libxml2 - will it be updated? (security vulnerability)

Igor Roshchin str at komkon.org
Mon Oct 20 14:35:50 UTC 2008


Jeremy, no, I don't know of patches for 2.6.32.
I am only aware of the problem from portaudit:
Type of problem: libxml2 -- two vulnerabilities.
Reference:
<http://www.FreeBSD.org/ports/portaudit/d71da236-9a94-11dd-8f42-001c2514716c.html>
I am not using Gnome, but many other ports are using this library
(to name a few: openwebmail, ImageMagick, squirrelmail, many of php5-*).


BTW, it is not clear to a person who doesn't deal with the freebsd-gnome
mailing list that a message sent to gnome at freebsd.org (which is listed
as "Maintained by" in libxml2 and several other ports) gets posted
to the freebsd-gnome mailing list. As a result, such a person would not
receive any reply unless his/her address is added in Cc:.

I would suggest that
1. people responding to the thread should keep the original poster in
Cc:
2. somehow, it should be clearly documented in ports (including the
web-interface at http://www.freebsd.org/ports/ ) that gnome at freebsd.org
is the same as the freebsd-gnome list.

3. Speaking of the patch: having been using FreeBSD for more than 12
years, I am clueless what "MC ports" means. Upon searching in Google,
I found that the expression "MC ports" is used mostly by you, Jeremy.
So, let me confess that for some "gnome-uninitiated" FreeBSD users
who use libxml2, which is used by ports other than gnome-related ones,
it is totally unclear what is written in your response to the PR.
"Slush" is yet another piece of jargon that needs explanation.

Upon further search, I found that MC ports probably refers to
http://www.marcuscom.com:8080/cgi-bin/cvsweb.cgi/
"Slush" remains a mystery, even though I might guess that it is
somehow related to the Gnome release cycle.

Thank you,

Igor



Fri Oct 17 17:14:24 UTC 2008
Jeremy Messenger mezz7 at cox.net wrote:

On Fri, 17 Oct 2008 13:17:42 -0000, Igor Roshchin <str at komkon.org>
wrote:
>
> Hello!
>
> libxml2, which is used by various applications outside of Gnome itself,
> is reported to have known security vulnerabilities.
> I just looked at the libxml2 website and I see that FreeBSD ports are
> several versions (and about half a year) behind the source.
> (The version 2.7, which presumably fixed the problem, was released on
> Aug. 30, while the FreeBSD port is stuck at 2.6.32: Apr 8 2008.)
>
> I do not mean to blame anybody (I know that there was a port freeze
> recently); I am just trying to alert the people in
> charge of this port, in case it slipped through the cracks.

The 2.7.0 and 2.7.1 are too buggy, and broke many things. The 2.7.2
(fixed bugs) seems to be better, but I do not trust it to get into FreeBSD
ports during the slush. If you can point me to where the security patch(es)
for 2.6.32 are, I will be happy to put them in the FreeBSD port, then bump it.

Cheers,
Mezz
