17:22 romain 

Update sysutils/puppetserver5 entry

Puppetlabs released version 5.3.8 of Puppet Server which address the issue:
https://puppet.com/docs/puppetserver/5.3/release_notes.html#puppet-server-538

With hat:	puppet

 

20:48 mfechner 

Documented gitlab vulnerability.

 

07:58 brnrd 

security/vuxml: Document Apache httpd vulnerabilities

 

19:29 danilo 

- Document sysutils/kubectl CVE-2019-1002101

 

13:50 dbaio 

security/vuxml: Document irc/znc issue

Security:	CVE-2019-9917

 

16:36 sunpoet 

Document py-notebook vulnerability

 

14:17 sunpoet 

Update openjpeg status

 

12:21 ler 

vuxml: Document mail/dovecot buffer overflow.

 

08:26 joneum 

Add modified line for drupal after r496987

Sponsored by:	Netzkommune GmbH

 

21:51 acm 

- Update 94d63fd7-508b-11e9-9ba0-4c72b94353b5 entry

 

19:23 sunpoet 

Update Python vulnerability (d74371d2-4fee-11e9-a5cd-1df8a848de3d)

 

17:44 joneum 

Add entry for www/drupal7

Sponsored by:	Netzkommune GmbH

 

18:12 sunpoet 

Document Python vulnerability

 

04:08 zeising 

Update the libXdmcp entry to make it clearer.

 

09:36 joneum 

Add entry for wordpress

Sponsored by:	Netzkommune GmbH

 

08:15 mfechner 

Documented gitlab vulnerability.

 

02:03 zeising 

Add entry for x11/libXdmcp vulnerabilty.

Add entry for x11/libXdmcp vulnerabilty, insufficient entripy generating
session keys.  It is unknown if this actually affects FreeBSD.

Security:	CVE-2017-2625

 

14:04 mfechner 

Documented security vulnerability for gitlab < 11.8.2.

 

11:30 joneum 

Add entry for www/gitea

PR:		236563

 

20:22 jbeich 

security/vuxml: mark firefox < 66 as vulnerable

 

14:51 swills 

Document PowerDNS issue

PR:		236634
Reported by:	Dani <i.dani@outlook.com>

 

18:25 sunpoet 

Document Rails vulnerability

 

14:16 mandree 

Record PuTTY security vulnerabilities in versions before 0.71.

 

23:23 sunpoet 

Document py-notebook vulnerability

 

21:42 sunpoet 

Document ruby-gems vulnerability

 

06:14 riggs 

Document CVE fixes in libsndfile-1.0.28_2

PR:		227669
Reported by:	p5B2E9A8F@t-online.de

 

02:26 cy 

Fill in the actual URL for March 2019 ntp-4.2.8p13 NTP Release and
Security Vulnerability Announcement

 

19:33 brnrd 

security/vuxml: Document OpenSSL 1.1.1 vulnerability

 

13:32 cy 

Document crafted ull dereference ntp attack.

Security:	CVE-2019-8936
Obtained from:	nwtime.org

 

19:56 kai 

security/vuxml: Document shells/rssh < 2.3.4_2 vulnerabilities

PR:		235121
Approved by:	tcberner (mentor)
Differential Revision:	https://reviews.freebsd.org/D19473

 

07:31 matthew 

Document a jQuery related XSS security fix in rt4.4.4 and rt4.2.16

Note: the release notes also mention 3 other security issues in perl
modules depended on by these packages.  Of those, vulnerabilities in
the Email::Address and Email::Address::List perl modules have already
been addressed in their respective ports, while the third: HTML::Gumbo
is not currently in the ports at all.

 

15:00 0mp 

Document a slixmpp < 1.4.1 vulnerability

Reviewed by:	krion, mat
Approved by:	krion (mentor), mat (mentor)
MFH:		2019Q1

 

10:23 mfechner 

Doucumented several www/gitlab-ce security vulnerabilities.

 

06:20 tobik 

Document www/py-gunicorn vulnerability

 

10:54 joneum 

Update mybb entry

Sponsored by:	Netzkommune GmbH

 

00:03 bhughes 

security/vuxml: document Node.js February 2019 Security Releases

https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/

Sponsored by:	Miles AS

 

10:29 joneum 

Document vulnerability in www/mybb

Sponsored by:	Netzkommune GmbH

 

08:57 madpilot 

Document new asterisk vulnerability.

