Add an additional validation script to the vuxml port.
At this point it is not tied to the validate: target because validation fails.

Reviewed by:	simon, delphij
With Hat:	ports-secteam

Fix typo soccat -> socat

Add vulnerability on OTRS

Fix date for flashpluginwrapper.

Add entry for SA-13:06.mmap.

Security update for apache-xml-security-c.
Dependant ports, especially shibboleth2-sp, opensaml2, xmltooling
and log4shib should all be updated.

Security: CVE-2013-2156

Document Tor bug 9072

- Fix typo in dbus entry

Reported by:	Christoph Mallon <christoph.mallon@gmx.de>

Update to 1.6.12.

I'm not completly sure this affects us, but beter safe then sorry.
While here wordsmith Options description to try to make it clearer.

Security:	CVE-2013-2168

Update to 11.2r202.291

PR:		ports/179502
Submitted by:	Tsurutani Naoki <turutani@scphys.kyoto-u.ac.jp>

- Document vulnerabilities in www/owncloud

Security:	d7a43ee6-d2d5-11e2-9894-002590082ac6
Obtained from:	http://owncloud.org/about/security/advisories/

Update to 5.3.26

Security:	59e7163c-cf84-11e2-907b-0025905a4770

Match only the most recent Bind9* version in the latest vulnerability,
older versions are not affected.

Fix typo in previous revision.

Add entry for the latest Bind vulnerabilities in CVE-2013-3919.

Security upgrade to 4.0.3

Advisory: http://www.phpmyadmin.net/home_page/security/PMASA-2013-6.php

ChangeLog:
http://sourceforge.net/projects/phpmyadmin/files/phpMyAdmin/4.0.3/phpMyAdmin-4.0.3-notes.html/view

Security:	6b97436c-ce1e-11e2-9cb2-6805ca0b3d42

Update to 0.16.6.

Obtained from:	GNOME dev repo
Security:	CVE-2013-1431

Document vulnerabilities in www/chromium < 27.0.1453.110

Obtained from:	http://googlechromereleases.blogspot.nl/

- Fix build
- Ensure validation

Fix security issues in xorg client libraries.
Most libraries were updated to newer versions, in some cases patches
were backported instead.

Most notably, x11/libX11 was updated to 1.6.0

Security:	CVE-2013-1981
		CVE-2013-1982
		CVE-2013-1983
		CVE-2013-1984
		CVE-2013-1985
		CVE-2013-1986
		CVE-2013-1987
		CVE-2013-1988
		CVE-2013-1989

Update krb5 1.11.2 --> 1.11.3.

This is a bugfix release.

* Fix a UDP ping-pong vulnerability in the kpasswd (password changing)
  service.  [CVE-2002-2443]

* Improve interoperability with some Windows native PKINIT clients.

Security:	CVE-2002-2443

Update to 1.6.2

* Fix buffer overflows in fileserver and ptserver.
* Fix rare file corruption during background sync (Gerrit 8796).
* Fix corrupting clients' metadata cache during certain errors (Gerrit 6957).
* Fix cache corruption when reading from a file another client is simultaneously
writing to (Gerrit 7994).
* Fix fileservers to properly report >2 TiB partitions.

and some other less serious changes.

PR:		ports/179259
Submitted by:	Adam Nowacki <nowak@tepeserwery.pl>
Submitted by:	bjk (maintainer)
Security:	CVE-2013-1794

- Update to 2.7.4.

More info:
https://github.com/SpiderLabs/ModSecurity/blob/master/CHANGES

PR:		ports/179167
Submitted by:	ohauer@
Security:	9dfb63b8-8f36-11e2-b34d-000c2957946c

Remove duplicate optipng vulnerability.

It was separately committed in r315254, so remove the version I added
in r318453.

