- Add entry for wordpress - SQL injection vulnerability

PR:             153526
Submitted by:   Mark Foster <mark@foster.cc>
Feature safe:   yes

- Cleanup previous commit

Feature safe:   yes

Add vlc - Insufficient input validation in MKV demuxer vulnability.
Feature safe:   yes

- Cleanup previous Entry

Feature safe:   yes

- Document maradns -- denial of service when resolving a long DNS hostname

Submitted by:   n j <nino80 at gmail dot com>
Feature safe:   yes

Adjust range for ISC DHCPv6 server crash.

Feature safe:   yes

Document ISC DHCPv6 server crash.

Feature safe:   yes

Document "bugzilla" - multiple seriuos vulnerabilities.

Feature safe:   yes

Add dokuwiki multiple ACL escalation vulnerabilities.

Feature safe:   yes

Try to unbreak vuxml portaudit build by removing use of HTML entity.
UTF-8 chars should be used.

This is not a fix, just a hack to get it working for now.

Feature safe:   yes (really)

Describe www/chromium vulnerabilities between 8.0.552.215 and 8.0.552.237

Obtained from:  http://googlechromereleases.blogspot.com/
Feature safe:   yes

asterisk-1.8.2.1 is still vulnerable due to a botched merge upstream.

Feature safe:   yes

- fix asterisk16 version string

Approved by:    fjoe (mentor)
Feature safe:   yes

- Document Exploitable Stack Buffer Overflow in asterisk

Approved by:    fjoe (mentor)
Feature safe:   yes

Document tarsnap cryptographic nonce reuse vulnerability.

Discussed with: cperciva@
Feature safe:   yes

Add entry for moinmoin XSS vulnerabilities.

PR:             ports/153898
Submitted by:   Ruslan Mahmatkhanov <cvs-src yandex ru>
Feature safe:   yes

Document tor remote code execution and crash vulnerability.

Submitted by:   Janne Snabb <snabb epipe com>
Feature safe:   yes

security/sudo: document privilege escalation, CVE-2011-0010

PR: 153939
Approved by: delphij (secteam), erwin (mentor)
Feature safe: yes

devel/subversion: document security fixes in 1.6.15

Two DoS conditions:
 - CVE-2010-4539, DoS via walking of SVNParentPath
   collections;
 - CVE-2010-4644, DoS via memory leaks triggered
   by the option "-g" of the blame command.

Approved by: delphij (secteam), erwin (mentor)
Feature safe: yes

Split recent PHP entry into multiple ones

Many reasons:
 - some vulnerabilities were present only in the specific
   PHP modules and not in the core PHP;
 - it is better to group vulnerabilities by-topic (DoS, code
   execution, etc);
 - PHAR vulnerability is present only in 5.3.x;
 - extract() vulnerability was fixed both in 5.2 and 5.3:
   http://www.mail-archive.com/php-cvs@lists.php.net/msg47722.html
 - NULL-byte poisoning was fixed only in 5.3, 5.2.x is still
   vulnerable to this design error;
 - DFS-related fixes are not relevant for FreeBSD, since DFS
   is Windows file system that is unsupported by us.

PR: 153433
Approved by: remko (secteam), erwin (mentor)
Feature safe: yes

Add entry for CVE-2010-4645 (php).

PR:             ports/153766
Submitted by:   Tom Judge <tom@tomjudge.com>

Document CVE-2010-4345: local exim -> root escalation

PR: 152983
Feature safe: yes
Reviewed by: remko (secteam)
Approved by: erwin (mentor), remko (secteam)

- Cleanup

- Document the Clickjacking vulnerabilities of mediawiki

Bump copyright year.

Document webkit-gtk2 multiple vulnerabilities < 1.2.6.

Document some CVE's that didn't make it to release notes from older releases.

Document django multiple vulnerabilities.

Add Drupal views plugin - Cross Site Scripting (XSS).

While here, improve previously added vuln entry by
following style a bit better.

PR:             153474
Submitted by:   rea

- Document redmine -- multiple vulnerabilities

Add Tor remote crash and the possibility of remote code execution.

