[Bug 287391] textproc/libxml2: security patches for 2.11.9 and audit code that the patches don't miss other similar bugs in same code
Date: Wed, 25 Jun 2025 09:45:54 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=287391
Matthias Andree <mandree@FreeBSD.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |mandree@FreeBSD.org, portmgr@FreeBSD.org
Status|Closed |Open
Resolution|FIXED |---
Summary|textproc/libxml2: security patches for 2.11.9 |textproc/libxml2: security patches for 2.11.9 and audit code that the patches don't miss other similar bugs in same code
--- Comment #40 from Matthias Andree <mandree@FreeBSD.org> ---
(In reply to Charlie Li from comment #36)
And if what upstream does matters to us, we should stop wasting time on
backporting stuff and possibly missing fixes because nobody looked at the older
version, and instead move forward to the "upstream-supported versions" that get
the proper public attention so we're less likely to miss things.
We're not done here with backporting matters, we also need to audit the entire
libxml2 source code that the backport of security fixes didn't miss code that
got fixed or removed for later versions. Quite obviously we must look what's
what if libxml 2.14.X fixes five CVEs and here we're dealing with three.
Reopening and rewriting.
If we cannot muster the workforce, we have no choice but to update to a fixed
patchlevel release of a supported branch. Before 2025Q3.