From: bugzilla-noreply@freebsd.org
To: desktop@FreeBSD.org
Subject: [Bug 287391] textproc/libxml2: security patches for 2.11.9 and audit code that the patches don't miss other similar bugs in same code
Date: Wed, 25 Jun 2025 09:45:54 +0000
List-Id: Using and improving FreeBSD on the desktop
List-Archive: https://lists.freebsd.org/archives/freebsd-desktop

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=287391

Matthias Andree changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mandree@FreeBSD.org,
                   |                            |portmgr@FreeBSD.org
             Status|Closed                      |Open
         Resolution|FIXED                       |---
            Summary|textproc/libxml2: security  |textproc/libxml2: security
                   |patches for 2.11.9          |patches for 2.11.9 and
                   |                            |audit code that the patches
                   |                            |don't miss other similar
                   |                            |bugs in same code

--- Comment #40 from Matthias Andree ---
(In reply to Charlie Li from comment #36)

And if what upstream does matters to us, we should stop wasting time on backporting stuff and possibly missing fixes because nobody looked at the older version, and instead move forward to the "upstream-supported versions" that get the proper public attention, so we're less likely to miss things.

We're not done here with backporting matters; we also need to audit the entire libxml2 source code so that the backport of security fixes didn't miss code that got fixed or removed in later versions.

Quite obviously we must look at what's what if libxml 2.14.X fixes five CVEs and here we're dealing with three.

Reopening and rewriting.

If we cannot muster the workforce, we have no choice but to update to a fixed patchlevel release of a supported branch. Before 2025Q3.

-- 
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.