Date: Mon, 20 Oct 2008 16:22:09 -0000
From: "Jeremy Messenger" <mezz7@cox.net>
To: "Igor Roshchin" <str@komkon.org>
Cc: gnome@freebsd.org
Subject: Re: libxml2 - will it be updated? (security vulnerability)
Message-ID: <op.ujbzq7x89aq2h7@localhost>
In-Reply-To: <200810201435.m9KEZX7i099108@trantor.komkon.org>
References: <200810201435.m9KEZX7i099108@trantor.komkon.org>

Committed fix.

On Mon, 20 Oct 2008 14:35:33 -0000, Igor Roshchin <str@komkon.org> wrote:

>
> Jeremy, no, I don't know of patches for 2.6.32.
> I am only aware of the problem from the portaudit:
> Type of problem: libxml2 -- two vulnerabilities.
> Reference:
> <http://www.FreeBSD.org/ports/portaudit/d71da236-9a94-11dd-8f42-001c2514716c.html>
> I am not using Gnome, but many other ports are using this library
> (to name a few: openwebmail, ImageMagick, squirrelmail, many of php5-*).
>
>
> BTW, it is not clear to a person who doesn't deal with the freebsd-gnome
> mailing list that a message sent to gnome@freebsd.org (which is listed
> as "Maintained by" in libxml2 and several other ports) gets posted
> to the freebsd-gnome mailing list. As a result, such a person would not
> receive any reply unless his/her address is added in Cc:.
>
> I would suggest that
> 1. people responding to the thread should keep the original poster in
> Cc:
> 2. somehow, it should be clearly documented in ports (including the
> web-interface at http://www.freebsd.org/ports/ ) - that gnome@freebsd.org
> is the same as the freebsd-gnome list.
>
> 3. Speaking of the patch, - having been using FreeBSD for more than 12
> years, I am clueless what "MC ports" means. Upon searching in Google,
> I found that the expression "MC ports" is used mostly by you, Jeremy.
> So, let me confess that for some "gnome-uninitiated" FreeBSD users
> who use libxml2 which is used by ports other than gnome-related,
> it is totally unclear what is written in your response to the PR.
> "Slush" is yet another jargon that needs explanation.
>
> Upon further search, I found that MC ports probably refers to
> http://www.marcuscom.com:8080/cgi-bin/cvsweb.cgi/
> "Slush" remains a mystery, even though I might guess that it is
> somehow related to the Gnome release cycle.
>
> Thank you,
>
> Igor
>
>
>
> Fri Oct 17 17:14:24 UTC 2008
> Jeremy Messenger mezz7 at cox.net wrote:
>
> On Fri, 17 Oct 2008 13:17:42 -0000, Igor Roshchin <str at komkon.org>
> wrote:
>>
>> Hello!
>>
>> libxml2 which is used by various applications outside of Gnome itself
>> is reported to have known security vulnerabilities.
>> I just looked at libxml2 website and I see that FreeBSD ports are
>> several versions (and about half a year) behind the source.
>> (the version 2.7 which presumably fixed the problem was released on
>> Aug. 30, while FreeBSD port is stuck at 2.6.32: Apr 8 2008)
>>
>> I do not mean to blame anybody (I know that there was a port freeze
>> recently), - I am just trying to alert people in
>> charge for this port, in case it slipped through the cracks.
>
> The 2.7.0 and 2.7.1 are too buggy, and broke a lot of stuff. The 2.7.2
> (fixed bugs) seems to be better, but I do not trust it to get into
> FreeBSD ports during the slush. If you can point me to security
> patch(es) for 2.6.32, I will be happy to put it in the FreeBSD port,
> then bump it.
>
> Cheers,
> Mezz

--
mezz7@cox.net - mezz@FreeBSD.org
FreeBSD GNOME Team
http://www.FreeBSD.org/gnome/ - gnome@FreeBSD.org