[cvs] SF.net SVN: bogofilter:[7019] trunk/web/security

[<m-...@us...>]

Revision: 7019
          http://sourceforge.net/p/bogofilter/code/7019
Author:   m-a
Date:     2014-11-12 00:08:24 +0000 (Wed, 12 Nov 2014)
Log Message:
-----------
Rename security announcements to let nginx's MIME type logic work.

Modified Paths:
--------------
    trunk/web/security/index.html

Added Paths:
-----------
    trunk/web/security/bogofilter-SA-2002-01.txt
    trunk/web/security/bogofilter-SA-2004-01.txt
    trunk/web/security/bogofilter-SA-2005-01.txt
    trunk/web/security/bogofilter-SA-2005-02.txt
    trunk/web/security/bogofilter-SA-2010-01.txt
    trunk/web/security/bogofilter-SA-2012-01.txt

Removed Paths:
-------------
    trunk/web/security/bogofilter-SA-2002-01
    trunk/web/security/bogofilter-SA-2004-01
    trunk/web/security/bogofilter-SA-2005-01
    trunk/web/security/bogofilter-SA-2005-02
    trunk/web/security/bogofilter-SA-2010-01
    trunk/web/security/bogofilter-SA-2012-01

Deleted: trunk/web/security/bogofilter-SA-2002-01
===================================================================
--- trunk/web/security/bogofilter-SA-2002-01	2014-07-22 17:40:08 UTC (rev 7018)
+++ trunk/web/security/bogofilter-SA-2002-01	2014-11-12 00:08:24 UTC (rev 7019)
@@ -1,96 +0,0 @@
-This security announcement is kept for historic reasons. The software
-that was found to be vulnerable no longer ships with bogofilter.
------------------------------------------------------------------------
-
-bogofilter-SA-2002:01.bogopass
-
-Topic:		vulnerability in bogopass
-
-Announcement:	bogofilter-SA-2002:01
-Writer:		Matthias Andree
-Version:	1.00
-Announced:	2002-11-29
-Category:	contrib
-Type:		temporary file created insecurely
-Impact:		anonymous local file destruction or change
-Credits:	-
-Danger:		medium (the vulnerable version was replaced after 6
-		        hours, the vulnerable program is not installed
-			by default)
-Bugtraq ID:	6278
-URL:		http://bogofilter.sourceforge.net/security/bogofilter-SA-2002-01
-
-Affects:	bogofilter 0.9.0.4 (beta version)
-
-Not affected:	bogofilter 0.9.0.3 and before
-		bogofilter 0.9.0.5 and newer
-
-Default install: unaffected.
-
-Introduced:	2002-11-27 23:04:28 UTC (CVS)
-		2002-11-27 23:11    bogofilter 0.9.0.4 released
-
-Corrected:	2002-11-28 01:19:04 UTC (CVS) - disabled original version
-		2002-11-28 03:32:47 UTC (CVS) - committed corrected version
-		2002-11-28 04:26    bogofilter 0.9.0.5 released
-
-0. Release history
-
-2002-11-28	1.00 initial announcement
-2004-10-28	     added Bugtraq ID
-2004-10-30	     added URL
-
-1. Background
-
-Bogofilter is a software package to determine if a mail on its standard
-input is spam or not.
-
-2. Problem description
-
-A vulnerability was found in the contrib/bogopass Perl program that was
-added to bogofilter as of the 0.9.0.4 beta release (date: 2002-11-27
-23:04:28 UTC in CVS) with bogofilter, but is not installed by default.
-
-The bogopass program creates temporary files with the name
-/tmp/bogopass.$$, where $$ is the process ID, with the open FH, ">file"
-syntax of Perl, which uses O_TRUNC mode, not O_EXCL.
-
-3. Impact
-
-This vulnerability allows for anonymous file destruction or change, and
-might be abused to further escalate the privileges of the local
-attacker.
-
-If bogopass is run by the root user, this may eventually lead to a
-complete system compromise.
-
-4. Workaround
-
-Do not install or use the "bogopass" program that shipped with the
-vulnerable versions (see above) of bogofilter.
-
-5. Solution
-
-Upgrade your bogofilter to version 0.9.0.5 beta, and reinstall the
-bogopass program. Make sure you delete all copies of the old version of
-bogopass.
-
-bogofilter 0.9.0.5 is available from sourceforge:
-
-http://sourceforge.net/project/showfiles.php?group_id=62265&release_id=118794
-
-6. Solution details
-
-revision 1.3
-date: 2002/11/28 03:32:47;  author: m-a;  state: Exp;  lines: +67 -26
-
-7. Other hints
-
-Software that treats user input should not run as root if it can be
-avoided. When installing bogofilter for system-wide use, make sure that
-it runs as an unprivileged user to limit the impact of possible
-vulnerabilities.
-
-A. References
-
-bogofilter home page: http://bogofilter.sourceforge.net/

