14:47 sat 

- Use >0 for unpatched vulnerabilities

Submitted by:   simon

14:31 sat 

- Document slapd acl selfwrite Security Issue in openldap

14:00 sat 

- Document "System.CodeDom.Compiler" Insecure Temporary Creation in mono

05:24 sat 

- Document open_basedir Race Condition Vulnerability in php

17:10 sat 

- Document NULL byte injection vulnerability in phpbb

10:27 sat 

- Add references and use earlier discovery date in
fffa9257-3c17-11db-86ab-00123ffe8333

12:14 sat 

- Add CVE names to 19b17ab4-51e0-11db-a5ae-00508d6a62df

12:10 sat 

- Document admin section SQL injection in postnuke

12:39 sat 

- Document LWFN Files Buffer Overflow Vulnerability in freetype

12:21 sat 

- Document Buffer Overflow Vulnerabilities in cscope

12:05 sat 

- Document RSA Signature Forgery Vulnerability in gnutls

11:50 sat 

- Document Search Unspecified XSS in MT

11:38 sat 

- Update dokuwiki advisories

06:59 sat 

- Document latest XSRF vulnerabilities in phpmyadmin

07:34 sat 

- Mark gtetrinet 0.7.10 safe

20:52 simon 

Document openssh -- multiple vulnerabilities AKA
FreeBSD-SA-06:22.openssh.

10:25 sat 

- Document multiple vulnerabilities in dokuwiki

09:36 sat 

- Document multiple vulnerabilities in tikiwiki

09:10 sat 

- Document NULL byte injection vulnerability in punbb

18:43 sat 

- Concisify a Secunia report
- Use <gt>0 for an unpatched bug

Suggested by:   simon

06:29 sat 

- Document (another) Denial of Service Vulnerability in freeciv

06:12 sat 

- Document Packet Parsing Denial of Service Vulnerability in freeciv

05:47 sat 

- Document multiple vulnerabilities in plans

05:27 sat 

- Update the unace advisory

19:38 sat 

- Document multiple XSS security bugs in eyeOS

13:05 sat 

- Document restructuredText "csv_table" Information Disclosure in zope

12:23 sat 

- Document stack-based buffer overflow in libmms

07:08 sat 

- Document Opera SSL RSA Signature Forgery

05:59 simon 

Bump modified data which was missed in last commit.

17:07 sat 

- Mark latest linux-{firefox,seamonkey}-devel safe

10:18 simon 

Document mozilla -- multiple vulnerabilities.

14:26 remko 

In the PHP entry, replace mod-php with mod_php [1].

Rewrite the win32-codecs entry to even better explain the vulnerability [2].

Noticed by:             Dan Langille (with FreshPorts.org) [1]
Discussed with:         simon [2]

11:31 remko 

Try to explain a bit better that users who have the Quicktime plugin
as a browser plugin can be directly affected by the remote code
execution.

Also mention that I changed the entry date in the previous entry
(PHP) which I had forgotten to do yesterday and did not mention
in the previous commit.

11:03 remko 

Document win32-codecs -- multiple vulnerabilities

22:07 remko 

Attempt two:

Document php -- multiple vulnerabilities

22:01 remko 

OK, I do not know WHAT went wrong but it went wrong, revert to the old
situation and i will re-adopt the PHP entry.

21:53 remko 

Document php -- multiple vulnerabilities

18:39 novel 

Cancel latest gnutls entry (GNUTLS-SA-2006-3) - it is a false alarm:

http://lists.gnupg.org/pipermail/gnutls-dev/2006-September/001208.html

18:03 brooks 

Upgrade drupal-pubcookie to the latest version fixing a security hole
allowing anyone to bypass the authenication system and become an
arbitrary drupal user.

Security:       vid:c0fd7890-4346-11db-89cc-000ae42e9b93

15:17 novel 

Style neats for the latest gnutls entry.

Reviewed by:    remko

20:48 remko 

correct the tomcat entry (change the ,5 to _5 since we talk about PORTREVISION
instead of PORTEPOCH) [1]

correct the jdk -- jar directory traversal vulnerability entry, the
FreeBSD Foundation uses different package names [2], [3].

