author: Martin Wilke <miwi@FreeBSD.org> 2012-01-14 04:36:22 +0000
committer: Martin Wilke <miwi@FreeBSD.org> 2012-01-14 04:36:22 +0000
commit: f3391e322e92e8e75a4fc403dce1cfeb2e45b6ae (patch)
tree: e1446be965cd76d831c2f59f058137f1ebd92e13 /security
parent: 751b489b9fa19fb529f0a3edce73514a5254e9cf (diff)
download: ports-f3391e322e92e8e75a4fc403dce1cfeb2e45b6ae.tar.gz
ports-f3391e322e92e8e75a4fc403dce1cfeb2e45b6ae.zip
1 files changed, 42 insertions, 42 deletions
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml
index a0a3bcb16b2a..6bee242b1399 100644
--- a/security/vuxml/vuln.xml
+++ b/security/vuxml/vuln.xml
@@ -61,23 +61,23 @@ Note:  Please add new entries to the beginning of this file.
 	<blockquote cite="http://openssl.org/news/secadv_20120104.txt">
 	  <p>6 security flaws have been fixed in OpenSSL 1.0.0f:</p>
 	  <p>If X509_V_FLAG_POLICY_CHECK is set in OpenSSL 0.9.8,
-	     then a policy check failure can lead to a double-free.</p>
+	    then a policy check failure can lead to a double-free.</p>
 	  <p>OpenSSL prior to 1.0.0f and 0.9.8s failed to clear the
-	     bytes used as block cipher padding in SSL 3.0 records.
-	     As a result, in each record, up to 15 bytes of
-	     uninitialized memory may be sent, encrypted, to the SSL
-	     peer.  This could include sensitive contents of
-	     previously freed memory.</p>
+	    bytes used as block cipher padding in SSL 3.0 records.
+	    As a result, in each record, up to 15 bytes of
+	    uninitialized memory may be sent, encrypted, to the SSL
+	    peer.  This could include sensitive contents of
+	    previously freed memory.</p>
 	  <p>RFC 3779 data can be included in certificates, and if
-	     it is malformed, may trigger an assertion failure.
-	     This could be used in a denial-of-service attack.</p>
+	    it is malformed, may trigger an assertion failure.
+	    This could be used in a denial-of-service attack.</p>
 	  <p>Support for handshake restarts for server gated
-	     cryptograpy (SGC) can be used in a denial-of-service
-	     attack.</p>
+	    cryptograpy (SGC) can be used in a denial-of-service
+	    attack.</p>
 	  <p>A malicious TLS client can send an invalid set of GOST
-	     parameters which will cause the server to crash due to
-	     lack of error checking.  This could be used in a
-	     denial-of-service attack.</p>
+	    parameters which will cause the server to crash due to
+	    lack of error checking.  This could be used in a
+	    denial-of-service attack.</p>
 	</blockquote>
       </body>
     </description>
@@ -109,12 +109,12 @@ Note:  Please add new entries to the beginning of this file.
 	<p>ISC reports:</p>
 	<blockquote cite="https://www.isc.org/software/dhcp/advisories/cve-2011-4868">
 	  <p>Due to improper handling of a DHCPv6 lease structure, ISC DHCP
-	     servers that are serving IPv6 address pools AND using Dynamic
-	     DNS can encounter a segmentation fault error while updating lease
-	     status under certain conditions.</p>
+	    servers that are serving IPv6 address pools AND using Dynamic
+	    DNS can encounter a segmentation fault error while updating lease
+	    status under certain conditions.</p>
 	  <p>The potential exists for this condition to be intentionally
-	     triggered, resulting in effective denial of service to
-	     clients expecting service from the affected server.</p>
+	    triggered, resulting in effective denial of service to
+	    clients expecting service from the affected server.</p>
 	</blockquote>
       </body>
     </description>
@@ -273,9 +273,9 @@ Note:  Please add new entries to the beginning of this file.
 	<p>Google Chrome Releases reports:</p>
 	<blockquote cite="http://googlechromereleases.blogspot.com/search/label/Stable%20updates">
 	  <p>[106672] High CVE-2011-3921: Use-after-free in animation frames.
-	      Credit to Boris Zbarsky of Mozilla.<br/>
+	    Credit to Boris Zbarsky of Mozilla.<br/>
 	    [107128] High CVE-2011-3919: Heap-buffer-overflow in libxml. Credit
-	      to Juri Aedla.<br/>
+	    to Juri Aedla.<br/>
 	    [108006] High CVE-2011-3922: Stack-buffer-overflow in glyph
 	      handling. Credit to Google Chrome Security Team (Cris Neckar).</p>
 	</blockquote>
@@ -428,11 +428,11 @@ Note:  Please add new entries to the beginning of this file.
 	<p>US-CERT/NIST reports:</p>
 	<blockquote cite="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4362">
 	  <p>Integer signedness error in the base64_decode function in the
-	     HTTP authentication functionality (http_auth.c) in lighttpd 1.4
-	     before 1.4.30 and 1.5 before SVN revision 2806 allows remote
-	     attackers to cause a denial of service (segmentation fault)
-	     via crafted base64 input that triggers an out-of-bounds read
-	     with a negative index.</p>
+	    HTTP authentication functionality (http_auth.c) in lighttpd 1.4
+	    before 1.4.30 and 1.5 before SVN revision 2806 allows remote
+	    attackers to cause a denial of service (segmentation fault)
+	    via crafted base64 input that triggers an out-of-bounds read
+	    with a negative index.</p>
 	</blockquote>
       </body>
     </description>
@@ -458,8 +458,8 @@ Note:  Please add new entries to the beginning of this file.