Copied: trunk/web/security/bogofilter-SA-2002-01.txt (from rev 7018, trunk/web/security/bogofilter-SA-2002-01)
===================================================================
--- trunk/web/security/bogofilter-SA-2002-01.txt	                        (rev 0)
+++ trunk/web/security/bogofilter-SA-2002-01.txt	2014-11-12 00:08:24 UTC (rev 7019)
@@ -0,0 +1,96 @@
+This security announcement is kept for historic reasons. The software
+that was found to be vulnerable no longer ships with bogofilter.
+-----------------------------------------------------------------------
+
+bogofilter-SA-2002:01.bogopass
+
+Topic:		vulnerability in bogopass
+
+Announcement:	bogofilter-SA-2002:01
+Writer:		Matthias Andree
+Version:	1.00
+Announced:	2002-11-29
+Category:	contrib
+Type:		temporary file created insecurely
+Impact:		anonymous local file destruction or change
+Credits:	-
+Danger:		medium (the vulnerable version was replaced after 6
+		        hours, the vulnerable program is not installed
+			by default)
+Bugtraq ID:	6278
+URL:		http://bogofilter.sourceforge.net/security/bogofilter-SA-2002-01
+
+Affects:	bogofilter 0.9.0.4 (beta version)
+
+Not affected:	bogofilter 0.9.0.3 and before
+		bogofilter 0.9.0.5 and newer
+
+Default install: unaffected.
+
+Introduced:	2002-11-27 23:04:28 UTC (CVS)
+		2002-11-27 23:11    bogofilter 0.9.0.4 released
+
+Corrected:	2002-11-28 01:19:04 UTC (CVS) - disabled original version
+		2002-11-28 03:32:47 UTC (CVS) - committed corrected version
+		2002-11-28 04:26    bogofilter 0.9.0.5 released
+
+0. Release history
+
+2002-11-28	1.00 initial announcement
+2004-10-28	     added Bugtraq ID
+2004-10-30	     added URL
+
+1. Background
+
+Bogofilter is a software package to determine if a mail on its standard
+input is spam or not.
+
+2. Problem description
+
+A vulnerability was found in the contrib/bogopass Perl program that was
+added to bogofilter as of the 0.9.0.4 beta release (date: 2002-11-27
+23:04:28 UTC in CVS) with bogofilter, but is not installed by default.
+
+The bogopass program creates temporary files with the name
+/tmp/bogopass.$$, where $$ is the process ID, with the open FH, ">file"
+syntax of Perl, which uses O_TRUNC mode, not O_EXCL.
+
+3. Impact
+
+This vulnerability allows for anonymous file destruction or change, and
+might be abused to further escalate the privileges of the local
+attacker.
+
+If bogopass is run by the root user, this may eventually lead to a
+complete system compromise.
+
+4. Workaround
+
+Do not install or use the "bogopass" program that shipped with the
+vulnerable versions (see above) of bogofilter.
+
+5. Solution
+
+Upgrade your bogofilter to version 0.9.0.5 beta, and reinstall the
+bogopass program. Make sure you delete all copies of the old version of
+bogopass.
+
+bogofilter 0.9.0.5 is available from sourceforge:
+
+http://sourceforge.net/project/showfiles.php?group_id=62265&release_id=118794
+
+6. Solution details
+
+revision 1.3
+date: 2002/11/28 03:32:47;  author: m-a;  state: Exp;  lines: +67 -26
+
+7. Other hints
+
+Software that treats user input should not run as root if it can be
+avoided. When installing bogofilter for system-wide use, make sure that
+it runs as an unprivileged user to limit the impact of possible
+vulnerabilities.
+
+A. References
+
+bogofilter home page: http://bogofilter.sourceforge.net/

Deleted: trunk/web/security/bogofilter-SA-2004-01
===================================================================
--- trunk/web/security/bogofilter-SA-2004-01	2014-07-22 17:40:08 UTC (rev 7018)
+++ trunk/web/security/bogofilter-SA-2004-01	2014-11-12 00:08:24 UTC (rev 7019)
@@ -1,98 +0,0 @@
-bogofilter-SA-2004-01 rfc2047crash
-
-Topic:		vulnerability in bogofilter/bogolexer
-
-Announcement:	bogofilter-SA-2004-01
-Writer:		Matthias Andree
-Version:	1.01
-CVE id:		CAN-2004-1007
-Announced:	2004-10-30
-Category:	vulnerability
-Type:		segmentation fault through malformed input
-Impact:		denial of service
-Credits:	Antti-Juhani Kaijanaho, Clint Adams, David Relson
-Danger:		medium
-URL:		http://bogofilter.sourceforge.net/security/bogofilter-SA-2004-01
-
-Affected:	bogofilter (stable)  0.92.6, 0.92.4, 0.92.0, 0.17.5
-		bogofilter (current) 0.17.4 to 0.92.7 (inclusive)
-
-Not affected:	bogofilter 0.17.3 and older
-		bogofilter 0.92.8 and newer
-
-Introduced:	2004-03-20 21:46:39 UTC (CVS)
-		2004-03-20 22:20    bogofilter 0.17.4 released as current
-		2004-04-02 01:00    bogofilter 0.17.5 released as stable
-
-Corrected:	2004-10-08 23:50:04 UTC (CVS) - committed corrected version
-		2004-10-25          bogofilter 0.92.8 released as stable
-		2004-10-26          recognized bug as a vulnerability
-
-References:	Debian Bug #275373
-		FreeBSD VuXML ID f4428842-a583-4a4c-89b7-297c3459a1c3
-		FreeBSD Problem Report #73144
-		CAN-2004-1007
-
-0. Release history
-
-2004-10-28	0.01 initial draft for internal review
-2004-10-30	0.02 minor revision, added URL
-2004-10-30	1.00 minor revision by David Relson, published.
-2004-11-03	1.01 Added CVE candidate number.
-
-1. Background
-
-Bogofilter is a software package to classify a mail as spam or
-non-spam.  It uses a data base to store words and must be trained
-which mail are spam and non-spam. It uses the probabilities of
-individual words for classifying the message.
-
-Bogofilter understands enough of MIME to decode headers and only
-consider text parts of mail.
-
-2. Problem description
-
-Antti-Juhani Kaijanaho provided Debian with a test case that crashed
-bogofilter 0.92.7. The problem was examined and tracked down to a change
-in bogofilter's quoted-printable decoder that went into 0.17.4.
-
-The pertinent change allowed the quoted-printable decoder to accept LF
-in encoded words but replaced it by a NUL character, which the calling
-function inside bogofilter could not handle. It attempted to write a NUL
-byte either one byte past the end of a buffer provided by the lexical
-analyzer or to an address that was the negative of the address of the
-first byte of the "encoded text" part of the encoded word that was
-supposed to be decoded.
-
-It was decided to announce this as a vulnerability because bogofilter
-cannot process the pertinent message.
-
-3. Impact
-
-This vulnerability causes bogofilter to catch a "segmentation violation"
-signal, which causes an immediate program abort.
-
-The exact impact depends on the way bogofilter is integrated into the
-system. In common setups, the mail that contains such malformed headers
-is deferred by the mail delivery agent and remains in the queue, where
-it will eventually bounce back to the sender.
-
-4. Workaround
-
-No reasonable workaround is known at this time.
-
-5. Solution
-
-Upgrade your bogofilter to version 0.92.8.
-
-bogofilter 0.92.8 is available from sourceforge:
-
-http://sourceforge.net/project/showfiles.php?group_id=62265&package_id=59357&release_id=277823
-
-Note that a broken-out bugfix patch is not available at this time,
-because the reversion of the failure-inducing change is not a complete
-fix. Besides, bogofilter is under development and support is limited to
-the latest available "current" plus the latest available "stable"
-versions.
-
-END of bogofilter-SA-2004-01 rfc2047crash

