| Field | Value |
|---|---|
| Summary | textproc/libxslt: Fix CVE-2019-18197 |
| Product | Ports & Packages |
| Reporter | Nathan <ndowens04> |
| Component | Individual Port(s) |
| Assignee | freebsd-gnome (Nobody) <gnome> |
| Status | Closed Overcome By Events |
| Severity | Affects Many People |
| CC | gnome, ndowens04, ports-secteam, w.schwarzenfeld |
| Priority | Normal |
| Keywords | security |
| Version | Latest |
| Flags | bugzilla: maintainer-feedback? (gnome); koobs: merge-quarterly? |
| Hardware | Any |
| OS | Any |
| URL | w.schwarzenfeld@utanet.at |
| See Also | https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=239131 |
| Bug Depends on | |
| Bug Blocks | 239131 |
| Attachments | |
Description
Nathan
2019-10-22 20:13:28 UTC
Created attachment 208515 [details]
Fix CVE, close #239131
Remove patch prefixes
Pending VuXML entry Created attachment 208538 [details]
VuXML patch
Added entry for VuXML file
Comment on attachment 208515 [details] Fix CVE, close #239131
>--- textproc/libxslt/Makefile >+++ textproc/libxslt/Makefile >@@ -3,9 +3,9 @@ > > PORTNAME= libxslt > PORTVERSION= 1.1.33 >+PORTREVISION= 1 > CATEGORIES?= textproc gnome >-MASTER_SITES= http://xmlsoft.org/sources/ \ >- https://mirror.umd.edu/xbmc/build-deps/sources/ >+MASTER_SITES= https://ftp.osuosl.org/pub/blfs/conglomeration/libxslt/

Do we really want to use an unofficial site as the only MASTER_SITES?

(In reply to Ting-Wei Lan from comment #4)
osuosl is a mirror for many FOSS projects, and the other one did not have the new version either, 404

Created attachment 208586 [details]
CVE-2019-18197 patch
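Review bot: The MASTER_SITES change in the attachment 208515 Makefile hunk removes the official upstream location (http://xmlsoft.org/sources/) altogether and leaves https://ftp.osuosl.org/pub/blfs/conglomeration/libxslt/ as the single fetch site, so every build of the port now depends on one third-party mirror staying reachable and in sync; keep the official site first and add the mirror as a fallback on a continuation line, `MASTER_SITES= http://xmlsoft.org/sources/ \` followed by the osuosl URL. The `PORTREVISION= 1` bump is the right thing for a patch-only change with PORTVERSION still at 1.1.33, but nothing in the quoted hunk says which upstream change the CVE-2019-18197 fix corresponds to; a reference in the files/patch-* header (or in the commit message) would let a reviewer match the port patch against upstream.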
Comment on attachment 208586 [details] CVE-2019-18197 patch
>--- a/textproc/libxslt/Makefile >+++ b/textproc/libxslt/Makefile >@@ -3,9 +3,10 @@ > > PORTNAME= libxslt > PORTVERSION= 1.1.33 >+PORTREVISION= 1 > CATEGORIES?= textproc gnome >-MASTER_SITES= http://xmlsoft.org/sources/ \ >- https://mirror.umd.edu/xbmc/build-deps/sources/ >+MASTER_SITES= https://ftp.osuosl.org/pub/blfs/conglomeration/libxslt/ \ >+ ftp://xmlsoft.org/libxslt/

I still don't understand why we want to prefer an unofficial site to the official site. I don't think HTTPS can give any extra security when it is not an official site. Also, FreeBSD ports disable certificate verification by default. I guess the only benefit is that it is less likely to be blocked by firewalls.

We have version 1.1.34. The changes in transform.c are in the code. Close - overcome by events.
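Review bot: The attachment 208586 hunk brings an official xmlsoft.org location back, but only as the second entry and at a different URL than the one being removed (ftp://xmlsoft.org/libxslt/ instead of http://xmlsoft.org/sources/), so the unofficial osuosl mirror is still the site tried first, which is exactly the objection in the comment above; swap the order so the official site leads and the mirror is the fallback, and confirm that the new ftp path actually serves the 1.1.33 tarball, since the hunk gives no evidence that it does. On the HTTPS point raised here: with certificate verification off, the URL scheme contributes nothing to integrity, and what pins the fetched tarball is the checksum in distinfo; this hunk does not touch distinfo, which is consistent with PORTVERSION being unchanged, but the commit message should say so explicitly.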