vulnerability Note reference for one squid issue,
and correct the reference for another one [1].

Reported by:    Thomas-Martin Seck <tmseck@netcologne.de> [1]

13:48 nectar 

Add CVE name for squid confusing empty ACL issue.

20:02 nectar 

Add US-CERT Vulnerability Note references for recent squid issues.

04:26 perky 

Add missing <code> markups in a citation from PSF-2005-001.

04:09 perky 

Add an entry for PSF-2005-001,
"SimpleXMLRPCServer.py allows unrestricted traversal"

22:30 marcus 

Update the entry for CAN-2005-0064 to indicate that gpdf 2.8.3 has a fix
for this vulnerability.

18:59 nectar 

Note that perl does not have a suidperl by default.

17:38 nectar 

Note vulnerabilities in perl.

15:46 nectar 

Add Bugtraq ID for evolution issue.

17:03 nectar 

Add CVE name for squid WCCP issue.

14:14 nectar 

Add a <modified> tag to the perl File::Path issue since the affected
versions were changed.

Forgotten by: tobez

13:38 tobez 

Narrow perl File::Path vulnerability version range a bit.

09:03 niels 

Documented vulnerabilities found in the newspost, newsfetch and newsgrab ports.

http://people.freebsd.org/~niels/issues/newspost-20050114.txt
http://people.freebsd.org/~niels/issues/newsgrab-20050114.txt
http://people.freebsd.org/~niels/issues/newsfetch-20050119.txt

Approved by:    nectar (mentor)

21:44 nectar 

The latest xpdf buffer overflow has been repaired in an update
to pdftohtml.

Submitted by:   erwin

21:40 nectar 

Add CVE names for recent squid vulnerabilities.

21:43 sem 

squid -- buffer overflow in WCCP recvfrom() call

PR:             ports/76827
Submitted by:   squid maintainer

16:38 simon 

Mark cups-base as fixed wrt. to "makeFileKey2() buffer overflow
vulnerability".

20:25 simon 

Document "makeFileKey2()" buffer overflow vulnerability in xpdf (and
programs embedding xpdf).

16:20 nectar 

pdflib has been corrected.

Noticed by:     Hilko Meyer <Hilko.Meyer@gmx.de>

13:50 nectar 

Document a vulnerability in zhcon.

10:51 simon 

Fix last YAMT entry update to actually make sense... Greater than and
less than are not the same...

Pointy hat to:  simon

10:46 simon 

Mark latest YAMT port version as fixed.

00:50 simon 

Document arbitrary code execution vulnerability in evolution.

22:25 nectar 

The previous commit was

Submitted by:   Thomas-Martin Seck <tmseck@netcologne.de>

22:24 nectar 

Correct the entry date for 4e4bd2c2-6bd5-11d9-9e1e-c296ac722cb3
``squid -- HTTP response splitting cache pollution attack''.

20:12 nectar 

Document a local vulnerability in mod_dosevasive.

19:39 nectar 

Document a possible cache-poisoning issue affecting squid.

Submitted by:   Thomas-Martin Seck <tmseck@netcologne.de>

18:45 nectar 

Document Bugzilla XSS issue.

18:38 nectar 

Oops, forgot to set <discovery> date.

17:35 nectar 

Document window injection vulnerabilities affecting several web browsers.

15:29 nectar 

Cancel duplicate phpbb entry e8c6ade2-6bcc-11d9-8e6f-000a95bc6fae.  It
was already documented as e3cf89f0-53da-11d9-92b7-ceadd4ac2edd.
Useful references and descriptions were merged.

Noticed by:     simon

23:52 simon 

Document a vulnerability in YAMT.

14:37 simon 

Add squid security advisories for two recent squid entries.

Submitted by:   Thomas-Martin Seck <tmseck@netcologne.de>

09:35 edwin 

squid bug #1200:

        squid -- HTTP response splitting cache pollution attack

PR:             ports/76550
Submitted by:   Thomas-Martin Seck <tmseck@netcologne.de>

01:13 simon 

Fix typo in last commit.

00:55 simon 

Document XSS in Horde.