Copied: trunk/web/security/bogofilter-SA-2004-01.txt (from rev 7018, trunk/web/security/bogofilter-SA-2004-01)
===================================================================
--- trunk/web/security/bogofilter-SA-2004-01.txt	                        (rev 0)
+++ trunk/web/security/bogofilter-SA-2004-01.txt	2014-11-12 00:08:24 UTC (rev 7019)
@@ -0,0 +1,98 @@
+bogofilter-SA-2004-01 rfc2047crash
+
+Topic:		vulnerability in bogofilter/bogolexer
+
+Announcement:	bogofilter-SA-2004-01
+Writer:		Matthias Andree
+Version:	1.01
+CVE id:		CAN-2004-1007
+Announced:	2004-10-30
+Category:	vulnerability
+Type:		segmentation fault through malformed input
+Impact:		denial of service
+Credits:	Antti-Juhani Kaijanaho, Clint Adams, David Relson
+Danger:		medium
+URL:		http://bogofilter.sourceforge.net/security/bogofilter-SA-2004-01
+
+Affected:	bogofilter (stable)  0.92.6, 0.92.4, 0.92.0, 0.17.5
+		bogofilter (current) 0.17.4 to 0.92.7 (inclusive)
+
+Not affected:	bogofilter 0.17.3 and older
+		bogofilter 0.92.8 and newer
+
+Introduced:	2004-03-20 21:46:39 UTC (CVS)
+		2004-03-20 22:20    bogofilter 0.17.4 released as current
+		2004-04-02 01:00    bogofilter 0.17.5 released as stable
+
+Corrected:	2004-10-08 23:50:04 UTC (CVS) - committed corrected version
+		2004-10-25          bogofilter 0.92.8 released as stable
+		2004-10-26          recognized bug as a vulnerability
+
+References:	Debian Bug #275373
+		FreeBSD VuXML ID f4428842-a583-4a4c-89b7-297c3459a1c3
+		FreeBSD Problem Report #73144
+		CAN-2004-1007
+
+0. Release history
+
+2004-10-28	0.01 initial draft for internal review
+2004-10-30	0.02 minor revision, added URL
+2004-10-30	1.00 minor revision by David Relson, published.
+2004-11-03	1.01 Added CVE candidate number.
+
+1. Background
+
+Bogofilter is a software package to classify a mail as spam or
+non-spam.  It uses a data base to store words and must be trained
+which mail are spam and non-spam. It uses the probabilities of
+individual words for classifying the message.
+
+Bogofilter understands enough of MIME to decode headers and only
+consider text parts of mail.
+
+2. Problem description
+
+Antti-Juhani Kaijanaho provided Debian with a test case that crashed
+bogofilter 0.92.7. The problem was examined and tracked down to a change
+in bogofilter's quoted-printable decoder that went into 0.17.4.
+
+The pertinent change allowed the quoted-printable decoder to accept LF
+in encoded words but replaced it by a NUL character, which the calling
+function inside bogofilter could not handle. It attempted to write a NUL
+byte either one byte past the end of a buffer provided by the lexical
+analyzer or to an address that was the negative of the address of the
+first byte of the "encoded text" part of the encoded word that was
+supposed to be decoded.
+
+It was decided to announce this as a vulnerability because bogofilter
+cannot process the pertinent message.
+
+3. Impact
+
+This vulnerability causes bogofilter to catch a "segmentation violation"
+signal, which causes an immediate program abort.
+
+The exact impact depends on the way bogofilter is integrated into the
+system. In common setups, the mail that contains such malformed headers
+is deferred by the mail delivery agent and remains in the queue, where
+it will eventually bounce back to the sender.
+
+4. Workaround
+
+No reasonable workaround is known at this time.
+
+5. Solution
+
+Upgrade your bogofilter to version 0.92.8.
+
+bogofilter 0.92.8 is available from sourceforge:
+
+http://sourceforge.net/project/showfiles.php?group_id=62265&package_id=59357&release_id=277823
+
+Note that a broken-out bugfix patch is not available at this time,
+because the reversion of the failure-inducing change is not a complete
+fix. Besides, bogofilter is under development and support is limited to
+the latest available "current" plus the latest available "stable"
+versions.
+
+END of bogofilter-SA-2004-01 rfc2047crash

