13:52 nectar 

Record another PHP security issue.

Approved by:    portmgr

12:52 nectar 

Note that xv should not be used.

Approved by:    portmgr

19:59 nectar 

Note a symlink vulnerability in getmail.

Submitted by:   Shane Kinney <mod6@freebsdhackers.net>
Approved by:    portmgr

17:30 nectar 

Fill in empty topic from previous commit.

Noticed by:     Shane Kinney <mod6@freebsdhackers.net>
Approved by:    portmgr

17:09 nectar 

Record FreeBSD-SA-04:15.syscons.

Approved by:    portmgr

14:01 nectar 

Add missing PORTEPOCH for samba.

Noticed by:     dinoex
Approved by:    portmgr

22:49 nectar 

Note racoon certificate verification bug.

Submitted by:   Jon Passki <cykyc@yahoo.com>
Approved by:    portmgr

15:51 nectar 

Note distcc IP address ACL bug.

Submitted by:   Jon Passi <cykyc@yahoo.com>
Approved by:    portmgr

15:38 nectar 

Remove a duplicate entry.

Submitted by:   Jon Passki <cykyc@yahoo.com>
Approved by:    portmgr

01:40 nectar 

Correct the version number for latest Mozilla entry.
(cut-n-paste damage)

Approved by:    portmgr

01:37 nectar 

Document the last few of the relatively recent Mozilla vulnerabilities.

Approved by:    portmgr

23:32 nectar 

Correct mangled CVE name: s/8983/0903/

Approved by:    portmgr

23:29 nectar 

Add another two older vulnerabilities affecting Mozilla & co.
Continue to try hard to cover past package names:
  - I missed el-linux-mozillafirebird previously.
  - Move all the `obsolete' package names into one place
    for clarity.

Approved by:    portmgr

22:30 nectar 

Don't forget `ja-samba' also.

Approved by:    portmgr

22:26 nectar 

Note samba file disclosure vulnerability.

Approved by:    portmgr

16:48 trhodes 

Fix apache version number entry, bump modified date for apache as well.

Approved by:    portmgr

18:02 nectar 

Make an initial attempt at covering all Mozilla/Firefox/Thunderbird
package names that we've had.  Similar changes need to be made to many
other entries, but let's use this one as a test subject first.

Approved by:    portmgr

15:06 nectar 

Correct spelling of phpnuke package name.

Reported by:    Dan Langille
Approved by:    portmgr

14:31 nectar 

Note BMP decoder flaws in Mozilla/Firefox/Thunderbird.

Approved by:    portmgr

14:28 nectar 

Note stack buffer overflow in Mozilla mail.

Approved by:    portmgr

14:22 nectar 

Document Mozilla/Firefox/Thunderbird heap buffer overflows.

Approved by:    portmgr

13:36 nectar 

Correct the package name for phpMyAdmin.

Reported by:    Matthew Seaman <m.seaman@infracaninophile.co.uk>
Approved by:    portmgr

15:15 nectar 

Add CERT Vulnerability Note references to xpm entry.

Approved by:    portmgr

02:57 nectar 

Note two older vulnerabilities in PHP.

Submitted by:   Jon Passki <cykyc@yahoo.com>
Approved by:    portmgr

18:17 nectar 

Note subversion information disclosure vulnerability.

Submitted by:   lev
Approved by:    portmgr

18:04 nectar 

Add missing PORTEPOCH in a mozilla entry.
Correct package name in an apache entry.

Reported by:    Dan Langille <dan@langille.org>
Approved by:    portmgr

00:59 nectar 

Forgot to add <modified> element for last commit.

Approved by:    portmgr

00:58 nectar 

Add missing PORTEPOCH on one of the mozilla entries.

Noticed by:     Dan Langille <dan@langille.org>
Approved by:    portmgr

15:07 nectar 

Document vulnerabilities in lha.

Reviewed by:    dinoex
Approved by:    portmgr

14:16 nectar 

Lately it seems I like to use dashes in topics... but I should at
least be consistent with how many.  s/---/--/

Approved by:    portmgr

14:10 nectar 

Document mysql buffer overflow.

Reported by:    ale
Approved by:    portmgr

16:39 nectar 

Document Mozilla security icon spoofing vulnerability.

