Document a virus detection evasion in p5-Archive-Zip.

Document mod_include vulnerability in apache and related ports.

Document an insecure temporary file creation in postgresql-contrib.

Bump modified date in the entry for the last commit.

Update latest mpg123 entry to note that the port is fixed in the most
recent port version.

There was a gd 1.X port with portepoch 2 for a while, so let the gd
entry also match that.

Document an integer overflow in the GD Graphics Library.

Correct entry date for the putty entry.

OK'ed by:       josef

Document vulnerability in putty

Reviewed by:    simon

Add an entry for a wzdftpd remote DoS.

Updates to the bogofilter entry:

- Improve information about which versions are vulnerable. [1]
- Add a few more references.

Submitted by:   Matthias Andree <matthias.andree@gmx.de> [1]

Update linux-openmotif to 2.2.4 to fix the security.

http://vuxml.freebsd.org/ef253f8b-0727-11d9-b45d-000c41e2cdad.html

Document rssh format string vulnerability.

Approved by:    nectar

Create a VuXML entry for Horde XSS help window vulnerability to replace
the portaudit-db entry.

Document a denial-of-service issue in bogofilter.
This entry is slightly modified from one that was
Submitted by:   Matthias Andree <matthias.andree@gmx.de>

Fix integer overflow vulnerabilities.

Patch made by:  Chris Evans, Dirk Muller, Sebastian Krahmer,
                Derek Noonburg and Marcus Meissner
Submitted by:   nectar

Document xpdf 2 and xpdf 3 vulnerabilities.

Document several security issues in gaim, fixed in various versions from
0.82 through 1.0.2.  While I'm here, notice that there have been ru-,
ko-, and ja- flavors of gaim, as well as a fairly short-lived range of
version numbers based on dates (snapshots).

Note that the Red Hat based linux_base ports contain
vulnerable libXpm.so files.

Noticed by:     maho

Document SSL_Cypherbypass vulnerability in mod_ssl
and buffer overflow vulnerability in gaim.

- Document more buffer overflows in mpg123.
- Fix package name in two older mpg123 entries.

Approved by:    nectar

I suck.    (Correct a typo that would have been readily detected if
            I would have run `make validate' before committing.)

Add CVE name for cabextract issue.

Fix a copy/paste typo in last commit.

Document DoS in Apache 2 SSL handling.

Approved by:    nectar

Note that xpm has been fixed.
Also, it appears that Motif itself is affected, so add related packages.

Update entry regarding INN 2.4.x buffer overflow:
 - The email archive referenced is no longer available.  Use
   marc.theaimsgroup.com archive instead.
 - Note that only 2.4.x versions are affected (earlier ones
   are not).

Reported by:    leeym

Document remote command execution vulnerability in phpMyAdmin.

Approved by:    nectar

Document insecure directory handling in cabextract.

Approved by:    nectar

Set correct entry date for the a2ps issue.

Noticed by:     nectar
Pointy hat to:  simon

Document insecure command line argument handling in a2ps.

Approved by:    nectar

Document a vulnerability in ifmail.  (There does not exist
an appropriate public reference yet--- this entry should be
updated when the port is updated.)

Reported by:    Niels Heinen <niels.heinen@ubizen.com>

Document a vulnerability in imwheel.

Add CVE names for FreeRADIUS vulnerabilities.

Document NTLM authentication vulnerability in squid

Approved by:    nectar

Document a SQL command injection in Cacti.

The status of the PHP configuration option magic_quotes_gpc was
confirmed by:   ale

Approved by:    nectar

Document a format string vulnerability in the apache13 mod_ssl proxy
support.

Approved by:    nectar

- Change a few uses of <url> into <mlist>.

OK'ed by:       nectar

Additional comment to the Tor entry from v. 1.302, it was:

Submitted by:   rik <freebsd-security@rikrose.net> (original version)

- Document remote DoS and loss of anonymity in Tor.
- Update a Samba entry with new information about vulnerable versions.

Approved by:    nectar

lesstif has been upgraded to a version that is not affected by the
libXpm vulnerability.

Recommit my changes from 1.298 which was accidently removed in 1.299.

Pointy hat to:  josef (who also noticed the problem)

Document two seperate security vulnerabilities in
icecast1 and icecast2.

Approved by:    nectar

Change the Xerces-C++ entry to match the xerces-c2 port.

Noticed by:     nectar

Document vulnerability in freeradius.

Approved by:    nectar

- Document DoS in Xerces-C++.
- Fix typo in a mozilla entry.

Approved by:    nectar

It turns out that lesstif has libXpm sneakily embedded.  There are at
least three files with this comment at the top:

  * This file contains most of the source files of Xpm, concatenated and with
  * the public names changed (to have an _LtXpm prefix).

Document XSS in wordpress.

Approved by:    nectar

Document integer overflows in libtiff.

- Document a CUPS local information disclosure.
- Note the impact of the sharutils buffer overflows.

Approved by:    nectar

Document a vulnerability in Zinf (freeamp).

Approved by:    nectar

Document libtiff RLE decoder issues.

The sharutils buffer overflows has been fixed in sharutils 4.2.1_2.

Document a vulnerability in sharutils.