Deleted: trunk/web/security/bogofilter-SA-2005-01
===================================================================
--- trunk/web/security/bogofilter-SA-2005-01	2014-07-22 17:40:08 UTC (rev 7018)
+++ trunk/web/security/bogofilter-SA-2005-01	2014-11-12 00:08:24 UTC (rev 7019)
@@ -1,98 +0,0 @@
-bogofilter-SA-2005-01
-
-Topic:		heap buffer overrun in bogofilter/bogolexer 0.93.5 - 0.96.2
-
-Announcement:	bogofilter-SA-2005-01
-Writer:		Matthias Andree
-Version:	1.00
-CVE ID:		CVE-2005-4591
-Announced:	2006-01-02
-Category:	vulnerability
-Type:		buffer overrun through malformed input
-Impact:		heap corruption, application crash
-Credits:	David Relson, Clint Adams
-Danger:		medium
-URL:		http://bogofilter.sourceforge.net/security/bogofilter-SA-2005-01
-
-Affected:	bogofilter 0.96.2
-		bogofilter 0.95.2
-		bogofilter 0.94.14
-		bogofilter 0.94.12
-		all "current" versions from 0.93.5 to 0.96.2 inclusively
-		CVS between 2005-01-09T17:32Z and 2005-10-22T00:51Z
-		CVS between 2005-12-31T10:22Z and 2005-12-31T12:45Z
-
-Not affected:	bogofilter 0.96.3 "current" (released 2005-10-26)
-		bogofilter 0.96.6           (released 2005-11-19)
-		bogofilter 1.0.0            (released 2005-12-01)
-		bogofilter 1.0.1            (released 2006-01-01)
-
-1. Background
-=============
-
-Bogofilter is a software package for classifying a message as spam or
-non-spam.  It uses a data base to store words and must be trained
-which messages are spam and non-spam. It uses the probabilities of
-individual words for classifying the message.
-
-Note that the bogofilter project is issuing security announcements only
-for current "stable" releases, and not necessarily for past "stable"
-releases.
-
-2. Problem description
-======================
-
-When using Unicode databases (default in more recent bogofilter
-installations), upon encountering invalid input sequences, bogofilter or
-bogolexer could overrun a malloc()'d buffer, corrupting the heap, while
-converting character sets. Bogofilter would usually be processing
-untrusted data received from the network at that time.
-
-This problem was aggravated by an unrelated bug that made bogofilter
-process binary attachments as though they were text, and attempt charset
-conversion on them.  Given the MIME default character set, US-ASCII, all
-input octets in the range 0x80...0xff were considered invalid input
-sequences and could trigger the heap corruption.
-
-The faulty code was first released with bogofilter "current" 0.93.5,
-initially under the aegis of "./configure --enable-iconv", which was
-later renamed "--enable-unicode" and enabled by default.
-
-3. Impact
-=========
-
-Vulnerable bogofilter and bogolexer applications corrupt their heap and
-crash. The consequences are dependent on the local configuration which
-is up to the user; in common configurations, messages would be placed
-back in the mail queue and ultimately be returned to the sender when the
-mail queue lifetime expired, or they might be processed as though
-bogofilter had classified them as "ham".
-
-The bogofilter maintainers are not aware of exploits against this
-vulnerability in the wild.
-
-4. Solution
-===========
-
-Upgrade your bogofilter to version 1.0.1 (or a newer release).
-
-bogofilter is available from SourceForge:
-
-<https://sourceforge.net/project/showfiles.php?group_id=62265>
-
-A. Copyright, License and Warranty
-==================================
-
-(C) Copyright 2005 - 2006 by Matthias Andree, <mat...@gm...>.
-Some rights reserved.
-
-This work is licensed under the Creative Commons
-Attribution-NonCommercial-NoDerivs German License. To view a copy of
-this license, visit http://creativecommons.org/licenses/by-nc-nd/2.0/de/
-or send a letter to Creative Commons; 559 Nathan Abbott Way;
-Stanford, California 94305; USA.
-
-THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
-Use the information herein at your own risk.
-
-END of bogofilter-SA-2005-01

Copied: trunk/web/security/bogofilter-SA-2005-01.txt (from rev 7018, trunk/web/security/bogofilter-SA-2005-01)
===================================================================
--- trunk/web/security/bogofilter-SA-2005-01.txt	                        (rev 0)
+++ trunk/web/security/bogofilter-SA-2005-01.txt	2014-11-12 00:08:24 UTC (rev 7019)
@@ -0,0 +1,98 @@
+bogofilter-SA-2005-01
+
+Topic:		heap buffer overrun in bogofilter/bogolexer 0.93.5 - 0.96.2
+
+Announcement:	bogofilter-SA-2005-01
+Writer:		Matthias Andree
+Version:	1.00
+CVE ID:		CVE-2005-4591
+Announced:	2006-01-02
+Category:	vulnerability
+Type:		buffer overrun through malformed input
+Impact:		heap corruption, application crash
+Credits:	David Relson, Clint Adams
+Danger:		medium
+URL:		http://bogofilter.sourceforge.net/security/bogofilter-SA-2005-01
+
+Affected:	bogofilter 0.96.2
+		bogofilter 0.95.2
+		bogofilter 0.94.14
+		bogofilter 0.94.12
+		all "current" versions from 0.93.5 to 0.96.2 inclusively
+		CVS between 2005-01-09T17:32Z and 2005-10-22T00:51Z
+		CVS between 2005-12-31T10:22Z and 2005-12-31T12:45Z
+
+Not affected:	bogofilter 0.96.3 "current" (released 2005-10-26)
+		bogofilter 0.96.6           (released 2005-11-19)
+		bogofilter 1.0.0            (released 2005-12-01)
+		bogofilter 1.0.1            (released 2006-01-01)
+
+1. Background
+=============
+
+Bogofilter is a software package for classifying a message as spam or
+non-spam.  It uses a data base to store words and must be trained
+which messages are spam and non-spam. It uses the probabilities of
+individual words for classifying the message.
+
+Note that the bogofilter project is issuing security announcements only
+for current "stable" releases, and not necessarily for past "stable"
+releases.
+
+2. Problem description
+======================
+
+When using Unicode databases (default in more recent bogofilter
+installations), upon encountering invalid input sequences, bogofilter or
+bogolexer could overrun a malloc()'d buffer, corrupting the heap, while
+converting character sets. Bogofilter would usually be processing
+untrusted data received from the network at that time.
+
+This problem was aggravated by an unrelated bug that made bogofilter
+process binary attachments as though they were text, and attempt charset
+conversion on them.  Given the MIME default character set, US-ASCII, all
+input octets in the range 0x80...0xff were considered invalid input
+sequences and could trigger the heap corruption.
+
+The faulty code was first released with bogofilter "current" 0.93.5,
+initially under the aegis of "./configure --enable-iconv", which was
+later renamed "--enable-unicode" and enabled by default.
+
+3. Impact
+=========
+
+Vulnerable bogofilter and bogolexer applications corrupt their heap and
+crash. The consequences are dependent on the local configuration which
+is up to the user; in common configurations, messages would be placed
+back in the mail queue and ultimately be returned to the sender when the
+mail queue lifetime expired, or they might be processed as though
+bogofilter had classified them as "ham".
+
+The bogofilter maintainers are not aware of exploits against this
+vulnerability in the wild.
+
+4. Solution
+===========
+
+Upgrade your bogofilter to version 1.0.1 (or a newer release).
+
+bogofilter is available from SourceForge:
+
+<https://sourceforge.net/project/showfiles.php?group_id=62265>
+
+A. Copyright, License and Warranty
+==================================
+
+(C) Copyright 2005 - 2006 by Matthias Andree, <mat...@gm...>.
+Some rights reserved.
+
+This work is licensed under the Creative Commons
+Attribution-NonCommercial-NoDerivs German License. To view a copy of
+this license, visit http://creativecommons.org/licenses/by-nc-nd/2.0/de/
+or send a letter to Creative Commons; 559 Nathan Abbott Way;
+Stanford, California 94305; USA.
+
+THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
+Use the information herein at your own risk.
+
+END of bogofilter-SA-2005-01

