non port: security/vuxml/vuln.xml |
Number of commits found: 6273 (showing only 100 on this page) |
Thursday, 13 Jan 2005
|
21:13 nectar
Add references to Konqueror password disclosure bug: CVE name, CERT
Vulnerability Note, and KDE security advisory.
 |
20:52 nectar
Update phpBB command execution entry references:
- Convert some <url>s into the appropriate <certvu> and <uscertta>
elements.
- Add CVE name
- Add a couple of mailing list posts
 |
20:42 nectar
For the latest three Squid issues, add references to the Squid bug
tracking database. Also, rework the description of the empty ACL issue.
 |
20:26 nectar
Add a better reference and description of the jabberd vulnerability.
 |
20:04 nectar
Oops, add missing closing tag for Bugtraq ID which I recently added.
 |
20:02 nectar
Add CVE name for up-imapproxy issue.
 |
19:53 nectar
Add CVE names to greed buffer overflows issue. Re-indent <references>
children.
 |
19:51 nectar
For mpg123 playlist issue, add CVE name, Bugtraq ID, and X-Force
references. Correct a double slash (`//') in a URL. Re-indent the
<references> children.
 |
19:46 nectar
Add a CVE name for VIM modeline handling issue.
 |
19:39 nectar
Cancel VID 14e8f315-600e-11d9-a9e7-0001020eed82 "tiff -- stripoffsets
integer overflow vulnerability", as it was a subset of VID
3897a2f8-1d57-11d9-bc4a-000c41e2cdad "tiff -- multiple integer
overflows". This is another case of iDEFENSE ``discovering'' a
vulnerability months after it had already been made public and
corrected. I've preserved the iDEFENSE advisory reference by moving it
to the older entry, so that someone won't get misled by it again later.
 |
19:09 nectar
Add CVE name for tnftp mget vulnerability. Re-indent <references>
children while I'm here.
 |
18:41 nectar
For recent squid WCCP DoS issue, correct the URL used in <blockquote>
"cite" attribute and <url> content. It referenced the wrong squid
patch description.
 |
18:03 nectar
Document Mozilla NNTP handler vulnerability.
 |
16:10 simon
- Document a vulnerability in mpg123.
- Add mpg123-nas to an earlier mpg123 entry.
- Make title for exim entry more accurate.
- Fix invalid modification date in latest xpdf entry.
 |
Wednesday, 12 Jan 2005
|
22:37 simon
- Integrate vendor patches as published on
<http://www.squid-cache.org/Versions/v2/2.5/bugs/> for the following
issues:
+ Prevent a possible denial of service attack via WCCP messages (squid bug
#1190), classified as security issue by the vendor
+ Fix a buffer overflow in the Gopher to HTML conversion routine (squid bug
#1189), classified as security issue by the vendor
+ Fix a null pointer access and plug memory leaks in the fake_auth NTLM
helper (squid bug #1183) (this helper app is not installed by default by
the port)
+ Stop closing open filedescriptors beyond stdin, stdout and stderr on
startup (squid bug #1177)
- Unbreak the port on NO_NIS systems (thanks to "Alexander <freebsd AT
nagilum.de>" for reporting this)
- Document the two security issues in VuXML.
PR: ports/76173
Submitted by: Thomas-Martin Seck <tmseck@netcologne.de> (maintainer)
Approved by: erwin (mentor)
 |
14:39 nectar
- Document some older security issues in libxine.
- Cancel VID bef4515b-eaa9-11d8-9440-000347a4fa7d in favor of a more
complete, new entry. (A xine security announcement covered the same
issue and others.)