Reported by:	Alexander Milanov <a@amilanov.com>

Add two more URLs to openvpn's vulnerability from March 2013 (CVE-2013-2061)

Security: 92f30415-9935-11e2-ad4c-080027ef73ec

- Backport fix for CVE-2013-2061 to openvpn22 and openvpn20;
  while it is unclear whether it affects OpenSSL-builds at all.
  Let's play it safe.
- Reference CVE-2013-2061 name in OpenVPN's VuXML entry
- Mark 2.0.9_4 <= openvpn < 2.1.0 and 2.2.2_2 < openvpn < 2.3.0 not vulnerable
- Mark openvpn22 deprecated and to expire 2013-09-01.
  (openvpn20 is already marked to expire 2013-07-11.)

Security:	CVE-2013-2061
Security:	92f30415-9935-11e2-ad4c-080027ef73ec

Document passenger vulnerability.

  Update subversion ports to 1.7.10 and 1.6.23.
  It fixes 3 security issues:

    CVE-2013-1968: fsfs repository corruption caused by newline characters in
filenames
    CVE-2013-2088: contrib hook-scripts can allow arbitrary code execution
    CVE-2013-2112: svnserve remotely triggerable DoS.

Security:	CVE-2013-1968
Security:	CVE-2013-2088
Security:	CVE-2013-2112

Actually remove bitchx-devel and add a VuXML entry.

Security:	CVE-2007-4584
Security:	CVE-2007-5839
Security:	CVE-2007-5922

- Document znc null pointer dereference vulnerability.

Adjust range for socat entry.

Document socat FD leak vulnerability.

Security:	CVE-2013-3571

- Add entry for ruby 1.9.3p429

Document couchdb XSS vulnerability.

PR:		ports/178985
Submitted by:	wollman

Update to 2.17.1 as the 2.18 release was postponed / cancelled

Fix entry date, wrongly entered in revision 318453

fix typo in recent otrs vulnerability

Add vulnerabilities

Security:	CVE-2013-2637
		CVE-2013-3551

Security Updates

   - www/rt40 to 4.0.13
   - www/rt38 to 3.8.17 [1]

This is a security fix addressing a number of CVEs:

    CVE-2012-4733
    CVE-2013-3368
    CVE-2013-3369
    CVE-2013-3370
    CVE-2013-3371
    CVE-2013-3372
    CVE-2013-3373
    CVE-2013-3374

Users will need to update their database schemas as described in
pkg-message

Approved by:	flo [1]
Security:	3a429192-c36a-11e2-97a9-6805ca0b3d42

Fix vuxml by using the correct format for CVE names.

Prodded by:	bz on IRC

List vulnerabilities fixed in www/chromium 27.0.1453.93 (which is the
current version in the Ports Collection).

Patch multiple vulnerabilities in x11-toolkits/plib.

PR:		ports/178710
Submitted by:	Denny Lin <dennylin93@hs.ntnu.edu.tw>

- Update to 0.7.4
- Add VuXML entry
- Trim Makefile header
- Add LICENSE

PR:		ports/177206
Submitted by:	Alexander Milanov <a@amilanov.com>
Approved by:	Thomas Hurst <tom@hur.st> (maintainer)
Security:	a8818f7f-9182-11e2-9bdf-d48564727302

Update the recent nginx entry to cover the exact version range and include
information for CVE-2013-2070.

Update to the latest version of Adobe Flash

- update firefox to 21.0
- update firefox-esr and thunderbird to 17.0.6
- WEBRTC now supports PULSEAUDIO
- make linux-firefox work with plugins again (e.g. quakelive)

Security:		4a1ca8a4-bd82-11e2-b7a0-d43d7e0c7c02
In collaboration with:	Jan Beich <jbeich@tormail.org>

Update ranges according latest available information.

Source:	http://mailman.nginx.org/pipermail/nginx-announce/2013/000114.html

- Update emacs entry to correct the version ranges for CVE-2012-3479

Update nginx entry to reflect the right version ranges for CVE-2013-2028.

