security/vuxml: document gitlab vulnerabilities

security/vuxml: Adjust affected kea versions

CVE-2025-40779 doesn't affect Kea 2.6.x, which is the version present on
quarterly branch.  On net/kea, it only affects 3.0.0 while it affects
3.1.0 and 2.7.x on net/kea-devel.

security/vuxml: Add net/kea vulnerability

* CVE-2025-40779

security/vuxml: Add devel/qt6-base < 6.9.2

security/vuxml: Add www/qt6-webengine < 6.9.2

security/vuxml: Fix entry

Fixes:	35f7214f7a9ec

security/vuxml: Add SQLite vulnerability

 * CVE-2025-29088

security/vuxml: add p5-Catalyst-Authentication-Credential-HTTP

security/vuxml: Add Mozilla vulnerabilities

 * CVE-2025-9187
 * CVE-2025-9184
 * CVE-2025-9185
 * CVE-2025-9183
 * CVE-2025-9182
 * CVE-2025-9181
 * CVE-2025-9180
 * CVE-2025-9179

security/vuxml: add www/nginx-devel < 1.29.1

Obtained from:	https://my.f5.com/manage/s/article/K000152786

security/vuxml: add www/*chromium < 139.0.7258.127

Obtained
from:	https://chromereleases.googleblog.com/2025/08/stable-channel-update-for-desktop_12.html

security/vuxml: Add vulnerabilities for PostgreSQL

security/vuxml: document gitlab vulnerabilities

security/vuxml: Document www/varnish7 DoS condition

security/vuxml: add security/p5-Authen-SASL

security/vuxml: add www/*chromium < 139.0.7258.66

Obtained
from:	https://chromereleases.googleblog.com/2025/08/stable-channel-update-for-desktop.html

security/vuxml: Document Apache httpd vulnerability

security/vuxml: add FreeBSD SA issued on 2025-08-08

FreeBSD-SA-25:07.libarchive affects all supported versions of FreeBSD.

security/vuxml: Add Sqlite vulnerability

 * CVE-2025-3277

security/vuxml: navidrome < 0.56.0 CVE-2025-48948

This wasn't mentioned along with the other navidrome < 0.56
vuln and also has a wider affected version range.

Security:	CVE-2025-48948
Security:	95480188-6ebc-11f0-8a78-bf201f293bce

security/vuxml: fixup linux_base -> linux_base-rl9

security/vuxml: clean up sqlite3 version range mess

Several sqlite3 entries mentioned wrong version ranges
with respect to PORTEPOCH and/or forgot the linux-*-sqlite
or, more recently, linux_base port.

While auditing this, I saw several implausible tags that used <gt>
(greater-than) in ranges where I believe that <ge> (greater-or-equal)
would be more adequate.

Add relevant reminders to vuxml's Makefile.

Fix up sqlite3's 2025 entries.

linux_base-rl9 currently ships 3.34.1-7.el9_3, see
emulators/linux_base-rl9/Makefile.version - I don't know if that's
vulnerable or was patched inside Rocky Linux, but let's err on the safe side.
I'll leave it up to emulation@ to clean up this particular entry.

security/vuxml: fix up range for sqlite3's CVE-2025-7458

Security:	f51077bd-6dd7-11f0-9d62-b42e991fc52e
Security:	CVE-2025-7458

security/vuxml: Add Sqlite vulnerability

CVE_ID=CVE-2025-7458

security/vuxml: Use of Cryptographically Weak Pseudo-Random Number Generator in
p5-Crypt-CBC

Also, fix typo missing space in previous report.

security/vuxml: Add devel/viewvc-devel entry

security/vuxml: Document possible DoS valnerability in rubygem-resolv

security/vuxml: Add Mozilla vulnerabilities

 * CVE-2025-8027
 * CVE-2025-8028
 * CVE-2025-8029
 * CVE-2025-8030
 * CVE-2025-8031
 * CVE-2025-8032
 * CVE-2025-8033
 * CVE-2025-8034
 * CVE-2025-8035
 * CVE-2025-8036
 * CVE-2025-8037
 * CVE-2025-8038
 * CVE-2025-8039
 * CVE-2025-8040
 * CVE-2025-8043
 * CVE-2025-8044

security/vuxml: document gdk-pixbuf2 vulnerability

security/vuxml: add dns/powerdns-recursor entry for CVE-2025-30192

PR:		288384
Reported by:	Ralf van der Enden <tremere@cainites.net>
Obtained from:	https://blog.powerdns.com/powerdns-security-advisory-2025-04

security/vuxml: document gitlab vulnerabilities

security/vuxml: Add sqlite3 vulnerability

CVE-2025-6965

security/vuxml: Document 7-zip vulnerability

Prompted by:	asomers@

security/vuxml: Adjust affected versions for openh264 (CVE-2025-27091)

Adjust range to since port uses PORTEPOCH

Fixes:		13dd451

security/vuxml: document libwasmtime vulnerability

security/vuxml: document unbound cache poisoning via the ECS-enabled rebirthday
attack

PR:		288276
Reported by:	Jaap Akkerhuis <jaap@NLnetLabs.nl>

security/vuxml: Fix ranges for Tomcat vulnerabilities

Approved by:	otis (mentor), jbeich, vvd (maintainer)
Differential Revision:	https://reviews.freebsd.org/D51323

security/vuxml: libxml2 fixed version is 2.14.5.