For both entries the modification date was bumped.

Reported by:            Gabor Kovesdan (on #bsdports) [1]
                        David Robillard <david dot robillard at gmail dot com>
[2]
                        Tim Zingelman <zingelman at fnal dot gov>

20:31 simon 

Document linux-flashplugin7 -- arbitrary code execution vulnerabilities.

13:02 lawrance 

Mark jakarta-tomcat5 as fixed since 5.0.30,5 regarding minor XSS issue.

17:50 novel 

Add an info about GNUTLS-SA-2006-3.

14:59 mnag 

- mailman -- Multiple Vulnerabilities

14:24 garga 

Bump modification date for last jabber entry change

Noted by:       remko

12:51 garga 

Fix jabber entry

19:47 remko 

Document hlstats -- multiple cross site scripting vulnerabilities.

19:27 remko 

Document gtetrinet -- remote code execution

18:32 remko 

Bump modified date in the entry changed by garga.

Forgotten by:   garga

17:14 garga 

net-im/jabber -- Mark the correct versions with fd_set vulnerability, author
fixed the problem on trunk and 2 new releases (1.4.3.1 and 1.4.4.1) is comming
soon

18:14 remko 

Update the latest FreeBSD-SA entry, ppp got replaced by sppp.
Also implement a suggestion from Simon, mark all versions before
the latest version vulnerable.

12:32 remko 

Document joomla -- multiple vulnerabilities

Note that I only documented the high level
threats, there are several others which can
be found at the link provided [1]

Reference:      http://www.joomla.org/content/view/1841/78/ [1]

23:09 remko 

Document FreeBSD-SA-06:18.ppp

10:40 remko 

Minor whitespace cleanup (we need a blank line every after </entry>
so that we can easily see the different entries).

02:31 shaun 

- Add imp to the previous entry.
- Add some SecurityFocus BIDs too.

22:54 shaun 

Document horde -- Phishing and Cross-Site Scripting Vulnerabilities.

21:26 remko 

Convert 8 spaces to tab as per the FDP for the latest
entry.

21:09 brooks 

Add entry for globus tmpfile creation bugs.

20:07 brueffer 

The lang/f2c port has been updated, update affected versions.

Reviewed by:    simon

20:33 remko 

Document x11vnc -- authentication bypass vulnerability.

The 1.1111th commit, yay.

19:28 remko 

Document alsaplayer -- multiple vulnerabilities.

16:44 remko 

Document postgresql -- encoding based SQL injection.

Reported by:            Radim Kolar <hsn at netmag dot cz>

15:33 remko 

Bump modified date in the older entry I just corrected.

Spotted by:     simon (again)

15:25 remko 

Document postgresql -- multiple vulnerabilities.

These are all older vulnerabilities which had not yet been documented
by the Security Team.

Also fix a minor mistake in an older PostgreSQL entry.

14:14 remko 

Fix the discovery date in the latest MySQL entry.

Spotted by:     simon

13:40 remko 

Document mysql -- format string vulnerability.

19:44 remko 

OK after some more discussions with Simon it appeared that the ,2
marked all future releases of squirrelmail as vulnerable.

The negative side-effect of PORTEPOCH.  Split the previous entry
into two seperated entries again, restoring the old entry for
squirrelmail, and having the 'new' entry for ja-squirrelmail.

This would grab any future versions of ja-squirrelmail if it were
to be readded, and does not conflict with future versions of
squirrelmail.

For more information about the portepoch discussion etc:
http://lists.freebsd.org/pipermail/freebsd-vuxml/2006-July/000185.html

18:36 remko 

Simon provided me with the necessary clue to mark the appropriate ports
as vulnerable.  I was soo close..

17:10 remko 

Document squirrelmail -- random variable overwrite vulnerability.

Note that I marked all ja-squirrelmail entries as vulnerable, it
does no longer exist on it's own and the portepoch is giving me
matching problems.

21:06 simon 

Document rubygem-rails -- evaluation of ruby code.

Submitted by:   Marius Nuennerich <marius.nuennerich@gmx.net>

20:01 simon 

Add CVE name to recent ClamAV entry.

