Re: git: dceb46fc8a6e - main - textproc/libxml2, textproc/libxslt: vulnerable

From: Kevin Bowling <kevin.bowling_at_kev009.com>
Date: Mon, 14 Jul 2025 07:01:28 UTC

On Sun, Jul 13, 2025 at 10:25 AM Michael Osipov <michaelo@freebsd.org> wrote:
>
> On 2025-07-12 11:13, Matthias Andree wrote:
> > The branch main has been updated by mandree:
> >
> > URL: https://cgit.FreeBSD.org/ports/commit/?id=dceb46fc8a6eea281dbafc46e6452a9d82550b09
> >
> > commit dceb46fc8a6eea281dbafc46e6452a9d82550b09
> > Author:     Matthias Andree <mandree@FreeBSD.org>
> > AuthorDate: 2025-07-12 09:10:11 +0000
> > Commit:     Matthias Andree <mandree@FreeBSD.org>
> > CommitDate: 2025-07-12 09:13:36 +0000
> >
> >      textproc/libxml2, textproc/libxslt: vulnerable
> >
> >      Note that libxslt is vulnerable, unfixed, and without maintainer.
> >      Two of four vulnerabilities have been fixed.
> >
> >      Note that libxml2 in our ports is vulnerable and there is no upstream
> >      release fixing these bugs, they need cherry-picks.
>
> Let me get this straight: If the port is not fixed within the next two
> months you are going to remove it from the tree? Looking at the reverse
> dependency tree in FreshPorts that would be devastating...

This would, humorously, have the effect of deadening VuXML itself.

> Is this your intention?
>
> Michael