Security:	CVE-2019-7251

 

07:33 brnrd 

security/vuxml: Update OpenSSL 1.0.2r entry

 

19:59 kwm 

Document webkit-gtk CVE's

Security:	CVE-2019-6212, CVE-2019-6215, CVE-2019-6216, CVE-2019-6217, \
		CVE-2019-6226, CVE-2019-6227, CVE-2019-6229, CVE-2019-6233, \
		CVE-2019-6234.

 

17:58 pi 

security/vuxml: dokument rdesktop < 1.8.4 vulnerabilities

PR:		235885, 229029

 

19:49 romain 

Document sysutils/puppetserver* vulnerabilities.

PuppetServer bundles Bouncy Castle, so add affected ports to the Bouncy Castle
entry.

sysutils/puppetserver is EOL and will likely never get a fix;
sysutils/puppetserver5 may get fixed in a future release of the 5.x branch;
sysutils/puppetserver6 was fixed in the latest release.

With hat:	puppet

 

14:45 acm 

- Add drupal8 vulnerability entry

 

10:13 brnrd 

security/vuxml: Document announced OpenSSL vulnerability

 - To be updated with more specifics on 2019-02-26

 

15:06 novel 

Document mail/msmtp certificate verification issue

 

11:27 cmt 

fix firefox-esr PORTEPOCH in latest entry

Submitted by:	jbeich

 

11:09 cmt 

add more mozilla products to latest entry

https://www.mozilla.org/en-US/security/advisories/mfsa2019-05/
(same CVEs as mfsa2019-04, so not creating another entry)

 

09:57 cmt 

document firefox vulnerabilities

https://www.mozilla.org/en-US/security/advisories/mfsa2019-04/

 

15:39 jkim 

Document the latest Flash Player vulnerability.

https://helpx.adobe.com/security/products/flash-player/apsb19-06.html

 

19:11 sunpoet 

Fix r492723 for the name of NVD report

 

18:59 sunpoet 

Update openjpeg status

There were 5 vulnerabilities in openjpeg and 4 of them are fixed.
The current status  is described in [1] as follows:
- CVE-2017-17479 and CVE-2017-17480 were fixed in r477112.
- CVE-2018-5785 was fixed in r480624.
- CVE-2018-6616 was fixed in r489415.
- CVE-2018-5727 is not fixed yet.

Though I keep committing fixes and updating the status, it does not show in the
"pkg audit" result. Users have to follow the link but apparently few people
would do that. Therefore, I got mails asking if the CVEs are fixed, etc.

I don't know if there's a better way to handle this condition (partly fixed over
several months). Instead of removing fixed CVEs from vuln.xml, I decided to add
a new entry (5efd7a93-2dfb-11e9-9549-e980e869c2e9) which is split from the old
entry (11dc3890-0e64-11e8-99b0-d017c2987f9a). It should be clearer for users if
they only read the "pkg audit" result.

[1] https://www.vuxml.org/freebsd/11dc3890-0e64-11e8-99b0-d017c2987f9a.html

 

00:11 feld 

Document FreeBSD-SA-19:02.fd

 

00:10 feld 

Document FreeBSD-SA-19:01.syscall

 

18:02 tcberner 

Document kf5-kauth vulnerability.

 

01:12 osa 

Update versions range for recent unit vulnerability.

 

01:04 osa 

Document unit vulnerability.

 

23:14 sunpoet 

Document curl vulnerability

 

09:10 mfechner 

Document gitlab-ce vulnerability.

 

14:52 ler 

mail/dovecot: update reporter for latest vuln

 

14:39 ler 

mail/dovecot: Suitable client certificate can be used to login as other user

update vuxml

 

21:55 sunpoet 

Document typo3 vulnerability

PR:		235187, 235188

 

01:26 jrm 

security/vuxml: Document Gitea < 1.7.1 vulnerabilities

PR:		235399
Submitted by:	stb@lassitu.de (www/gitea maintainer)

 

19:36 matthew 

Document vulnerability addressed by release 0.06 of p5-Email-Address-List

Unfortunately there is very little real description of the
vulnerability available, other than what is in the changelog.  Even
the CVE number only leads to a page saying the number is reserved.

 

17:42 mfechner 

Documented multiple vulnerabilities for www/gitlab-ce.