Deleted: trunk/web/security/bogofilter-SA-2005-02
===================================================================
--- trunk/web/security/bogofilter-SA-2005-02	2014-07-22 17:40:08 UTC (rev 7018)
+++ trunk/web/security/bogofilter-SA-2005-02	2014-11-12 00:08:24 UTC (rev 7019)
@@ -1,84 +0,0 @@
-bogofilter-SA-2005-02
-
-Topic:		heap buffer overrun in bogofilter/bogolexer 0.96.2
-
-Announcement:	bogofilter-SA-2005-02
-Writer:		Matthias Andree
-Version:	1.00
-CVE ID:		CVE-2005-4592
-Announced:	2006-01-02
-Category:	vulnerability
-Type:		buffer overrun through long input
-Impact:		heap corruption, application crash
-Credits:	David Relson, Clint Adams
-Danger:		medium
-URL:		http://bogofilter.sourceforge.net/security/bogofilter-SA-2005-02
-
-Affected:	bogofilter 0.96.2
-		CVS between 2005-09-08T02:49Z and 2005-10-23T15:16Z
-
-Not affected:	bogofilter 0.96.3 "current" (released 2005-10-26)
-		bogofilter 0.96.6           (released 2005-11-19)
-		bogofilter 1.0.0            (released 2005-12-01)
-		bogofilter 1.0.1            (released 2006-01-01)
-
-1. Background
-=============
-
-Bogofilter is a software package for classifying a message as spam or
-non-spam.  It uses a data base to store words and must be trained
-which messages are spam and non-spam. It uses the probabilities of
-individual words for classifying the message.
-
-Note that the bogofilter project is issuing security announcements only
-for current "stable" releases, and not necessarily for past "stable"
-releases.
-
-2. Problem description
-======================
-
-Bogofilter's/bogolexer's input handling in version 0.96.2 was not
-keeping track of its output buffers properly and could overrun a heap
-buffer if the input contained words whose length exceeded 16,384 bytes,
-the size of flex's input buffer. A "word" here refers to a contiguous
-run of input octets that was not '_' and did not match at least one of
-ispunct(), iscntrl() or isspace().
-
-3. Impact
-=========
-
-Vulnerable bogofilter and bogolexer applications corrupt their heap and
-crash. The consequences are dependent on the local configuration which
-is up to the user; in common configurations, messages would be placed
-back in the mail queue and ultimately be returned to the sender when the
-mail queue lifetime expired, or they might be processed as though
-bogofilter had classified them as "ham".
-
-The bogofilter maintainers are not aware of exploits against this
-vulnerability in the wild.
-
-4. Solution
-===========
-
-Upgrade your bogofilter to version 1.0.1 (or a newer release).
-
-bogofilter is available from SourceForge:
-
-<https://sourceforge.net/project/showfiles.php?group_id=62265>
-
-A. Copyright, License and Warranty
-==================================
-
-(C) Copyright 2005 - 2006 by Matthias Andree, <mat...@gm...>.
-Some rights reserved.
-
-This work is licensed under the Creative Commons
-Attribution-NonCommercial-NoDerivs German License. To view a copy of
-this license, visit http://creativecommons.org/licenses/by-nc-nd/2.0/de/
-or send a letter to Creative Commons; 559 Nathan Abbott Way;
-Stanford, California 94305; USA.
-
-THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
-Use the information herein at your own risk.
-
-END of bogofilter-SA-2005-02

Copied: trunk/web/security/bogofilter-SA-2005-02.txt (from rev 7018, trunk/web/security/bogofilter-SA-2005-02)
===================================================================
--- trunk/web/security/bogofilter-SA-2005-02.txt	                        (rev 0)
+++ trunk/web/security/bogofilter-SA-2005-02.txt	2014-11-12 00:08:24 UTC (rev 7019)
@@ -0,0 +1,84 @@
+bogofilter-SA-2005-02
+
+Topic:		heap buffer overrun in bogofilter/bogolexer 0.96.2
+
+Announcement:	bogofilter-SA-2005-02
+Writer:		Matthias Andree
+Version:	1.00
+CVE ID:		CVE-2005-4592
+Announced:	2006-01-02
+Category:	vulnerability
+Type:		buffer overrun through long input
+Impact:		heap corruption, application crash
+Credits:	David Relson, Clint Adams
+Danger:		medium
+URL:		http://bogofilter.sourceforge.net/security/bogofilter-SA-2005-02
+
+Affected:	bogofilter 0.96.2
+		CVS between 2005-09-08T02:49Z and 2005-10-23T15:16Z
+
+Not affected:	bogofilter 0.96.3 "current" (released 2005-10-26)
+		bogofilter 0.96.6           (released 2005-11-19)
+		bogofilter 1.0.0            (released 2005-12-01)
+		bogofilter 1.0.1            (released 2006-01-01)
+
+1. Background
+=============
+
+Bogofilter is a software package for classifying a message as spam or
+non-spam.  It uses a data base to store words and must be trained
+which messages are spam and non-spam. It uses the probabilities of
+individual words for classifying the message.
+
+Note that the bogofilter project is issuing security announcements only
+for current "stable" releases, and not necessarily for past "stable"
+releases.
+
+2. Problem description
+======================
+
+Bogofilter's/bogolexer's input handling in version 0.96.2 was not
+keeping track of its output buffers properly and could overrun a heap
+buffer if the input contained words whose length exceeded 16,384 bytes,
+the size of flex's input buffer. A "word" here refers to a contiguous
+run of input octets that was not '_' and did not match at least one of
+ispunct(), iscntrl() or isspace().
+
+3. Impact
+=========
+
+Vulnerable bogofilter and bogolexer applications corrupt their heap and
+crash. The consequences are dependent on the local configuration which
+is up to the user; in common configurations, messages would be placed
+back in the mail queue and ultimately be returned to the sender when the
+mail queue lifetime expired, or they might be processed as though
+bogofilter had classified them as "ham".
+
+The bogofilter maintainers are not aware of exploits against this
+vulnerability in the wild.
+
+4. Solution
+===========
+
+Upgrade your bogofilter to version 1.0.1 (or a newer release).
+
+bogofilter is available from SourceForge:
+
+<https://sourceforge.net/project/showfiles.php?group_id=62265>
+
+A. Copyright, License and Warranty
+==================================
+
+(C) Copyright 2005 - 2006 by Matthias Andree, <mat...@gm...>.
+Some rights reserved.
+
+This work is licensed under the Creative Commons
+Attribution-NonCommercial-NoDerivs German License. To view a copy of
+this license, visit http://creativecommons.org/licenses/by-nc-nd/2.0/de/
+or send a letter to Creative Commons; 559 Nathan Abbott Way;
+Stanford, California 94305; USA.
+
+THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
+Use the information herein at your own risk.
+
+END of bogofilter-SA-2005-02