Approved by:    portmgr

16:16 nectar 

Document Mozilla vulnerability involving NULL bytes in FTP URLs.

Also, correct s/firebird/firefox/ in a previously documented issue.

Approved by:    portmgr

15:59 nectar 

Document Mozilla automatic file upload vulnerability.

Approved by:    portmgr

15:44 nectar 

Document mozilla certificate import denial-of-service vulnerability.

Approved by:    portmgr

22:04 nectar 

Note a file name disclosure issue in rssh.

Reported by:    leeym
Approved by:    portmgr

20:13 nectar 

Add entry describe GNU Radius denial-of-service vulnerability.

Approved by:    portmgr

20:06 nectar 

Add sudoedit vulnerability.

Approved by:    portmgr

23:36 nectar 

In latest CVS entry, remove the reference to the exploit.  It does
not apply to any of these vulnerabilities, but to the previous CVS
vulnerability (CAN-2004-0396).

Approved by:    portmgr

23:32 nectar 

Oh yeah, add affected FreeBSD versions for CVS issues.

Approved by:    portmgr

23:23 nectar 

Update CVS entry with some details.

Approved by:    portmgr

17:38 trhodes 

Add an entry for the mod_proxy buffer overflow existant in apache13.

Approved by:    portmgr

15:42 nectar 

Note some fixes for XPM image decoding vulnerabilities.

Submitted by:   lesi

Add references to Chris Evans's advisories while I'm at it.

Approved by:    portmgr

02:12 marcus 

Update to gdk-pixbuf vulnerability to reflect the fixed version of gtk20.

Approved by:    portmgr( implicit)

19:54 nectar 

Note that a patched version of webmin 1.150 is now available, thanks
to olengi@.

Submitted by:   olengi

Add a paragraph introducing the Webmin blockquote while I'm here.

Approved by:    portmgr

18:05 nectar 

Note gdk-pixbuf image decoding issues.

Approved by:    portmgr

17:39 nectar 

clement@ has patched Apache 2.

Approved by:    portmgr

16:31 nectar 

Note CUPS printer queue browser denial-of-service.

Approved by:    portmgr

15:57 nectar 

Note Apache 2 IPv6 address parsing bug.

Approved by:    portmgr

15:16 nectar 

Note new libXpm vulnerabilities.

Approved by:    portmgr

14:47 nectar 

I appear to have deleted a line at the last minute.  Restore it.

Approved by:    portmgr

14:45 nectar 

Add mod_dav denial-of-service issue.

Approved by:    portmgr

14:20 nectar 

Oops, forgot to note that the previous issue affects only the Apache 2.x
series.

Approved by:    portmgr

14:18 nectar 

Add Apache 2 vulnerability concerning environmental variables in
configuration files.

Approved by:    portmgr

13:52 nectar 

Repair three <freebsdpr> elements.  The content of these elements
must be e.g. "ports/46613", not just "46613".

Reported by:    Matthew Seaman <m.seaman@infracaninophile.co.uk>
Approved by:    portmgr

03:03 nectar 

Note that some versions of OpenOffice have been corrected.

Approved by:    portmgr

03:38 trhodes 

Fix botched date entry and correct iDefense URL.

Approved by:    portmgr

03:19 trhodes 

Really add Samba 3 vulnerability.
Remove incorrect URL in mpg123 entry.

Approved by:    portmgr
URL noticed:    nectar

03:01 trhodes 

Correct version.  Note my last commit here was for mpg123 instead of
samba3.

Noticed by:     nectar
Approved by:    portmgr

02:21 nectar 

- There is a WITHOUT_X11 version of ImageMagick that needs to be
  taken into account.
- Fix transposed characters in `isakmpd'.

Noticed by:     Dan Langille <dan@langille.org>

- Add CVE name reference for ImageMagick.
- Add webmin temporary file handling issue.
- Add OpenOffice temporary file handling issue.
- Widen the `KDE frame injection' issue to cover Mozilla, Firebird,
  Netscape, and Opera as well
- Add Mozilla/Firebird/Netscape SOAPParameter vulnerability
- Add Mozilla/Thunderbird/Netscape POP client vulnerability

Approved by:    portmgr

02:02 trhodes 

Update for recent Samba3 vulnerabilities.

