all GNOME all xmlto vulnerable thru libxslt (Fwd: git: dceb46fc8a6e - main - textproc/libxml2, textproc/libxslt: vulnerable)

From: Matthias Andree <mandree_at_FreeBSD.org>
Date: Sat, 12 Jul 2025 09:32:56 UTC
Greetings,

We're in a dependency mess with a high-profile port vulnerable and 
unmaintained, <https://xkcd.com/2347/>, namely textproc/libxslt.

We also have five unpatched libxml2 vulnerabilities, I have not assessed 
whether the patches are up for cherry-picking and whether they are 
breaking changes or just implementation fixes.

Some of the patches discussed upstream in the issue trackers seem to 
somehow break ABI and/or API and at least require recompilation of 
users, so we can't just cherry-pick patches.

2945 port records in ports/INDEX-14 depend on libxslt (including 
indirects), which has no maintainer and four known security 
vulnerabilities, of which two are disclosed.

Shy of 300 ports files reference libxslt at a /usr/ports/*/*/* level, 
counting five slashes like so:

rg libxslt /usr/ports -l | tr -cd $'/\n' | grep '^/////$' | wc -l

Some 100 ports reference xmlto or minixmlto, which also directly depend 
on libxslt.

(I have committed a vuln.xml entry earlier.)


Tough times...

Matthias
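As an added example, not part of the original mail or of the FreeBSD ports tree: a small shell script that does the same count as the rg | tr | grep pipeline in the mail, but against a constructed miniature ports tree built in a temp directory. It selects the /usr/ports/*/*/* level with find -mindepth/-maxdepth (a GNU and BSD find extension, not strict POSIX) instead of counting slashes, so the answer does not depend on the prefix the tree is checked out under, and it additionally reports distinct ports rather than files, so a port whose Makefile and pkg-descr both mention the library counts once. The port names used are real ports; the file contents are made up for the demo, and the depth-4 files/ patch and the depth-2 Mk/ file are there to show what the depth filter excludes.

```shell
#!/bin/sh
# Added example (not from the original mail): count how many port files, and
# how many distinct ports, mention a library at the <tree>/<category>/<port>/<file>
# level, i.e. the "five slashes" of /usr/ports/*/*/* in the mail. Depth is taken
# from find rather than from counting slashes, so any tree prefix works.

# count_ref_files TREE PATTERN: files at exactly TREE/*/*/* whose contents match PATTERN.
count_ref_files() {
    find "$1" -mindepth 3 -maxdepth 3 -type f -exec grep -l -- "$2" {} + \
        | wc -l | tr -d ' '
}

# count_ref_ports TREE PATTERN: distinct TREE/<category>/<port> directories that
# have at least one matching file at that level (Makefile + pkg-descr count once).
count_ref_ports() {
    find "$1" -mindepth 3 -maxdepth 3 -type f -exec grep -l -- "$2" {} + \
        | sed 's,/[^/]*$,,' | sort -u | wc -l | tr -d ' '
}

# make_sample_tree: build a constructed miniature ports tree in a temp dir and
# print its path. Port names are real FreeBSD ports; file contents are made up.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/textproc/libxslt/files" "$t/textproc/xmlto" \
             "$t/x11/gnome-shell" "$t/www/nginx" "$t/Mk"
    printf 'PORTNAME=\tlibxslt\n' > "$t/textproc/libxslt/Makefile"
    # depth 4 (a files/ patch): mentions libxslt but must not be counted
    printf '--- libxslt patch at depth 4\n' > "$t/textproc/libxslt/files/patch-x"
    printf 'LIB_DEPENDS=\tlibxslt.so:textproc/libxslt\n' > "$t/textproc/xmlto/Makefile"
    printf 'xmlto uses libxslt to convert XML.\n' > "$t/textproc/xmlto/pkg-descr"
    printf 'LIB_DEPENDS=\tlibxslt.so:textproc/libxslt\n' > "$t/x11/gnome-shell/Makefile"
    printf 'PORTNAME=\tnginx\n' > "$t/www/nginx/Makefile"
    # depth 2 (framework file): mentions libxslt but must not be counted
    printf '# libxslt mentioned at depth 2\n' > "$t/Mk/bsd.gnome.mk"
    echo "$t"
}

tree=$(make_sample_tree)
echo "files referencing libxslt at */*/*: $(count_ref_files "$tree" libxslt)"  # 4
echo "ports referencing libxslt:          $(count_ref_ports "$tree" libxslt)"  # 3
rm -rf "$tree"
```

To run it against a real checkout, replace the constructed tree with the path of the ports tree (for example count_ref_ports /usr/ports libxslt); the rg pipeline in the mail additionally honours .gitignore and skips dotfiles, which grep -l does not, so the two counts can differ slightly on a real tree.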