Deleted: trunk/web/security/bogofilter-SA-2010-01
===================================================================
--- trunk/web/security/bogofilter-SA-2010-01	2014-07-22 17:40:08 UTC (rev 7018)
+++ trunk/web/security/bogofilter-SA-2010-01	2014-11-12 00:08:24 UTC (rev 7019)
@@ -1,108 +0,0 @@
------BEGIN PGP SIGNED MESSAGE-----
-Hash: SHA1
-
-bogofilter-SA-2010-01
-
-Topic:		heap corruption overrun in bogofilter/bogolexer
-
-Announcement:	bogofilter-SA-2010-01
-Writer:		Matthias Andree
-Version:	1.0
-CVE ID:		CVE-2010-2494
-Announced:	2010-07-07
-Category:	vulnerability
-Type:		array index underflow/out of bounds write through invalid input
-Impact:		heap corruption, application crash
-Credits:	Julius Plenz
-Danger:		medium
-URL:		http://bogofilter.sourceforge.net/security/bogofilter-SA-2010-01
-
-Affected:	bogofilter <= 1.2.1
-		SVN checkouts before 2010-07-03 08:40 UTC
-
-Not affected:	bogofilter 1.2.2
-
-1. Background
-=============
-
-Bogofilter is a software package for classifying a message as spam or
-non-spam.  It uses a data base to store words and must be trained
-which messages are spam and non-spam. It uses the probabilities of
-individual words for classifying the message.
-
-Note that the bogofilter project is issuing security announcements only
-for current "stable" releases, and not necessarily for past "stable"
-releases.
-
-2. Problem description
-======================
-
-Bogofilter's/bogolexer's base64 could overwrite memory before its heap
-buffer if the base64 input started with an equals sign, such as through
-misdeclaration of quoted-printable as base64.
-
-3. Impact
-=========
-
-Vulnerable bogofilter and bogolexer applications can corrupt their heap and
-crash. The consequences are dependent on the local configuration, memory
-layout and operating system features.
-
-4. Solution
-===========
-
-Upgrade your bogofilter to version 1.2.2 (or a newer release).
-This version may not yet be available when this security announcement is
-issued.
-
-bogofilter is available from SourceForge:
-<https://sourceforge.net/project/showfiles.php?group_id=62265>
-
-
-Alternatively, this patch to 1.2.1 would fix the issue:
-(Note that if you see "- -" at the beginnings of these lines,
-you need to run this file through gnupg or pgp to strip the signature
-and the "-"-escaping, or manually replace such line beginnings with
-"-"). This is an SVN diff of base64.c between revisions 6766 and 6906
-and comprises two change sets: 6904 and 6906.
-
-- --- ./src/base64.c	2009/01/12 04:27:36	6766
-+++ ./src/base64.c	2010/07/03 08:39:44	6906
-@@ -61,8 +61,10 @@
- 	    d[i] = c;
- 	    v = v >> 8;
- 	}
-- -	d += 3 - shorten;
-- -	count += 3 - shorten;
-+    if(shorten != 4) {
-+        d += 3 - shorten;
-+        count += 3 - shorten;
-+    }
-     }
-     /* XXX do we need this NUL byte? */
-     if (word->leng)
-
-
-A. Copyright, License and Warranty
-==================================
-
-(C) Copyright 2010 by Matthias Andree, <mat...@gm...>.
-Some rights reserved.
-
-This work is licenced under the Creative Commons
-Attribution-NonCommercial-NoDerivs 3.0 Unported License. To view a copy
-of this licence, visit http://creativecommons.org/licenses/by-nc-nd/3.0/
-or send a letter to Creative Commons, 171 Second Street, Suite 300, San
-Francisco, California 94105, USA.
-
-THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
-Use the information herein at your own risk.
-
-END of bogofilter-SA-2010-01
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v2.0.12 (GNU/Linux)
-
-iEYEARECAAYFAkwzlAkACgkQvmGDOQUufZU2RgCg8eOMJ3Ig3FCuB4M5QVhoG84f
-dfgAoJY1HmuaARWOTueXPJBhCSidC1LK
-=7zZI
------END PGP SIGNATURE-----

