[Bug 287391] textproc/libxml2: security patches for 2.11.9

From: <bugzilla-noreply_at_freebsd.org>
Date: Tue, 10 Jun 2025 16:55:08 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=287391

Daniel Engberg <diizzy@FreeBSD.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |diizzy@FreeBSD.org

--- Comment #6 from Daniel Engberg <diizzy@FreeBSD.org> ---
As someone who has been trying to push a version that is supported upstream, I'm
not too fond of this idea. The 2.11 branch is dead and unsupported upstream; there
have been many changes to internal code between 2.11 and 2.14, so I would suggest
that further investigation needs to be done to ensure that functionality is
retained as intended, and there are more CVEs, but I didn't list all of them in VuXML.

https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=libxml2

These are new, and fixes have been committed upstream:
https://gitlab.gnome.org/GNOME/libxml2/-/issues/932
https://gitlab.gnome.org/GNOME/libxml2/-/issues/931
https://gitlab.gnome.org/GNOME/libxml2/-/issues/933

We do have a pretty much final version (PR 279705); however, there are a few
fallouts left. In case you're wondering why there are two versions, the
CMake version has been used for testing pretty much the whole time, including
fixing PRs, except for the last exp-run (which is pretty much identical to the
previous one). The current one also includes upstream commits (various bug fixes
etc.) which are to be included in the next release for the 2.14 branch, which the other
version lacks. Charlie is the only one blocking it (so if you want to get it going
I'd suggest you ask portmgr for a final decision, further testing as it has
received a lot less testing and evaluation) if we go that route.
