Created attachment 225587
Patch for libxml2
Update libxml2 to 2.9.12
Backport following commits:
https://gitlab.gnome.org/GNOME/libxml2/-/commit/85b1792e37b131e7a51af98a37f92472e8de5f3f
https://gitlab.gnome.org/GNOME/libxml2/-/commit/13ad8736d294536da4cbcd70a96b0a2fbf47070c
https://gitlab.gnome.org/GNOME/libxml2/-/commit/3e1aad4fe584747fd7d17cc7b2863a78e2d21a77
Compile and runtime tested on 13.0-STABLE #0 stable/13-n245227-5ec4eb443e8 (amd64) (make, make check-plist, make test)
Poudriere testport OK 12.2-RELEASE (amd64)
Poudriere testport OK 11.4-RELEASE (amd64)
textproc/py-libxml2:
Poudriere testport OK 12.2-RELEASE (amd64)
Poudriere testport OK 11.4-RELEASE (amd64)
When compiling tests -pthread needs to be passed, not sure how to handle that in a nice way (see patch).
^Triage: Security and bugfix releases, MFH.
@Daniel Is there a canonical source for the 2.9.10-12 release notes? I see only a single CVE reference for .11 (CVE-2021-3541) but see other CVEs being referenced elsewhere online that affect .10 too.
CVE-2019-20388
CVE-2020-24977
CVE-2021-3517
CVE-2021-3518
CVE-2021-3537
CVE-2021-3516
CVE-2020-7595
@Koobs
https://gitlab.gnome.org/GNOME/libxml2/-/commit/b48e77cf4f6fa0792c5f4b639707a2b0675e461b
That's the only commit between .11 and .12.
There's no (to my knowledge) other source by upstream except for the commit log.
Created attachment 225669
Patch for libxml2 v2
Fix tests
Created attachment 225761
Patch for libxml2 v3
Backport https://gitlab.gnome.org/GNOME/libxml2/-/commit/92d9ab4c28842a09ca2b76d3ff2f933e01b6cd6f
A commit in branch main references this bug:
URL: https://cgit.FreeBSD.org/ports/commit/?id=4c0c936fe9f8e602e56b1b0862e2cfa538cea219
commit 4c0c936fe9f8e602e56b1b0862e2cfa538cea219
Author: Daniel Engberg <daniel.engberg.lists@pyret.net>
AuthorDate: 2021-06-16 15:33:04 +0000
Commit: Gleb Popov <arrowd@FreeBSD.org>
CommitDate: 2021-06-21 21:19:10 +0000
    textproc/libxml2: Update to 2.9.12
    PR: 256436
    Reviewed by: arrowd
    Tested by: arrowd
 textproc/libxml2/Makefile | 39 ++--
 textproc/libxml2/distinfo | 14 +-
 textproc/libxml2/files/patch-CVE-2019-20388 (gone) | 33 ----
 textproc/libxml2/files/patch-CVE-2020-24977 (gone) | 36 ----
 textproc/libxml2/files/patch-CVE-2020-7595 (gone) | 32 ----
 textproc/libxml2/files/patch-CVE-2021-3541 (gone) | 67 -------
 textproc/libxml2/files/patch-Makefile.in | 26 ++-
 .../libxml2/files/patch-Python-39-support (gone) | 92 ---------
 ...-85b1792e37b131e7a51af98a37f92472e8de5f3f (new) | 211 +++++++++++++++++++++
 ...-13ad8736d294536da4cbcd70a96b0a2fbf47070c (new) | 46 +++++
 ...-3e1aad4fe584747fd7d17cc7b2863a78e2d21a77 (new) | 31 +++
 ...-92d9ab4c28842a09ca2b76d3ff2f933e01b6cd6f (new) | 43 +++++
 ...106757e8c1e26ad9b8c924c7f304074b79e082c5 (gone) | 39 ----
 13 files changed, 378 insertions(+), 331 deletions(-)
Pushed in, thanks.
Not sure on how to write a vuxml entry as upstream doesn't directly refer to multiple CVEs.