Approved by:    nectar

Document 2 DoS attacks possible against
older versions of mail-notifier.

Based on the security advisories
mentioned in the reference links.

Approved by:    nectar

ale@ reports that the only ports affected are php[45], php[45]-cgi,
and mod_php[45].

Note squid SNMP DoS.  Based on an entry that was
Submitted by:   Thomas-Martin Seck <tmseck@netcologne.de>

The documented xv vulnerabilities were fixed by dinoex@

Approved by:    portmgr

Note that the image decoding vulnerabilities in gdk-pixbuf have been
fixed.

Reported by:    marcus
Approved by:    portmgr

Document older cyrus-sasl bug affecting DIGEST-MD5.

Submitted by:   simon
Approved by:    portmgr

Update the description of and list of packages affected by the PHP file
upload processing bug.

Submitted by:   Jon Passki <cykyc@yahoo.com>
Approved by:    portmgr

Document unsafe use of environmental variable SASL_PATH in cyrus-sasl.

Approved by:    portmgr

Add some more apache ports.
Fix two errors found by nectar.

Approved by:    portmgr

Add imp3 issue, add apache13-ssl issue, correct a tag.

Approved by:    portmgr

Note that older packages of bmon were dangerously installed set-user-ID.

Approved by:    portmgr

Document GnuTLS denial-of-service (already mentioned in portaudit's
database).

Approved by:    portmgr

Record another PHP vulnerability.

Approved by:    portmgr

Record another PHP security issue.

Approved by:    portmgr

Note that xv should not be used.

Approved by:    portmgr

Note a symlink vulnerability in getmail.

Submitted by:   Shane Kinney <mod6@freebsdhackers.net>
Approved by:    portmgr

Fill in empty topic from previous commit.

Noticed by:     Shane Kinney <mod6@freebsdhackers.net>
Approved by:    portmgr

Record FreeBSD-SA-04:15.syscons.

Approved by:    portmgr

Add missing PORTEPOCH for samba.

Noticed by:     dinoex
Approved by:    portmgr

Note racoon certificate verification bug.

Submitted by:   Jon Passki <cykyc@yahoo.com>
Approved by:    portmgr

Note distcc IP address ACL bug.

Submitted by:   Jon Passi <cykyc@yahoo.com>
Approved by:    portmgr

Remove a duplicate entry.

Submitted by:   Jon Passki <cykyc@yahoo.com>
Approved by:    portmgr

Correct the version number for latest Mozilla entry.
(cut-n-paste damage)

Approved by:    portmgr

Document the last few of the relatively recent Mozilla vulnerabilities.

Approved by:    portmgr

Correct mangled CVE name: s/8983/0903/

Approved by:    portmgr

Add another two older vulnerabilities affecting Mozilla & co.
Continue to try hard to cover past package names:
  - I missed el-linux-mozillafirebird previously.
  - Move all the `obsolete' package names into one place
    for clarity.

Approved by:    portmgr

Don't forget `ja-samba' also.

Approved by:    portmgr

Note samba file disclosure vulnerability.

Approved by:    portmgr

Fix apache version number entry, bump modified date for apache as well.

Approved by:    portmgr

Make an initial attempt at covering all Mozilla/Firefox/Thunderbird
package names that we've had.  Similar changes need to be made to many
other entries, but let's use this one as a test subject first.

Approved by:    portmgr

Correct spelling of phpnuke package name.

Reported by:    Dan Langille
Approved by:    portmgr

Note BMP decoder flaws in Mozilla/Firefox/Thunderbird.

Approved by:    portmgr

Note stack buffer overflow in Mozilla mail.

Approved by:    portmgr

Document Mozilla/Firefox/Thunderbird heap buffer overflows.

Approved by:    portmgr

Correct the package name for phpMyAdmin.

Reported by:    Matthew Seaman <m.seaman@infracaninophile.co.uk>
Approved by:    portmgr

Add CERT Vulnerability Note references to xpm entry.

Approved by:    portmgr

Note two older vulnerabilities in PHP.

Submitted by:   Jon Passki <cykyc@yahoo.com>
Approved by:    portmgr

Note subversion information disclosure vulnerability.

Submitted by:   lev
Approved by:    portmgr

Add missing PORTEPOCH in a mozilla entry.
Correct package name in an apache entry.

Reported by:    Dan Langille <dan@langille.org>
Approved by:    portmgr

Forgot to add <modified> element for last commit.

Approved by:    portmgr

Add missing PORTEPOCH on one of the mozilla entries.

Noticed by:     Dan Langille <dan@langille.org>
Approved by:    portmgr

Document vulnerabilities in lha.

Reviewed by:    dinoex
Approved by:    portmgr

Lately it seems I like to use dashes in topics... but I should at
least be consistent with how many.  s/---/--/

Approved by:    portmgr

Document mysql buffer overflow.

Reported by:    ale
Approved by:    portmgr

Document Mozilla security icon spoofing vulnerability.

Approved by:    portmgr

Document Mozilla vulnerability involving NULL bytes in FTP URLs.

Also, correct s/firebird/firefox/ in a previously documented issue.

Approved by:    portmgr

Document Mozilla automatic file upload vulnerability.

Approved by:    portmgr