Submitted by:   Janne Snabb <snabb at epipe dot com>

Update to properly cover php52.

Noticed by:     Chris St Denis <chris smartt com>

- Document JavaScript injection exploits in Yahoo UI (YUI) library

Document PHP multiple vulnerabilities

- Document mozilla -- multiple vulnerabilities

- Document recent MIT krb5 checksum handling vulnerabilities.

Document the known vulnerabilities for www/chromium.

The [numbers] in the entry represent bug numbers which are clickable at
the referenced site, but most of them give a 403.

Document ProFTPD compromised source packages backdoor security issue.

- Document phpMyAdmin XSS attack in database search

Document net/isc-dhcp41-server DHCPv6 DoS. The update to the port is coming
shortly.

Add entry for CVE-2010-4168: denial of service (server/client) via invalid
read in OpenTTD.

PR:             ports/152529
Submitted by:   kwm

- Kill EOL whitespace and reformat to fit in standard terminal width better
- Clean up the way <p>...</p> tags are used throughout the file for consistency

Add an entry for www/horde-base VCARD attachments XSS vulnerability.

Security:       VuXML: a3314314-f731-11df-a757-0011098ad87f

Fix discovery date in last entry.

Pointy hat to:  remko

Add proftpd remote root vulnerability.

Based on:       Vladimir Nikolic <vladimir dot nikolic at amis dot net>
Feature proof:  yes
With hat:       secteam

- add security/openssl CVE-2010-3864

- Update to 10.1r102 resp. 9.0r289.
- Drop MD5 hashes from distinfos

Security:      
http://www.freebsd.org/ports/portaudit/76b597e4-e9c6-11df-9e10-001b2134ef46.html
Reported by:    Matthias Apitz on -emulation

Add wireshark CVE-2010-3445.

PR:             ports/151891
Submitted by:   Eygene Ryabinkin

- Limit affected version of dovecot to 1.2.* before 1.2.8
  (vid: 30211c45-e52a-11de-b5cd-00e0815b8da8)

Reported by:    Adam McDougall <mcdouga9@egr.msu.edu>
Reference:     
http://www.dovecot.org/list/dovecot-news/2009-November/000143.html

Document mailman XSS.

PR:             ports/151918
Submitted by:   Eygene Ryabinkin <rea-fbsd@codelabs.ru>

Document "otrs" - multiple XSS and denial of service vulnerabilities.

- Document mozilla -- Heap buffer overflow mixing document.write and DOM
  insertion

- www/opera
PR:             151471
Submitted by:   Arjan van Leeuwen

- Add bzip2 integer overflow vulnerability

Approved by:    pgollucci (mentor, implicit)

Add the missing FreeBSD SA entries. We used to add these but stopped a while
back. This should catch us up.

According to cperciva@ the reason we stopped was that it was causing a lot of
false positives. I ran portaudit with these changes and did not see any false
positives but if it turns out to be too noisy I will remove them.

Submitted by:   Christopher J. Umina (private mail)
Approved by:    cperciva@

Add monotone denial of service.

Security:       http://www.monotone.ca/NEWS

- Add devel/apr0 to list of packages that is affect.

- Document mozilla -- multiple vulnerabilities

Add multiple vulnabilities in webkit-gtk2.

- set modified date

- these 2 urls are covered by the <cvename/> tags

Suggested by:   stas

- Fix a minor typo

Reported by:    stas

Document devel/apr1's apr-util vunerabilities

Security:       http://secunia.com/advisories/41701
Reviewed by:    secteam (cperciva) via irc

Documented phpMyFaq XSS vulnerability

PR:             ports/151055
Submitted by:   Florian Smeets <flo@smeets.im>
Approved by:    itetcu (mentor, implicit)
Security:       http://www.phpmyfaq.de/advisory_2010-09-28.php

Report an XSS vulnerability in ftp/horde-gollem.

Report a XSS vulnerability in mail/horde-dimp.

Report a XSS vulnerability in mail/horde-imp.

Report 2 vulnerabilities in www/horde-base.