Security:	abbc8912-5efa-11f0-ae84-99047d0a6bcc

security/vuxml: Document liboqs vulnerability

security/vuxml: Document GnuTLS SA 2025-07-08

security/vuxml: extend libxml2/libxslt vuln to linux-* ports

textproc/libxml2, textproc/libxslt: vulnerable

Note that libxslt is vulnerable, unfixed, and without maintainer.
Two of four vulnerabilities have been fixed.

Note that libxml2 in our ports is vulnerable and there is no upstream
release fixing these bugs, they need cherry-picks.

Deprecate textproc/xmlto and textproc/minixmlto,
which both depend on the unmaintained and vulnerable libxslt.
I have filed https://pagure.io/xmlto/issue/15 to ask the xmlto
upstream to switch to different XML/XSLT libraries.

Two issues are undisclosed and do not seem to have a CVE assigned yet.

security/vuxml: Document mod_http2 vulnerabilities

security/vuxml: Document Apache httpd vulnerabilities

security/vuxml: document tomcat vulnerabilities

security/vuxml: document gitlab vulnerabilities

security/vuxml: Add multiple git vulnerabilities

* CVE-2025-27613
* CVE-2025-27614
* CVE-2025-46835
* CVE-2025-48384
* CVE-2025-48385
* CVE-2025-48386

Sponsored by:	Rubicon Communications, LLC ("Netgate")

security/vuxml: Fix mongodb entry

Remove mongodb80 entry since it is not affected.

Reported by:	ronald-lists@klop.ws
Fixes:		fbefcec73997

security/vuxml: Add mongodb* vulnerabilities

 * CVE-2025-6711
 * CVE-2025-6712
 * CVE-2025-6713
 * CVE-2025-6714
 * CVE-2025-7259

security/vuxml: Add ModSecurity vulnerability

 * CVE-2025-52891

security/vuxml: Document multiple vlunerabilities in redis and valky

security/vuxml: add FreeBSD SA issued on 2025-07-02

FreeBSD-SA-25:06.xz affects FreeBSD 13.5 and FreeBSD 14.2

security/vuxml: Document multimedia/gstreamer1-plugins-bad < 1.26.3

security/vuxml: Add Mozilla vulnerabilities

 * CVE-2025-6425
 * CVE-2025-6427
 * CVE-2025-6429
 * CVE-2025-6430
 * CVE-2025-6432
 * CVE-2025-6433
 * CVE-2025-6434
 * CVE-2025-6435
 * CVE-2025-6436

security/vuxml: Add CVE for php8*

security/vuxml: Add Mozilla vulnerability

security/vuxml: add www/*chromium < 138.0.7204.96

Obtained
from:	https://chromereleases.googleblog.com/2025/06/stable-channel-update-for-desktop_30.html
Obtained
from:	https://chromereleases.googleblog.com/2025/06/stable-channel-update-for-desktop_24.html

security/vuxml: sudo<1.9.17p1 privilege escalation

PR:		287938
Security:	24f4b495-56a1-11f0-9621-93abbef07693
Security:	CVE-2025-32462
Security:	CVE-2025-32463

security/vuxml: Add entries for xorg/xwayland latest vulnerabilities

security/vuxml: document sysutils/podman vulnerability

security/vuxml: Add mongodb vulnerabilities

 * CVE-2025-6706
 * CVE-2025-6707
 * CVE-2025-6709
 * CVE-2025-6710

security/vuxml: Add kanboard vulnerability

 * CVE-2025-52560
 * CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

security/vuxml: document gitlab vulnerabilities

security/vuxml: fix spelling mistakes

Fixes: 986be61969

Pull Request:	https://github.com/freebsd/freebsd-ports/pull/396

security/vuxml: Add openh264 vulnerability

Document CVE-2025-27091

security/vuxml: adjust affected textproc/libxml2 versions

Account for all branches' minor versions with fixes and local
backports to 2.11.

PR: 287391

security/vuxml: Add clamav vulnerabilities

 * CVE-2025-20234
 * CVE-2025-20260

PR:		287672
Reported by:	Christos Chatzaras <chris@cretaforce.gr>

x11/yelp: update to 42.3

Update to 42.3 and fix CVE-2025-3155 vulnerability

PR:		287543
MFH:		2025Q2
Security:	0e200a73-289a-489e-b405-40b997911036

textproc/yelp-xsl: Upgrade to 42.4

Upgrade yelp-xsl to 42.4 and fix CVE-2025-3155 vulnerability.