 	<p>The MIT Kerberos Team reports:</p>
 	<blockquote cite="http://security.FreeBSD.org/advisories/FreeBSD-SA-11:08.telnetd.asc">
 	  <p>When an encryption key is supplied via the TELNET protocol,
-	     its length is not validated before the key is copied into a
-	     fixed-size buffer. Also see MITKRB5-SA-2011-008.</p>
+	    its length is not validated before the key is copied into a
+	    fixed-size buffer. Also see MITKRB5-SA-2011-008.</p>
 	</blockquote>
       </body>
     </description>
@@ -520,12 +520,12 @@ Note:  Please add new entries to the beginning of this file.
 	<p>The phpMyAdmin development team reports:</p>
 	<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2011-19.php">
 	  <p>Using crafted url parameters, it was possible to produce XSS on
-	     the export panels in the server, database and table sections.</p>
+	    the export panels in the server, database and table sections.</p>
 	</blockquote>
 	<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2011-20.php">
 	  <p>Crafted values entered in the setup interface can produce XSS;
-	     also, if the config directory exists and is writeable, the XSS
-	     payload can be saved to this directory.</p>
+	    also, if the config directory exists and is writeable, the XSS
+	    payload can be saved to this directory.</p>
 	</blockquote>
       </body>
     </description>
@@ -998,16 +998,16 @@ Note:  Please add new entries to the beginning of this file.
 	<p>The Internet Systems Consortium reports:</p>
 	<blockquote cite="https://www.isc.org/software/bind/advisories/cve-2011-4313">
 	  <p>Organizations across the Internet reported crashes interrupting service
-	     on BIND 9 nameservers performing recursive queries. Affected servers
-	     crashed after logging an error in query.c with the following message:
-	     &quot;INSIST(! dns_rdataset_isassociated(sigrdataset))&quot;
-	     Multiple versions were reported being affected, including all
-	     currently supported release versions of ISC BIND 9.</p>
+	    on BIND 9 nameservers performing recursive queries. Affected servers
+	    crashed after logging an error in query.c with the following message:
+	    &quot;INSIST(! dns_rdataset_isassociated(sigrdataset))&quot;
+	    Multiple versions were reported being affected, including all
+	    currently supported release versions of ISC BIND 9.</p>
 	  <p>Because it may be possible to trigger this bug even on networks
-	     that do not allow untrusted users to access the recursive name
-	     servers (perhaps via specially crafted e-mail messages, and/or
-	     malicious web sites) it is recommended that ALL operators of
-	     recursive name servers upgrade immediately.</p>
+	    that do not allow untrusted users to access the recursive name
+	    servers (perhaps via specially crafted e-mail messages, and/or
+	    malicious web sites) it is recommended that ALL operators of
+	    recursive name servers upgrade immediately.</p>
 	</blockquote>
       </body>
     </description>
@@ -4674,8 +4674,8 @@ Note:  Please add new entries to the beginning of this file.
       <body xmlns="http://www.w3.org/1999/xhtml">
 	<p>Matthias Hopf reports:</p>
 	<blockquote cite="http://lists.freedesktop.org/archives/xorg-announce/2011-April/001636.html">
-	  <p>By crafting hostnames with shell escape characters, arbitrary 
-	    commands can be executed in a root environment when a display 
+	  <p>By crafting hostnames with shell escape characters, arbitrary
+	    commands can be executed in a root environment when a display
 	    manager reads in the resource database via xrdb.</p>
 	  <p>These specially crafted hostnames can occur in two environments:</p>
 	  <p>Systems are affected are: systems set their hostname via DHCP,
@@ -7307,7 +7307,7 @@ Note:  Please add new entries to the beginning of this file.
 	    [101458] High CVE-2011-3895: Heap overflow in Vorbis decoder.
 	      Credit to Aki Helin of OUSPG.<br/>
 	    [101624] High CVE-2011-3896: Buffer overflow in shader variable
-	      mapping. Credit to Ken "strcpy" Russell of the Chromium 
+	      mapping. Credit to Ken "strcpy" Russell of the Chromium
 	      development community.<br/>
 	    [102242] High CVE-2011-3897: Use-after-free in editing. Credit to
 	      pa_kt reported through ZDI (ZDI-CAN-1416).<br/>
author	Martin Wilke <miwi@FreeBSD.org>	2012-01-14 04:36:22 +0000
committer	Martin Wilke <miwi@FreeBSD.org>	2012-01-14 04:36:22 +0000
commit	f3391e322e92e8e75a4fc403dce1cfeb2e45b6ae (patch)
tree	e1446be965cd76d831c2f59f058137f1ebd92e13 /security
parent	751b489b9fa19fb529f0a3edce73514a5254e9cf (diff)
download	ports-f3391e322e92e8e75a4fc403dce1cfeb2e45b6ae.tar.gz ports-f3391e322e92e8e75a4fc403dce1cfeb2e45b6ae.zip