Summary: | textproc/libxml2: SecurityUpdate to 2.10.4 | |
---|---|---|---
Product: | Ports & Packages | Reporter: | takefu
Component: | Individual Port(s) | Assignee: | Dima Panov <fluffy>
Status: | Closed FIXED | |
Severity: | Affects Only Me | CC: | arnaud, asomers, fabian, fluffy, frank, george, ish, kirill, michael.osipov, ml, nevecherya, vidar
Priority: | --- | Flags: | bugzilla: maintainer-feedback? (desktop)
Version: | Latest | |
Hardware: | Any | |
OS: | Any | |

bug #262613 should be closed.

Created attachment 241722
Reformatted patch

(In reply to takefu from comment #0)
I have taken your patch and reformatted it more conventionally, so one can cd to /usr/ports and patch -p1 <reformatted-patch and have it apply cleanly. It's still the same patch.

A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=acd6567eeccaba062051ae4571c3d20c355383ac

commit acd6567eeccaba062051ae4571c3d20c355383ac
Author: Dima Panov <fluffy@FreeBSD.org>
AuthorDate: 2023-04-27 18:07:36 +0000
Commit: Dima Panov <fluffy@FreeBSD.org>
CommitDate: 2023-04-27 18:25:56 +0000

textproc/libxml2: update to 2.10.14 security release (+)

- [CVE-2023-29469] Hashing of empty dict strings isn't deterministic
- [CVE-2023-28484] Fix null deref in xmlSchemaFixupComplexType
- schemas: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK
- SAX2: Ignore namespaces in HTML documents
- io: Fix "buffer full" error with certain buffer sizes

PR: 270906
Security: 0bd7f07b-dc22-11ed-bf28-589cfc0f81b0
Sponsored by: Serenity Cybersecurity, LLC

textproc/libxml2/Makefile | 22 ++++++++++------------
textproc/libxml2/distinfo | 6 +++---
2 files changed, 13 insertions(+), 15 deletions(-)

Updated, thanks

Any chance for 2023Q2?

A commit in branch 2023Q2 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=11a2be5f1911d9e357a87eb302d84d3adf16a783

commit 11a2be5f1911d9e357a87eb302d84d3adf16a783
Author: Dima Panov <fluffy@FreeBSD.org>
AuthorDate: 2023-04-27 18:07:36 +0000
Commit: Dima Panov <fluffy@FreeBSD.org>
CommitDate: 2023-04-27 22:58:04 +0000

textproc/libxml2: update to 2.10.14 security release (+)

- [CVE-2023-29469] Hashing of empty dict strings isn't deterministic
- [CVE-2023-28484] Fix null deref in xmlSchemaFixupComplexType
- schemas: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK
- SAX2: Ignore namespaces in HTML documents
- io: Fix "buffer full" error with certain buffer sizes

PR: 270906
Security: 0bd7f07b-dc22-11ed-bf28-589cfc0f81b0
Sponsored by: Serenity Cybersecurity, LLC

(cherry picked from commit acd6567eeccaba062051ae4571c3d20c355383ac)

textproc/libxml2/Makefile | 23 +++++++++++------------
textproc/libxml2/distinfo | 6 +++---
2 files changed, 14 insertions(+), 15 deletions(-)

Created attachment 241552
libxml2-2.10.4.patch

fix: PORTCLIPPY(1) Compliant LIBXML2_SLAVE STRIP shared object files

v2.10.4: Apr 11 2023

### Security

- [CVE-2023-29469] Hashing of empty dict strings isn't deterministic
- [CVE-2023-28484] Fix null deref in xmlSchemaFixupComplexType
- schemas: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK

### Regressions

- SAX2: Ignore namespaces in HTML documents
- io: Fix "buffer full" error with certain buffer sizes