Copied: trunk/web/security/bogofilter-SA-2010-01.txt (from rev 7018, trunk/web/security/bogofilter-SA-2010-01)
===================================================================
--- trunk/web/security/bogofilter-SA-2010-01.txt	                        (rev 0)
+++ trunk/web/security/bogofilter-SA-2010-01.txt	2014-11-12 00:08:24 UTC (rev 7019)
@@ -0,0 +1,108 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+bogofilter-SA-2010-01
+
+Topic:		heap corruption overrun in bogofilter/bogolexer
+
+Announcement:	bogofilter-SA-2010-01
+Writer:		Matthias Andree
+Version:	1.0
+CVE ID:		CVE-2010-2494
+Announced:	2010-07-07
+Category:	vulnerability
+Type:		array index underflow/out of bounds write through invalid input
+Impact:		heap corruption, application crash
+Credits:	Julius Plenz
+Danger:		medium
+URL:		http://bogofilter.sourceforge.net/security/bogofilter-SA-2010-01
+
+Affected:	bogofilter <= 1.2.1
+		SVN checkouts before 2010-07-03 08:40 UTC
+
+Not affected:	bogofilter 1.2.2
+
+1. Background
+=============
+
+Bogofilter is a software package for classifying a message as spam or
+non-spam.  It uses a data base to store words and must be trained
+which messages are spam and non-spam. It uses the probabilities of
+individual words for classifying the message.
+
+Note that the bogofilter project is issuing security announcements only
+for current "stable" releases, and not necessarily for past "stable"
+releases.
+
+2. Problem description
+======================
+
+Bogofilter's/bogolexer's base64 could overwrite memory before its heap
+buffer if the base64 input started with an equals sign, such as through
+misdeclaration of quoted-printable as base64.
+
+3. Impact
+=========
+
+Vulnerable bogofilter and bogolexer applications can corrupt their heap and
+crash. The consequences are dependent on the local configuration, memory
+layout and operating system features.
+
+4. Solution
+===========
+
+Upgrade your bogofilter to version 1.2.2 (or a newer release).
+This version may not yet be available when this security announcement is
+issued.
+
+bogofilter is available from SourceForge:
+<https://sourceforge.net/project/showfiles.php?group_id=62265>
+
+
+Alternatively, this patch to 1.2.1 would fix the issue:
+(Note that if you see "- -" at the beginnings of these lines,
+you need to run this file through gnupg or pgp to strip the signature
+and the "-"-escaping, or manually replace such line beginnings with
+"-"). This is an SVN diff of base64.c between revisions 6766 and 6906
+and comprises two change sets: 6904 and 6906.
+
+- --- ./src/base64.c	2009/01/12 04:27:36	6766
++++ ./src/base64.c	2010/07/03 08:39:44	6906
+@@ -61,8 +61,10 @@
+ 	    d[i] = c;
+ 	    v = v >> 8;
+ 	}
+- -	d += 3 - shorten;
+- -	count += 3 - shorten;
++    if(shorten != 4) {
++        d += 3 - shorten;
++        count += 3 - shorten;
++    }
+     }
+     /* XXX do we need this NUL byte? */
+     if (word->leng)
+
+
+A. Copyright, License and Warranty
+==================================
+
+(C) Copyright 2010 by Matthias Andree, <mat...@gm...>.
+Some rights reserved.
+
+This work is licenced under the Creative Commons
+Attribution-NonCommercial-NoDerivs 3.0 Unported License. To view a copy
+of this licence, visit http://creativecommons.org/licenses/by-nc-nd/3.0/
+or send a letter to Creative Commons, 171 Second Street, Suite 300, San
+Francisco, California 94105, USA.
+
+THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
+Use the information herein at your own risk.
+
+END of bogofilter-SA-2010-01
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.0.12 (GNU/Linux)
+
+iEYEARECAAYFAkwzlAkACgkQvmGDOQUufZU2RgCg8eOMJ3Ig3FCuB4M5QVhoG84f
+dfgAoJY1HmuaARWOTueXPJBhCSidC1LK
+=7zZI
+-----END PGP SIGNATURE-----

Deleted: trunk/web/security/bogofilter-SA-2012-01
===================================================================
--- trunk/web/security/bogofilter-SA-2012-01	2014-07-22 17:40:08 UTC (rev 7018)
+++ trunk/web/security/bogofilter-SA-2012-01	2014-11-12 00:08:24 UTC (rev 7019)
@@ -1,89 +0,0 @@
------BEGIN PGP SIGNED MESSAGE-----
-Hash: SHA1
-
-bogofilter-SA-2012-01
-
-Topic:		heap corruption overrun in bogofilter/bogolexer
-
-Announcement:	bogofilter-SA-2012-01
-Writer:		Matthias Andree
-Version:	1.0
-CVE ID:		CVE-2012-5468
-Announced:	2012-12-03
-Category:	vulnerability
-Type:		out of bounds write through invalid input
-Impact:		heap corruption, application crash
-Credits:	Julius Plenz (FU Berlin, Germany)
-Danger:		medium
-URL:		http://bogofilter.sourceforge.net/security/bogofilter-SA-2012-01
-
-Affected:	bogofilter <= 1.2.2
-		SVN checkouts before 2012-10-19 UTC (-r6972)
-
-Not affected:	bogofilter 1.2.3 (r6973) and newer
-
-1. Background
-=============
-
-Bogofilter is a software package for classifying a message as spam or
-non-spam.  It uses a data base to store words and must be trained
-which messages are spam and non-spam. It uses the probabilities of
-individual words for classifying the message.
-
-Note that the bogofilter project is issuing security announcements only
-for current "stable" releases, and not necessarily for past "stable"
-releases.
-
-2. Problem description
-======================
-
-Julius Plenz figured out that bogofilter's/bogolexer's base64 could
-overwrite heap memory in the character set conversion in certain
-pathological cases of invalid base64 code that decodes to incomplete
-multibyte characters.
-
-3. Impact
-=========
-
-Vulnerable bogofilter/bogolexer applications can corrupt their heap and crash.
-
-4. Solution
-===========
-
-Upgrade your bogofilter to version 1.2.3 (or a newer release).
-
-bogofilter is available from SourceForge:
-<https://sourceforge.net/project/showfiles.php?group_id=62265>
-
-
-A. Copyright, License and Warranty
-==================================
-
-(C) Copyright 2012 by Matthias Andree, <mat...@gm...>.
-Some rights reserved.
-
-This work is licensed under the
-Creative Commons Attribution-NoDerivs 3.0 Germany License (CC BY-ND 3.0).
-
-To view a copy of this license, visit
-http://creativecommons.org/licenses/by-nd/3.0/de/deed.en
-or send a letter to:
-
-Creative Commons
-444 Castro Street
-Suite 900
-MOUNTAIN VIEW, CALIFORNIA 94041
-USA
-
-
-THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
-Use the information herein at your own risk.
-
-END of bogofilter-SA-2012-01
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1.4.11 (GNU/Linux)
-
-iEYEARECAAYFAlC9KosACgkQvmGDOQUufZUxXwCfdAbd4IgFVkuWmH7z65Wy1TT1
-SiAAoJRLEwWzYXv81dgdtR4jg7uHDrLQ
-=gQie
------END PGP SIGNATURE-----