Documented remote code execution vulnerability in OpenX

PR:             ports/150610
Approved by:    itetcu (mentor, implicit)
Security:       ttp://blog.openx.org/09/security-update/

Documented squid denial of service vulnerability

PR:             ports/150364
Submitted by:   Thomas-Martin Seck <tmseck@web.de>
Approved by:    itetcu (mentor, implicit)
Security:       CVE-2010-3072
Security:       http://www.squid-cache.org/Advisories/SQUID-2010_3.txt

Update to 10.1r85 resp. 9.0r283 [1].

Security:      
http://www.freebsd.org/ports/portaudit/8a34d9e6-c662-11df-b2e1-001b2134ef46.html
PR:             ports/150832 [2]
Submitted by:   pointyhat via pav [1], Tsurutani Naoki
                <turutani@scphys.kyoto-u.ac.jp> [2]

Correct discovery date, my bad :(

Document django XSS vulnerability.

- Add libxul as affected package to the latest mozilla entry

Approved by:    beat (co-mentor)

- Fix CVE name for webkit-gtk2

Document webkit-gtk2 - multiple vulnerabilities.

Also add 1 extra CVE to the previous webkit-gtk2 entry that was fixed but
didn't make it to the release notes.

Belatedly (and perhaps pointlessly) document [1]:

  vim6 -- heap-based overflow while parsing shell metacharacters

While here, prepare this old port for termination with DEPRECATED.

PR:             ports/129300 [1]
Submitted by:   Eygene Ryabinkin <rea-fbsd@codelabs.ru> [1]

- Document mozilla -- multiple vulnerabilities

Document sudo Runas group vulnerability.

- wget 1.12_1 is also concerned

- Add wget entry CVE-2010-2252
- Add lftp entry CVE-2010-2251

 - Document p5-libwww vulnerability (remote servers can create .(dot) files)

Documented quagga vulnerabilities (stack overflow, DoS)

Approved by:    itetcu (mentor,implicit)
Security:       http://www.openwall.com/lists/oss-security/2010/08/24/3
Security:       http://www.quagga.net/news2.php?y=2010&m=8&d=19#id1282241100

Document "bugzilla" - information disclosure, denial of service.

- Fix version range of phpMyAdmin

Submitted by:   Marko Njezic <mr.max AT maxempire.com>

Adjust the version range in previous entry: 1.0.1 is also vulnerable, and
fix minor whitespace nit while here.

Add entry for OpenTTD denial of server vulnability.

Reviewed by:    danfe@ (OpenTTD maintainer)

- Added corkscrew: overflow condition due to insecure sscanf usage
- Fixed SLiM title: /SLiM/slim/

Approved by:    itetcu (mentor, implicit)
Security:       http://people.freebsd.org/~niels/issues/corkscrew-20100821.txt

- Add phpMyAdmin's CVE-2010-3056 entry

- Fix date of the latest ruby entry.

Added CVE to SLiM vulnerability

Approved by:    itetcu (mentor, implicit)
Security:       CVE-2010-2945

- Document SLiM insecure PATH assignment issue
- Removed space from vlc title

Approved by:    itetcu (implicit, mentor)
Security:       http://seclists.org/oss-sec/2010/q3/198

- Document recent WEBrick XSS vulnerability in ruby.

- Add security/isolate entry

PR:             ports/148911
Submitted by:   Steve Wills <steve _at_ mouf.net> (maintainer)
Approved by:    tabthorpe (mentor)

Fix krb5 entry (86b8b655-4d1a-11df-83fb-0015587e2cc1) version range
mark-up.

Submitted by:   Peggy Wilkins via freebsd-ports

- Fix last entry by adding the forgotten package name.
  (Hint: always run make validate before committing to this file)

Forgotten by:   jsa, kwm

Document VLC CVE-2010-2937.

Approved by:    kwm (mentor)

Update to 10.1r82 resp. 9.0r280.

Security:      
http://www.freebsd.org/ports/portaudit/e19e74a4-a712-11df-b234-001b2134ef46.html

Document opera -- multiple vulnerabilities.

- Belatedly document firefox -- Dangling pointer crash regression from plugin
  parameter array fix

Approved by:    miwi

Whitespace fixes.