- Add references to xine security announcements and iDEFENSE
Security Advisories.
 |
Tuesday, 11 Jan 2005
|
22:41 nectar
Document HylaFAX authentication bypass vulnerability.
 |
22:18 naddy
Document xshisen buffer overflows.
 |
16:39 nectar
Add CERT Vulnerability Note reference for tiff issue.
 |
14:31 nectar
Bump copyright for 2005.
 |
00:33 simon
Mark pdftohtml as vulnerable to recent xpdf vulnerability.
 |
Monday, 10 Jan 2005
|
22:20 niels
Documented two vulnerabilities in the helvis port
 |
Sunday, 9 Jan 2005
|
18:34 nectar
Add CVE names for exim issue.
 |
Saturday, 8 Jan 2005
|
20:18 simon
Document format string vulnerability in dillo.
 |
17:47 sem
- Shorten exim entry
Thanks to: simon
 |
17:39 simon
Fix typo in latest tiff entry.
Noticed by: bmah
 |
00:20 simon
- Document that two older tiff vulnerabilities also affect
linux-tiff. [1]
- Add an extra reference to each of the two entries while I'm here
anyway.
- In one of the tiff title elements do s/---/--/ for consistency.
Discussed with: nectar [1]
Approved by: portmgr (implicit, VuXML)
 |
Friday, 7 Jan 2005
|
15:34 nectar
The tnftp port has been updated.
Approved by: portmgr (implicit, VuXML)
 |
13:59 nectar
Fix up last commit (tnftp entry):
- Malformed XML
- mismatched tags (<packages></package>)
- invalid entity reference &content-type= (ampersand should have
been replaced with &amp;)
- Replace <range> so that it matches all possible versions for now,
until a fixed version is available in the ports tree
- <entry> date was in the past
Approved by: portmgr (implicit, VuXML)
Pointy hat to: ahze (hint: make validate)
 |
07:09 ahze
Document vulnerabilities in tnftp
PR: ports/75782
Submitted by: Tom McLaughlin
Approved by: portmgr (krion)
 |
Thursday, 6 Jan 2005
|
22:41 simon
Document several vulnerabilities in tiff.
Approved by: portmgr (implicit, VuXML)
 |
17:05 nectar
Fill in forgotten `cite' attribute value.
Noticed by: simon
Approved by: portmgr (implicit, VuXML)
 |
16:54 nectar
Document a local vulnerability in VIM's modeline handling.
Approved by: portmgr (implicit, VuXML)
 |
14:46 nectar
Add a CERT VU reference for the latest Acrobat Reader vulnerability.
Add old package names (acroread4, acroread5) for an older Acrobat Reader
vulnerability.
Approved by: portmgr (implicit, VuXML)
 |
00:26 simon
Document buffer overflow vulnerabilities in pcal.
Approved by: portmgr (implicit, VuXML)
 |
Wednesday, 5 Jan 2005
|
20:41 simon
Add (now deleted) exim-ldap package to latest exim entry.
Approved by: portmgr (implicit, VuXML)
 |
02:12 sem
s/le/lt/ on my last commit. it's "<", not "<=".
Approved by: portmgr (implicitly)
 |
02:03 sem
exim -- two relatively minor security issues
Approved by: portmgr (implicitly, VuXML)
 |
Tuesday, 4 Jan 2005
|
20:28 simon
For the "kdelibs3 -- konqueror FTP command injection vulnerability"
entry: replace references to Debian and KDE bugtracking systems with a
KDE advisory which basically contains the same information but is more
readable.
Approved by: portmgr (implicit, VuXML)
 |
Monday, 3 Jan 2005
|
21:48 josef
Document security issues in golddig, greed, mpg123.
Submitted by: niels
Approved by: portmgr (implicit, VuXML)
 |
Sunday, 2 Jan 2005
|
23:54 simon
Mark open-motif-2.2.3_1 as fixed with regard to the "xpm -- image
decoding vulnerabilities" entry.
PR: misc/75726
Submitted by: Hilko Meyer <hilko.meyer@gmx.de>
Approved by: portmgr (implicit, VuXML)
 |
12:37 simon
- Note that the port update to up-imapproxy 1.2.2 included a patch to
fix the security vulnerability.
- Mark pop3proxy as vulnerable to the up-imapproxy vulnerability,
since pop3proxy is derived from up-imapproxy.