18:30 nectar 

Oops, I accidently changed an <entry> date when I should have
added a <modified> date.

17:48 nectar 

Document vulnerabilities in older versions of Midnight Commander.

17:34 nectar 

Document a race condition in Perl's File::Path module.

17:01 nectar 

Document phpBB vulnerabilities.

16:50 nectar 

Document vulnerabilities in the Opera web browser's Java implementation.

16:38 nectar 

Document that older versions of sudo lack CDPATH environmental variable
handling.

16:30 nectar 

Document vulnerabilities in fcron.

16:07 nectar 

Document vulnerabilities in RealPlayer.

15:54 nectar 

Add CVE name and iDEFENSE advisory references to xzgv issue.

15:37 nectar 

Grr, get the imlib version number right!

15:31 nectar 

Oops, imlib 1.9.15 is still affected.  Adjust version number to reflect
upcoming fix.

15:16 nectar 

Document xpm heap overflows and integer overflows affecting imlib and imlib2.

14:53 nectar 

Document a vulnerability in eGroupWare.

14:42 nectar 

Document Quake II vulnerabilities reported by Richard Stanway.

13:53 nectar 

Add CVE names for konversation bugs.

20:47 josef 

Document security issue in irc/konversation.

Pointed out by: markus

16:39 nectar 

Correct several instances where the "msgid" attribute content had an
extraneous trailing greater-than character ">", e.g.

   <mlist msgid="some-message@id>">some-url</mlist>

These were probably the result of off-by-one errors during
cut-and-paste.

16:19 nectar 

Eliminate character entity references.  They are technically fine of
course, but I prefer to use the UTF-8 character directly: it makes
grep'ing and the like easier.

14:13 nectar 

Update entries with 12 new CVE name references.

11:52 edwin 

Fix date (was YYYY-MM-DD, now 2005-01-19)

Thanks for Chimera@#bsdports

11:05 edwin 

squid -- no sanity check of usernames in squid_ldap_auth

(My first attempt to update this thing. Hope all goes fine!)

PR:             ports/76364
Submitted by:   Thomas-Martin Seck <tmseck@netcologne.de>

20:25 simon 

Document remote DoS in CUPS.

Heads-ups by:   Hilko Meyer <hilko.meyer@gmx.de>
Description by: nectar

17:47 nectar 

During last year's bumpercrop of vulnerabilities in libtiff, a 2004 CVE
name was assigned to what was actually a much older (circa March 2002)
denial-of-service issue.  Document it, since occassionally the CVE name
crops up and then I wonder why we missed it.

17:23 nectar 

Document exploitable vulnerabilities in zgv and xzgv.

16:59 nectar 

Document bug in Mozilla-based software that may leave downloaded files
or attachments world-readable.

16:02 simon 

Add more references to exim entry.

15:23 nectar 

pdflib contains libtiff, and thus is affected by several vulnerabilities
that affected libtiff.

12:29 simon 

Document remote command execution vulnerability in awstats.

01:02 simon 

Document security vulnerability in ImageMagick.

17:44 simon 

Update "cups-base -- HPGL buffer overflow vulnerability" entry to
reflect the fix in the latest port version.

17:20 nectar 

Spelling corrections.

13:42 nectar 

Regarding CUPS lppasswd entry: Add the CVE names for each issue inline
with the excerpt from Bernstein's message.  Note that the third issue
does not effect users of FreeBSD 4.6 or later.

23:15 simon 

Document two vulnerabilities in CUPS.

Heads up by:    Hilko Meyer <hilko.meyer@gmx.de>

20:46 simon 

Document mysqlaccess insecure temporary file creation.

18:47 simon 

Document buffer overflow vulnerability in unrtf.

17:18 simon 

Correct recent squid entry: WCCP is in fact enabled by default.

Submitted by:   Thomas-Martin Seck <tmseck@netcologne.de> (squid maintainer)

21:22 nectar 

For mod_access_referer issue:
- Correct spelling.
- `null' in `null pointer' should not be all caps
- Correct the secunia.com URL (it did not identify this particular bug)