 

11:37 bhughes 

security/vuxml: document vulnerabilities in net/turnserver

Sponsored by:	Miles AS

 

17:18 jbeich 

security/vuxml: mark firefox < 65 as vulnerable

 

16:53 swills 

Document powerdns-recursor issue

PR:		235113
Submitted by:	Ralf van der Enden <tremere@cainites.net>

 

19:58 sunpoet 

Update py-requests entry

Reference:	https://lists.freebsd.org/pipermail/svn-ports-head/2019-January/198601.html

 

15:14 brnrd 

security/vuxml: Document recent MySQL vulnerabilities

 - 5.5 branch see https://mariadb.com/kb/en/library/mariadb-5563-release-notes/

 

09:58 tcberner 

security/vuxml: Document security/botan2 vulnerability

PR:		234938
Submitted by:	Ralf van der Enden <tremere@cainites.net> (maintainer)

 

09:19 matthew 

Document PMASA-2019-1 and PMSA-2019-2 security advisories: Arbitrary
file disclosure and SQL injection attacks.

 

10:54 joneum 

Add entry for www/gitea

PR:		235140
Sponsored by:	Netzkommune GmbH

 

09:49 koobs 

security/vuxml: Add libzmq4 -- Remote Code Execution Vulnerability

PR:	230575

 

15:10 zi 

Fix invalid package name in previous commit for
4af3241d-1f0c-11e9-b4bd-d43d7eed0ce2

 

14:37 joneum 

Add entry for www/apache24

Sponsored by:	Netzkommune GmbH

 

12:48 lev 

 Add CVE-2018-11803 for www/mod_dav_svn.

 

12:32 gjb 

Attempt to fix vuxml build.

Sponsored by:	The FreeBSD Foundation

 

10:44 koobs 

security/vuxml: Add www/py-requests: Information disclosure vulnerability

 

01:05 ler 

security/vuxml: Document joomla 3 vulnerabilities.

 

20:37 acm 

- Add drupal7 and drupal8 vulnerability entry

 

22:39 danilo 

Document helm security advisory

 

00:14 mfechner 

Documented gitlab security vulnerability.

 

17:43 lwhsu 

Document Jenkins Security Advisory 2019-01-16

Sponsored by:	The FreeBSD Foundation

 

12:20 swills 

Document py-matrix-synapse issue

PR:		234828
Submitted by:	Sascha Biberhofer <ports@skyforge.at> (with slight editing)

 

18:59 dbaio 

security/vuxml: Document irc/irssi issue

Security:	CVE-2019-5882

PR:		234798

 

19:30 riggs 

Document out-of-bounds vulnerability in net/uriparser < 0.9.1

Reported by:	sebastian@pipping.org (via e-mail)

 

16:55 swills 

Document gitea issue

PR:		234659
Submitted by:	stb@lassitu.de

 

23:00 sunpoet 

Update openjpeg status

 

13:20 cpm 

Document new vulnerability in www/chromium < 71.0.3578.98

Obtained
from:	https://chromereleases.googleblog.com/2018/12/stable-channel-update-for-desktop_12.html

 

13:10 cpm 

Document new vulnerabilities in www/chromium < 71.0.3578.80

Obtained
from:	https://chromereleases.googleblog.com/2018/12/stable-channel-update-for-desktop.html

 

08:09 wen 

- Documented security vulnerability of Django

 

09:03 mfechner 

Documented several gitlab-ce security vulnerabilities.

Approved by:	mentors (implicit)

 

21:05 swills 

Document gitea issue

 

16:09 rodrigo 

Add entry for archivers/rpm4 security isssue on 4.14.2

 

16:04 tijl 

Update handbrake entries now that 1.2.0 has been released.

PR:		234322
Submitted by:	Nei Teng  You Yi Lang  <naito.yuichiro@gmail.com> (maintainer)

 

07:42 mfechner 

Documented security vulnerability for gitlab-ce.

Approved by:	mentors (implicit)

 

14:50 girgen 

Add vuxml entry for shibboleth-sp

 

09:38 dch 

Document databases/couchdb2 and databases/couchdb vulnerability

Approved by:	jrm (mentor)
Security:	CVE-2018-17188
Security:	see http://docs.couchdb.org/en/stable/cve/2018-17188.html
Differential Revision:	https://reviews.freebsd.org/D18498

 

01:15 leres 

Mark bro < 2.6.1 as vulnerable as per:

    https://www.bro.org/download/NEWS.bro.html

The issue is a remote code execution vulnerability in the bundled
sqlite ("Magellan").

Reviewed by:	ler (mentor)
Approved by:	ler (mentor)
Differential Revision:	https://reviews.freebsd.org/D18615

 

21:15 feld 

Document FreeBSD-SA-18:15.bootpd