Reported by: mbr
Approved by: portmgr (implicit, VuXML)
 |
10:53 simon
Document vulnerabilities in up-imapproxy.
Approved by: portmgr (implicit, VuXML)
 |
00:59 simon
Add two bugtraq ids to the latest a2ps entry.
Approved by: portmgr (implicit, VuXML)
 |
Saturday, 1 Jan 2005
|
15:55 simon
Document FTP command injection vulnerability in kdelibs3.
Approved by: portmgr (implicit, VuXML)
 |
Thursday, 30 Dec 2004
|
20:20 simon
Improve topic for latest phpbb vulnerability to highlight the main
problem (arbitrary command execution).
Prodded by: remko
 |
17:55 simon
Document insecure temporary file creation in a2ps.
 |
14:11 simon
Add more references to two older entries.
 |
Wednesday, 29 Dec 2004
|
17:48 josef
Add modified date to my last commit.
Spotted by: simon
 |
17:34 josef
libxine is also affected by the mplayer vulnerabilities.
Add cvenames.
 |
16:26 josef
Document vulnerability in libxine.
 |
Sunday, 26 Dec 2004
|
20:51 josef
Document vulnerability in jabberd1
 |
Friday, 24 Dec 2004
|
23:49 josef
s/kpdf/kdegraphics
 |
13:48 josef
Add ports to xpdf report that come with own xpdf in distfile.
For kdegraphics:
Reported by: lofi
 |
Thursday, 23 Dec 2004
|
11:03 simon
Remove duplicate word in the latest squid entry.
Noticed by: josef
 |
00:58 simon
Document potentially confusing results on empty ACL
declarations in squid.
PR: ports/75403 (part of)
Submitted by: Thomas-Martin Seck <tmseck@netcologne.de>
 |
00:39 simon
Document multiple vulnerabilities in ethereal.
 |
00:04 simon
Document a buffer overflow vulnerability in xpdf.
 |
Wednesday, 22 Dec 2004
|
12:17 delphij
Document phpBB vulnerability that exists on phpBB < 2.0.11
Submitted by: Kang LIU <liukang bjut edu cn>
 |
Tuesday, 21 Dec 2004
|
22:37 simon
Document a vulnerability in acroread.
 |
22:10 simon
Document a vulnerability in ecartis.
 |
19:38 simon
Document multiple vulnerabilities in mplayer.
 |
02:09 simon
Document a heap buffer overflow vulnerability in MIT Kerberos 5.
 |
00:34 simon
Document an integer overflow vulnerability in samba.
 |
Monday, 20 Dec 2004
|
09:55 niels
Corrected typo (blockquote in wrong place).
Approved by: nectar (implicit)
 |
Sunday, 19 Dec 2004
|
12:49 simon
- Update the corrected version number for recent phpMyAdmin entry to match
the actual ports version number for phpMyAdmin 2.6.1-rc1.
- Bump modification date for the updated entries.
 |
Saturday, 18 Dec 2004
|
18:53 simon
Updates for the latest PHP entry:
- Correctly match the www/mod_php4 port (it was missing PORTEPOCH).
- Add a few more references.
- Bump modified date.
 |
Friday, 17 Dec 2004
|
14:56 simon
Correct recent php entry, 4.3.10 and 5.0.3 are fixed.
 |
10:56 sem
Fix VID for the last commit.
 |
09:32 sem
Multiple vulnerabilities in PHP. From Secunia report.
 |
Thursday, 16 Dec 2004
|
10:51 niels
Added 5 MySQL vulnerabilities
Approved by: nectar (mentor)
 |
Wednesday, 15 Dec 2004
|
22:21 simon
Document two vulnerabilities in phpMyAdmin.
 |
Tuesday, 14 Dec 2004
|
17:55 simon
Document multiple vulnerabilities in wget.
 |
Sunday, 12 Dec 2004
|
22:15 simon
- Add bugtraqid references to several entries.