Copied: trunk/web/security/bogofilter-SA-2012-01.txt (from rev 7018, trunk/web/security/bogofilter-SA-2012-01)
===================================================================
--- trunk/web/security/bogofilter-SA-2012-01.txt	                        (rev 0)
+++ trunk/web/security/bogofilter-SA-2012-01.txt	2014-11-12 00:08:24 UTC (rev 7019)
@@ -0,0 +1,89 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+bogofilter-SA-2012-01
+
+Topic:		heap corruption overrun in bogofilter/bogolexer
+
+Announcement:	bogofilter-SA-2012-01
+Writer:		Matthias Andree
+Version:	1.0
+CVE ID:		CVE-2012-5468
+Announced:	2012-12-03
+Category:	vulnerability
+Type:		out of bounds write through invalid input
+Impact:		heap corruption, application crash
+Credits:	Julius Plenz (FU Berlin, Germany)
+Danger:		medium
+URL:		http://bogofilter.sourceforge.net/security/bogofilter-SA-2012-01
+
+Affected:	bogofilter <= 1.2.2
+		SVN checkouts before 2012-10-19 UTC (-r6972)
+
+Not affected:	bogofilter 1.2.3 (r6973) and newer
+
+1. Background
+=============
+
+Bogofilter is a software package for classifying a message as spam or
+non-spam.  It uses a data base to store words and must be trained
+which messages are spam and non-spam. It uses the probabilities of
+individual words for classifying the message.
+
+Note that the bogofilter project is issuing security announcements only
+for current "stable" releases, and not necessarily for past "stable"
+releases.
+
+2. Problem description
+======================
+
+Julius Plenz figured out that bogofilter's/bogolexer's base64 could
+overwrite heap memory in the character set conversion in certain
+pathological cases of invalid base64 code that decodes to incomplete
+multibyte characters.
+
+3. Impact
+=========
+
+Vulnerable bogofilter/bogolexer applications can corrupt their heap and crash.
+
+4. Solution
+===========
+
+Upgrade your bogofilter to version 1.2.3 (or a newer release).
+
+bogofilter is available from SourceForge:
+<https://sourceforge.net/project/showfiles.php?group_id=62265>
+
+
+A. Copyright, License and Warranty
+==================================
+
+(C) Copyright 2012 by Matthias Andree, <mat...@gm...>.
+Some rights reserved.
+
+This work is licensed under the
+Creative Commons Attribution-NoDerivs 3.0 Germany License (CC BY-ND 3.0).
+
+To view a copy of this license, visit
+http://creativecommons.org/licenses/by-nd/3.0/de/deed.en
+or send a letter to:
+
+Creative Commons
+444 Castro Street
+Suite 900
+MOUNTAIN VIEW, CALIFORNIA 94041
+USA
+
+
+THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
+Use the information herein at your own risk.
+
+END of bogofilter-SA-2012-01
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.11 (GNU/Linux)
+
+iEYEARECAAYFAlC9KosACgkQvmGDOQUufZUxXwCfdAbd4IgFVkuWmH7z65Wy1TT1
+SiAAoJRLEwWzYXv81dgdtR4jg7uHDrLQ
+=gQie
+-----END PGP SIGNATURE-----

Modified: trunk/web/security/index.html
===================================================================
--- trunk/web/security/index.html	2014-07-22 17:40:08 UTC (rev 7018)
+++ trunk/web/security/index.html	2014-11-12 00:08:24 UTC (rev 7019)
@@ -25,30 +25,30 @@
 
   <ul>
       <li><a
-	  href="bogofilter-SA-2012-01">bogofilter-SA-2012-01/CVE-2012-5468:</a>
+	  href="bogofilter-SA-2012-01.txt">bogofilter-SA-2012-01/CVE-2012-5468:</a>
       bogofilter/bogolexer heap buffer overrun with base64 input that
       decodes to invalid multi-byte characters (versions up to and
       including 1.2.2).
       <li><a
-	  href="bogofilter-SA-2010-01">bogofilter-SA-2010-01/CVE-2010-2494:</a>
+	  href="bogofilter-SA-2010-01.txt">bogofilter-SA-2010-01/CVE-2010-2494:</a>
       bogofilter/bogolexer heap buffer underrun (1 byte) with invalid
       base64 input (versions up to and including 1.2.1).</li>
     <li><a href=
-    "bogofilter-SA-2005-02">bogofilter-SA-2005-02/CVE-2005-4592:</a>
+    "bogofilter-SA-2005-02.txt">bogofilter-SA-2005-02/CVE-2005-4592:</a>
     bogofilter/bogolexer heap buffer overrun with words &gt; 16
     kBytes (version 0.96.2).</li>
 
     <li><a href=
-    "bogofilter-SA-2005-01">bogofilter-SA-2005-01/CVE-2005-4591:</a>
+    "bogofilter-SA-2005-01.txt">bogofilter-SA-2005-01/CVE-2005-4591:</a>
     bogofilter/bogolexer heap buffer overrun with invalid input
     sequences (0.93.5 &le; versions &le; 0.96.2).</li>
 
     <li><a href=
-    "bogofilter-SA-2004-01">bogofilter-SA-2004-01/CVE-2004-1007:
+    "bogofilter-SA-2004-01.txt">bogofilter-SA-2004-01/CVE-2004-1007:
     rfc2047crash:</a> RFC-2047 decoding vulnerability (0.17.4 &le;
     versions &le; 0.92.7).</li>
 
-    <li><a href="bogofilter-SA-2002-01">bogofilter-SA-2002-01:</a>
+    <li><a href="bogofilter-SA-2002-01.txt">bogofilter-SA-2002-01:</a>
     bogopass: contributed script insecure temporary file handling
     (version 0.9.0.4).</li>
   </ul>

This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.