14:46 garga 

Document clamav and clamav-devel vulnerability

Reviewed by:    secteam (mnag)

14:03 mnag 

- Fix discovery date in latest entry
- Remove extra "." in latest entry

22:24 brooks 

Update drupal to 4.6.9 to fix yet another XSS vulnerability.

Security:       vuxml vid c905298c-2274-11db-896e-000ae42e9b93

01:40 kuriyama 

Add recent gnupg issue.

14:07 remko 

We are not affected by: CAN-2005-0018 in the
f2c entry (43cb40b3-c8c2-11da-a672-000e0c2e438a).  We do not have
the shellscript, and it is not installed.

Reported by:            thierry

13:58 simon 

Unbreak latest ruby entry by adding missing </lt>.

13:32 simon 

Run make tidy to clean up some style issues.

09:58 sem 

- The last vulnerabilities was fixed in ruby18 port

20:58 remko 

OK, I misunderstood Simon with this one.  The <gt>1.8.*</gt> entry
should have stayed and I interpreted that wrong.

Pointyhat:              remko

20:40 remko 

Fix my previous version commit.  The two entries matched twice when you
have ruby installed.  You learn something new everyday...

Noticed/discussed with:         simon

17:41 remko 

Mark all 1.6 and 1.8 versions as vulnerable, we do not have a fix
yet and are unable to tell what the naming scheme will be with
those patches.  We can narrow down the scope later, we should
not do so before we know the mentioned scheme.

Triggered by:           sem

16:54 remko 

Add a BID to the latest vuxml entry.
Some minor changes to the markup of the entry.

16:34 shaun 

- Document Ruby vulnerability. [1]
- Fix URL in previous mutt entry while here.

Reported by:    Joel Hatton via freebsd-ports [1]

12:48 simon 

Add linux-thunderbird to mozilla -- multiple vulnerabilities entry.

Prodded by:     sat

21:59 simon 

Document apache -- mod_rewrite ldap buffer overflow vulnerability.

Thanks to remko for doing initial list of apache package names in an
earlier VuXML entry.

23:51 simon 

Fix error in latest mozilla entry which marked all firefox version as
vulnerable.

Reported by:    Craig Leres

13:59 simon 

Document mozilla -- multiple vulnerabilities.

Note I assume that linux-firefox-devel 3.0.a2006.07.26 is fixed, I
haven't actually checked (way to many issues to check for).

11:03 garga 

Add "zope -- information disclosure vulnerability" entry

Reviewed by:    simon

10:57 simon 

For latest drupal entry:
 - Unbreak vuln.xml format by adding content to the references section.
 - Remove vulnerabilities already documented in
   40a0185f-ec32-11da-be02-000c6ec775d9.

16:19 brooks 

Add entry for drupal issues.

13:23 erwin 

Add shoutcast crosssite scripting.

Submitted by:   gabor
Reviewed by:    simon

12:24 simon 

Cancel VID 0a4cd819-0291-11db-bbf7-000c6ec775d9 / opera -- JPEG
processing integer overflow vulnerability, since it turns out that the
issue does not affect the FreeBSD or Linux versions of Opera.

Source: http://www.opera.com/support/search/supsearch.dml?index=834

11:23 simon 

Correct dates in latest mambo entry by resetting entry date and adding
a modified date.

OK'ed by:       itetcu

11:04 itetcu 

Bump modified date for previous commit.

Requested by:   simon

10:19 itetcu 

The two two SQL injection vulnerabilities in Mambo described in
vid f70d09cb-0c46-11db-aac7-000c6ec775d9 are fixed in 4.5.4

PR:             ports/100044
Submited by:    maintainer

22:59 simon 

Fix markup breakage that slipped in just before commit of the latest
samba entry.

22:38 simon 

Document samba -- memory exhaustion DoS in smbd.

11:48 simon 

- For the latest trac entry include information from the release
  announcements about setups which are not affected.  To avoid having
  to reference two documents simply reference the release notes for
  all the information (it's basically the same as the changelog with
  slightly different wording).
- Add a modified date tag.