- Fix typo in msgid for a samba entry.
- Bump modification date for updated entries.
 |
21:14 josef
Document security issue in Konqueror.
 |
Saturday, 11 Dec 2004
|
16:22 simon
Document a NULL pointer dereference vulnerability in mod_access_referer.
Submitted by: Niels Heinen <niels.heinen@ubizen.com>
 |
Wednesday, 8 Dec 2004
|
23:16 sem
Integrate the following vendor patches as published on
http://www.squid-cache.org/Versions/v2/2.5/bugs/:
- a malformed hostname can cause squid to return random data as error messages,
possibly leaking internal information from former requests (squid bug #1143).
(This is classified as a minor security issue by the squid developers, so
maintainer cc'ed security-team@. See VuXML entry.)
- the "httpd_accel_port 0" directive does not work on its own (squid bug #1121)
- fix crashes occurring when using cachemgr's "vm_objects" operation (squid
bug #1149)
PR: ports/74859
Submitted by: maintainer
 |
Tuesday, 7 Dec 2004
|
23:38 simon
Document information leakage in viewcvs.
 |
13:35 simon
Document a symlink attack vulnerability in cscope.
 |
Sunday, 5 Dec 2004
|
06:53 glewis
. Put the topic in the same format all other recent topics have been in for
the Java plugin vulnerability.
. Note that the diablo-jdk and diablo-jre packages are vulnerable to the
plugin issue. [1]
Prodded by: simon [1]
 |
Saturday, 4 Dec 2004
|
21:12 simon
Add cvename to bnc vulnerability.
 |
20:47 simon
Document a remote code execution vulnerability in bnc.
 |
18:21 simon
Fix grammar nit in ImageMagick entry.
Submitted by: Daniel Seuffert <DS@praxisvermittlung24.de>
 |
18:09 simon
For the Java plugin vulnerability, also match the linux-jdk package
(old name for linux-jdk-sun).
 |
Friday, 3 Dec 2004
|
17:24 glewis
. Note that although linux-sun-jdk13 had one plugin vulnerability fixed
in 1.3.1.13, it contained another problem. This is fixed in 1.3.1.14.
 |
08:22 rushani
Document vulnerability that allows arbitrary command execution in rssh
and scponly.
Approved & reviewed by: josef (security team)
 |
Thursday, 2 Dec 2004
|
21:04 naddy
Document buffer overflows in rockdodger.
 |
Wednesday, 1 Dec 2004
|
20:08 simon
Add CVE to zip vulnerability.
 |
19:38 simon
Document a long path buffer overflow in zip.
 |
15:30 simon
Document signal delivery vulnerability in sudoscript.
 |
Tuesday, 30 Nov 2004
|
21:54 josef
Document vulnerability in net/jabberd.
 |
Monday, 29 Nov 2004
|
21:05 josef
Document vulnerability in net/opendchub.
Based on submission by: Niels Heinen <niels.heinen@ubizen.com>
 |
Sunday, 28 Nov 2004
|
17:03 simon
Add Bugtraq ID for SA-04:16.fetch entry.
 |
Friday, 26 Nov 2004
|
20:41 simon
Document two vulnerabilities in unarj.
 |
Thursday, 25 Nov 2004
|
19:29 glewis
. Mark linux-ibm-jdk as also vulnerable to the Java plugin vulnerability.
 |
18:43 glewis
. Fix the range and add an additional range for the jdk vulnerability.
. Note that linux-sun-jdk and linux-blackdown-jdk are also vulnerable.
 |
17:56 glewis
. Fix whitespace.
 |
16:10 glewis
. Add an entry for the problem in the Java plugin.
 |
15:32 simon
Update ruby CGI DoS entry to note that the most recent version in
ports is fixed. Also remove ruby-static as vulnerable, since it does
not contain cgi.rb.
 |
13:38 josef
Document vulnerability in ftp/prozilla.
Submitted by: Niels Heinen <niels.heinen@ubizen.com>
 |