Note that we don't really have nginx 1.3.9 in the ports collection, due
to the recent ports freeze.  The version 1.3.9 is used here just to
better match the original advisory.

Fix typo.

Found by:	ru

Document nginx -- a stack-base buffer overflow.

- fix strongSwan discovery date /2013-05-03/2013-04-30/

- update to version 5.0.4 which fixes CVE-2013-2944.
- add entry to vuxml
- add CVE references to jankins vuxml entry

while I'm here remove .sh from rc script

PR:		ports/178266
Submitted by:	David Shane Holden <dpejesh@yahoo.com>
Approved by:	strongswan@nanoteq.com (maintainer)

Document Jenkins Security Advisory 2013-05-02

- Add the vendor patch for SQUID-2012:1 (CVE-2012-5643) and update VuXML
  information accordingly
- Bump PORTREVISION

PR:		ports/177773
Submitted by:	Kan Sasaki
Approved by:	flo (mentor)
Security:	c37de843-488e-11e2-a5c9-0019996bc1f7

Add entry for SA-13:05.nfsserver

- Document multiple XSS and DDoS vulnerabilities for Joomla!
(2.5.0 <= version < 2.5.10)

Security updae to 3.5.8.1

Four new serious security alerts were issued today by the phpMyAdmin
them: PMASA-2013-2 and PMASA-2013-3 are documented in this commit to
vuln.xml.

 - Remote code execution via preg_replace().

 - Locally Saved SQL Dump File Multiple File Extension Remote Code
   Execution.

The other two: PMASA-2013-4 and PMASA-2013-5 only affect PMA 4.0.0
pre-releases earlier than 4.0.0-rc3, which are not available through
the ports.

- Security update to 1.0.21
Security: CVE-2013-1428

- Security fix
Security: CVE-2011-4517 execute arbitrary code on decodes images
Submitted by:   naddy (Christian Weisgerber)
Obtained from:  Fedora
Feature safe: yes

Document PMASA-2013-1

It turns out that release 3.5.8 (recently updated in ports) was the
cure to an XSS vulnerability.

Feature safe:  yes

Document roundcube arbitrary file disclosure vulnerability.

Reported by:	Marcelo Gondim <gondim bsdinfo com br>
Feature safe:	yes

- add jasper
Feature safe: yes

- Update to 2.7.3 due a vulnerability that affect all versions 2.x. [1]
- Update MASTER_SITES.
- Convert to optionsNG.
- Trim header.

More info:
https://github.com/SpiderLabs/ModSecurity/blob/master/CHANGES

Reported by:    olli hauer <ohauer@gmx.de> [1]
Approved by:    portmgr (bdrewery)
Security:       2070c79a-8e1e-11e2-b34d-000c2957946c

- Update to 0.85
- Convert to new options framework

sieve-connect was not actually verifying TLS certificate identities matched
the expected hostname. Changes with new version:

Fix TLS verification; find server by own hostname & SRV.

* TLS hostname verification was not actually happening.

* IO::Socket::SSL requirement bumped to 1.14 (was 0.97).

* By default, if no server specified, before falling back to localhost try to
use the current hostname and SRV records in DNS to figure out if Sieve is
available. Checks for sieve, imaps & imap protocol SRV records and honours

Replace duplicate vids with a newly generated GUID.
Older duplicates kept their own number.

Approved by:	portmgr (implicit)
With Hat:	ports-secteam

Oops, fix the cite URL.

Approved by:	portmgr (tabthorpe)

Edit OpenVPN 2.3.1 entry:

 - Replace links to changelog and commit with a link to the official
   announcement (which also links to the commit)

 - Replace the description with a sentence lifted from the
   announcement.

