From: "Jeremy Messenger"
Date: Mon, 20 Oct 2008 16:22:09 -0000
To: "Igor Roshchin"
Cc: gnome@freebsd.org
Subject: Re: libxml2 - will it be updated? (security vulnerability)

Committed fix.

On Mon, 20 Oct 2008 14:35:33 -0000, Igor Roshchin wrote:

>
> Jeremy, no, I don't know patches for 2.6.32.
> I am only aware of the problem from the portaudit:
> Type of problem: libxml2 -- two vulnerabilities.
> Reference:
>
> I am not using Gnome, but many other ports are using this library
> (to name a few: openwebmail, ImageMagick, squirrelmail, many of php5-*).
>
>
> BTW, it is not clear to a person who doesn't deal with freebsd-gnome
> mailing list that a message sent to gnome@freebsd.org (which is listed
> as "Maintained by" in libxml2 and several other ports) gets posted
> to freebsd-gnome mailing list. As a result, such a person would not
> receive any reply unless his/her address is added in Cc:.
>
> I would suggest that
> 1. people responding to the thread should keep the original poster in Cc:
> 2. somehow, it should be clearly documented in ports (including the
> web-interface at http://www.freebsd.org/ports/ ) - that gnome@freebsd.org
> is the same as freebsd-gnome list.
>
> 3. Speaking of the patch, - having been using FreeBSD for more than 12
> years, I am clueless what "MC ports" means. Upon searching in Google,
> I found that the expression "MC ports" is used mostly by you, Jeremy.
> So, let me confess that for some "gnome-uninitiated" FreeBSD users
> who use libxml2 which is used by ports other than gnome-related,
> it is totally unclear what is written in your response to the PR.
> "Slush" is yet another jargon that needs explanation.
>
> Upon further search, I found that MC ports probably refers to
> http://www.marcuscom.com:8080/cgi-bin/cvsweb.cgi/
> "Slush" remains a mystery, even though I might guess that it is
> somehow related to the Gnome release cycle.
>
> Thank you,
>
> Igor
>
>
>
> Fri Oct 17 17:14:24 UTC 2008
> Jeremy Messenger mezz7 at cox.net wrote:
>
> On Fri, 17 Oct 2008 13:17:42 -0000, Igor Roshchin wrote:
>>
>> Hello!
>>
>> libxml2 which is used by various applications outside of Gnome itself
>> is reported to have known security vulnerabilities.
>> I just looked at libxml2 website and I see that FreeBSD ports are
>> several versions (and about half a year) behind the source.
>> (the version 2.7 which presumably fixed the problem was released on
>> Aug. 30, while FreeBSD port is stuck at 2.6.32: Apr 8 2008)
>>
>> I do not mean to blame anybody (I know that there was a port freeze
>> recently), - I am just trying to alert people in
>> charge for this port, in case it slipped through the cracks.
>
> The 2.7.0 and 2.7.1 are too buggy, and broke many things. The 2.7.2
> (fixed bugs) seems to be better, but I do not trust it to get into
> FreeBSD ports during the slush. If you can point me to where the
> security patch(es) for 2.6.32 are, I will be happy to put them in the
> FreeBSD port, then bump it.
>
> Cheers,
> Mezz

--
mezz7@cox.net - mezz@FreeBSD.org
FreeBSD GNOME Team
http://www.FreeBSD.org/gnome/ - gnome@FreeBSD.org