Approved by:    portmgr

12:02 nectar 

Adjust the affected version for imlib now that the 2nd instance of BMP
loader has been corrected.

17:12 nectar 

The recent commit to the krb5 port brought the version to 1.3.4_1 but
did not correct one of the existing vulnerabilities.  Update the
affected range to compensate.

20:52 nectar 

Note recent MIT Kerberos 5 vulnerabilities.

14:55 nectar 

Document imlib2 BMP decoder bug.

14:34 nectar 

Document BMP decoder bugs in imlib1 and ImageMagick.

14:23 nectar 

Correct bogus date in mysql entry. (It should be YYYY-MM-DD, not
DD-MM-YYYY.)

Reported by:    robert@openbsd.org

14:21 nectar 

Add more references (particularly CVE names) for issues affecting
SpamAssassin, tnftpd, ruby, mysql.

Place text taken from another source inside <blockquote cite="...">
for ruby issue.

11:08 eik 

correct/add some references

15:29 nectar 

Document NSS SSLv2 server buffer overflow (already referenced in
portaudit.txt).

14:43 nectar 

Document ripMIME decoding bug (already referenced in portaudit.txt).

04:29 marcus 

Remove <modified/> from the gnomevfs vulnerability since it was the same
as <entry/> and it needed to be last anyway.

Suggested by:   nectar

01:48 marcus 

Update the gnomevfs entry to reflect the fixed versions.

22:30 trhodes 

Add entry for moinmoin ACL bypass.

22:10 nectar 

Note sanitize_path bug in rsync (already referenced in portaudit.txt).

21:12 nectar 

Unsafe URI handling in gnome-vfs, MidnightCommander.

20:34 nectar 

Document buffer overflows in SoX (already referenced in portaudit.txt).

20:15 nectar 

Document cookie bug in Konqueror (already referenced in portaudit.txt).

19:18 trhodes 

Place port name in the description.

Suggested by:   eik

16:08 nectar 

Add libxine vcd URL handling issue.

14:51 nectar 

Add DoS in SpamAssassin.

13:06 nectar 

Add <modified> date for previous commit.

13:05 nectar 

fidogate-ds was also affected by the ``write files as `news' user''
issue.

23:14 nectar 

Off-by-one error in courier-imap entry.

Noticed by:     oliver

22:58 nectar 

Add a more useful reference for the Qt issue.

22:56 nectar 

Add Qt heap overflow issue.

22:39 nectar 

Add a security issue affected courier-imap when run with certain debug
flags.

22:28 nectar 

Add fidogate issue.

22:07 nectar 

Add an issue covering a vulnerability in mysqlhotcopy.

Reported by:    robert@openbsd.org

21:44 nectar 

Cancel a VuXML entry for an Apache vulnerability that does not affect
FreeBSD.

Reminded by:    recent conversations :-)

08:29 eik 

cancelled 6fd9a1e9-efd3-11d8-9837-000c41e2cdad: does not affect FreeBSD
  <http://docs.FreeBSD.org/cgi/mid.cgi?20040817123651.GB930>

21:18 nectar 

Add a pointer to Przemyslaw Frasunek's advisory.

18:30 nectar 

For the lukemftpd/tnftpd issue, add a reference to NetBSD security
advisory now that it is available.

18:01 nectar 

Note a vulnerability in lukemftpd/tnftpd.

12:07 eik 

multiple CVS vulnerabilities

06:46 knu 

Correct the version numbers and dates in the last entry.

06:40 knu 

Add an entry for:
  Ruby insecure file permissions in the CGI session management

22:38 nectar 

Document a setgid "games" security issue in xonix.  Based on a VuXML
entry that was

Submitted by:   robert@OpenBSD.org

15:51 nectar 

Correct the version number range affected for ja-samba.
Correct the version number range affected for Mozilla 1.8 alphas.

Problem hinted at by:   eik

14:31 nectar 

Correct the version number range affected for Mozilla 1.8 alphas.

Problem hinted at by:   eik

While I'm here, add a CVE name reference and a couple of other relevant
Bugzilla links.  It is interesting that this security issue was reported
as early as 1999.  Also, replace the text plagiarized from the Secunia
advisory without attribution with a more helpful (maybe?) description of
the issue.