PR:		287542
MFH:		2025Q2
Security:	9449f018-84a3-490d-959f-38c05fbc77a7

security/vuxml: add www/*chromium < 137.0.7151.119

Obtained
from:	https://chromereleases.googleblog.com/2025/06/stable-channel-update-for-desktop_17.html

security/vuxml: Add multimedia/navidrome CVE-2025-48949

security/vuxml: Add grafana vulnerability

While here, correct versions for a previous grafana entry.

PR:		287634
Reported by:	Boris Korzun <drtr0jan@yandex.ru>

security/vuxml: Add firefox vulnerabilities

 * CVE-2025-49709
 * CVE-2025-49710

security/vuxml: add www/*chromium < 137.0.7151.103

Obtained
from:	https://chromereleases.googleblog.com/2025/06/stable-channel-update-for-desktop_10.html
Obtained
from:	https://chromereleases.googleblog.com/2025/06/stable-channel-update-for-desktop.html

security/vuxml: Fix file validation

Reformat a couple of entries

security/vuxml: Add Mozilla vulnerabilities

 * CVE-2025-2817

security/vuxml: Document CVE-2024-12828 (CGI Command Injection RCE in webmin)

security/vuxml: Fix make validate

After a clean.

PR:		287479
Reported by:	dvl@ lwhsu@
Fixes:		3c9a11c9111b

security/vuxml: Fix syntax of entry 2a220a73-4759-11f0-a44a-6cc21735f730

Fixes:	47f0fcd2cc49 security/vulxml: Add entry for PostgreSQL JDBC Driver
Sponsored by:	The FreeBSD Foundation

security/vuxml: document gitlab vulnerabilities

security/vulxml: Add entry for PostgreSQL JDBC Driver

security/vuxml: Add mod_security vulnerabilities

 * CVE-2025-47947
 * CVE-2025-48866

security/vuxml: Correct roundcube entry

Flavored ports should include all package names in the VuXML entry.

PR:		287306
Reported by:	Tomáš Čiernik <tomas@ciernik.sk>

security/vuxml: Add Mozilla vulnerabilities

 * CVE-2025-5267
 * CVE-2025-5266
 * CVE-2025-5264
 * CVE-2025-5263

security/vuxml: add electron{34,36} out of bounds read and write in V8

security/vuxml: Add Chromium vulnerability

 * CVE-2025-5419

security/vuxml: document electron35 out of bounds read and write in V8

Obtained from:	https://github.com/electron/electron/releases/tag/v35.5.1

security/vuxml: add entry for roundcube.

PR:		287208
Submitted by:	Christos Chatzaras <chris@cretaforce.gr>

security/vuxml: Fix make vuln-flat.xml

According to the documentation, we should be able to type:

make vuln-flat.xml

(https://docs.freebsd.org/en/books/porters-handbook/book/#security-notify-vuxml-testing)

But after 87748de634d7b the target name includes the PKGDIR which is not right.

Fixes:	87748de634d7b

security/vuxml: Add Gimp vulnerabilities

 * CVE-2025-2760
 * CVE-2025-2761

security/vuxml: Add entry for ftp/curl

 * CVE-2025-4947
 * CVE-2025-5025

PR:		287219
Reported by:	chris@cretaforce.gr

security/vuxml: Fix libxml2 CVE-2025-32414 entry

xmlsoft is the vendor name, replace it with libxml2
For some reason it go picked up while adding the this entry

Reported by:	fernape

security/vuxml: Document libxml2 vulnerabilities

Document CVE-2024-56171, CVE-2025-24928 and CVE-2025-32414

security/vuxml: Fix librewolf entries

librewolf does not have PORTEPOCH.

PR:		286455
Reported by:	ax61@disroot.org

security/vuxml: add www/*chromium < 137.0.7151.55

Obtained
from:	https://chromereleases.googleblog.com/2025/05/stable-channel-update-for-desktop_27.html

security/vuxml: Add chromium vulnerability

 * CVE-2025-5063

security/vuxml: Add Mozilla vulnerabilities

 * CVE-2025-5268
 * CVE-2025-5269
 * CVE-2025-5270
 * CVE-2025-5271
 * CVE-2025-5272

security/vuxml: Add mod_security DoS vulnerability

 * CVE-2025-47947

PR:	278180

security/vuxml: Fix entry 34744aab-3bf7-11f0-b81c-001b217e4ee5

Block-level elements such as <ul> are not allowed as children of <p>.

Fixes:		26d54384e9ef (security/vuxml: document kea vulnerabilities)
Sponsored by:	The FreeBSD Foundation

security/vuxml: Document vulnerability in net/traefik