Approved by:	portmgr (tabthorpe)

Update flash to 11.2r202.280

Security:	15236023-a21b-11e2-a460-208984377b34
Reviewed by:	delphij
Approved by:	portmgr (bdrewery)

- Add url reference to 1431f2d6-a06e-11e2-b9e0-001636d274f3

Approved by:	portmgr (implicit)
Requested by:	jgh

- Update to 3.2.13 to fix security vulnerabilities
- Update rubygem-mail to 2.5.3 as rubygem-actionmailer-3.2.13 requires it

PR:		ports/177709
Submitted by:	Geoffroy Desvernay <dgeo@centrale-marseille.fr>
With hat:	ruby
Approved by:	portmgr (implicit)
Reviewed by:	miwi
Security:	db0c4b00-a24c-11e2-9601-000d601460a4

- Document CVE-2013-0131 for nvidia-driver

Submitted by:	danfe
Approved by:	portmgr (implicit)

Typo fix for the typo fix. Validated with make validate this time.

Reported by:	bz
Approved by:	portmgr (implicit)

Fix a typo in the recent mozilla entry

Reported by:	pluknet
Approved by:	portmgr (tabthorpe)

- Security udpate to 12.15
Security: http://www.opera.com/docs/changelogs/unified/1215/
Security: http://www.opera.com/security/advisory/1046
Security: http://www.opera.com/security/advisory/1047
PR:		177654
Approved by:	portmgr

- fix subversion range

Approved by:	portmgr (implizit)

- Subversion 1.7.9 security update [1]
- Subversion 1.6.21 security update [2]

This release addesses the following issues security issues:
[1][2]  CVE-2013-1845: mod_dav_svn excessive memory usage from property changes
[1][2]  CVE-2013-1846: mod_dav_svn crashes on LOCK requests against activity
URLs
[1][2]  CVE-2013-1847: mod_dav_svn crashes on LOCK requests against non-existant
URLs
[1][2]  CVE-2013-1849: mod_dav_svn crashes on PROPFIND requests against activity
URLs
[1]     CVE-2013-1884: mod_dav_svn crashes on out of range limit in log REPORT
request

More information on these vulnerabilities, including the relevent advisories
and potential attack vectors and workarounds, can be found on the Subversion
security website:
    http://subversion.apache.org/security/

PR:		177646
Submitted by:	ohauer
Approved by:	portmgr (tabthorpe, erwin), lev
Security:	b6beb137-9dc0-11e2-882f-20cf30e32f6d

Vulnerability in OTRS

Approved by:	portmgr
Security:	eae8e3cf-9dfe-11e2-ac7f-001fd056c417

The PostgreSQL Global Development Group has released a security
update to all current versions of the PostgreSQL database system,
including versions 9.2.4, 9.1.9, 9.0.13, and 8.4.17. This update
fixes a high-exposure security vulnerability in versions 9.0 and
later. All users of the affected versions are strongly urged to apply
the update *immediately*.

A major security issue (for versions 9.x only) fixed in this release,
[CVE-2013-1899](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1899),
makes it possible for a connection request containing a database name
that begins with "-" to be crafted that can damage or destroy files
within a server's data directory. Anyone with access to the port the
PostgreSQL server listens on can initiate this request. This issue was
discovered by Mitsumasa Kondo and Kyotaro Horiguchi of NTT Open Source
Software Center.

- update thunderbird, firefox-esr, linux-thunderbird and linux-firefox to
  17.0.5
- update firefox to 20.0
- update seamonkey and linux-seamonkey to 2.17
- update nspr to 4.9.6
- remove mail/thunderbird-esr, Mozilla stopped providing 2 versions of
  thunderbird
- prune support for old FreeBSD versions; users of 8.2, 7.4 or earlier
  are advised to upgrade - http://www.freebsd.org/security/
- add vuln.xml entry

Security:	94976433-9c74-11e2-a9fc-d43d7e0c7c02
Approved by:	portmgr (miwi)
In collaboration with:	Jan Beich <jbeich@tormail.org>

Document two latest FreeBSD security advisories.

