https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=287391
Matthias Andree <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[email protected],
                   |                            |[email protected]
             Status|Closed                      |Open
         Resolution|FIXED                       |---
            Summary|textproc/libxml2: security  |textproc/libxml2: security
                   |patches for 2.11.9          |patches for 2.11.9 and
                   |                            |audit code that the patches
                   |                            |don't miss other similar
                   |                            |bugs in same code

--- Comment #40 from Matthias Andree <[email protected]> ---
(In reply to Charlie Li from comment #36)

And if what upstream does matters to us, we should stop wasting time on backporting stuff and possibly missing fixes because nobody looked at the older version, and instead move forward to the "upstream-supported versions" that get the proper public attention, so we're less likely to miss things.

We're not done here with backporting matters; we also need to audit the entire libxml2 source code to make sure the backport of security fixes didn't miss code that got fixed or removed in later versions. Quite obviously we must look at what's what if libxml 2.14.X fixes five CVEs and here we're dealing with three.

Reopening and rewriting.

If we cannot muster the workforce, we have no choice but to update to a fixed patchlevel release of a supported branch. Before 2025Q3.

-- 
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