Approved by:	portmgr (bdrewery)

- update japanes/bugzilla templates
- update vuxml to reflect bugzilla templates
- fix typo in vuxml

Approved by:	portmgr (miwi)
Sponsored by:

security upgrade to OpenVPN 2.3.1; upstream release notes are

  "This release adds supports for PolarSSL 1.2. It also adds a fix to
  prevent potential side-channel attacks by switching to a constant-time
  memcmp when comparing HMACs in the openvpn_decrypt function. In
  addition, it contains several bugfixes and documentation updates, as
  well as some minor enhancements."

Full ChangeLog:
<https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23>

The port upgrade also offers an option to use the GPLv2+-licensed
PolarSSL instead of OpenSSL (which brings in a license mix).

PR:		ports/177517
Reviewed by:	miwi
Approved by:	portmgr (miwi)
Security:	92f30415-9935-11e2-ad4c-080027ef73ec

Update to 2.8.0. [1]
Add patch to fix CVE-2013-0338 and CVE-2013-0339. [2]
Convert to OptionsNG, rename patches to standard form. [1]

Notified by:	swills@ [2]
Obtained from:	gnome team repo [1]
Security:	843a4641-9816-11e2-9c51-080027019be0

Update asterisk ports to:

net/asterisk 1.8.20.2
net/asterisk10 10.12.2
net/asterisk11 11.2.2

Security:	daf0a339-9850-11e2-879e-d43d7e0c7c02

Explicitly use -E for sed(1).

Submitted by:	des
Reviewed by:	eadler

Add entry for latest Bind advisory CVE-2013-2266

In validate target, use unexpand and sed to make sure that we are using
consistent space style.

Reviewed by:	stas, simon

Document vulnerabilities in www/chromium < 26.0.1410.43

Obtained from:	http://googlechromereleases.blogspot.nl/search/Stable%20Updates

Remove trailing space, no content change.

unexpand vuln.xml.

firebird vulnerability entry (CVE-2013-2492)

Security:	6adca5e9-95d2-11e2-8549-68b599b52a02

- Document vulnerability in graphics/optipng (CVE-2012-4432)

PR:		ports/177206
Submitted by:	Alexander Milanov <a@amilanov.com>
Security:	8818f7f-9182-11e2-9bdf-d48564727302

Update to 5.3.23

Security:	1d23109a-9005-11e2-9602-d43d7e0c7c02

- Document recent vulnerabilities in www/piwigo: CVE-2013-1468, CVE-2013-1469
Reported by:	Ruslan Makhmatkhanov <cvs-src@yandex.ru>
Security:	edd201a5-8fc3-11e2-b131-000c299b62e1

Fix typo in the libpurple entry.

Submitted by:	Derek Schrock <dereks@lifeofadishwasher.com>

- Perl vulnerability (CVE-2013-1667) also applies to perl-threaded

Reported by:	Alexandre Krasnov <freebsd@tern.ru>
Security:	68c1f75b-8824-11e2-9996-c4850808617

- graphics/libexif:
  * Update to 0.6.21
  * Add LICENSE
  * Switch to OptionsNG and PORTDOCS
- Document libexif 2012-07-12 vulnerabilty
- Bump PORTREVISION for libexif related ports
- Trim headers while here

PR:		ports/175910
Approved by:	swills (mentor)
Security:	d881d254-70c6-11e2-862d-080027a5ec9a

Update flash the latest (hopefully) secure version.

PR:		ports/176904
Submitted by:	Tsurutani Naoki <turutani@scphys.kyoto-u.ac.jp>
Security:	http://www.vuxml.org/freebsd/5ff40cb4-8b92-11e2-bdb6-001060e06fd4.html

- Update puppet to 3.1.1 resolving multiple security issues
- Update puppet27 to 2.7.21 resolving multiple security issues
- Document multiple puppet security issues

Security:	cda566a0-2df0-4eb0-b70e-ed7a6fb0ab3c