Created attachment 208512: Fix CVE, close #239131

I have created a patch for CVE-2019-18197, listed here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18197 ; I have cherry-picked the commit from the URL listed. I also included a patch for the suggestion in bug #239131, to close that bug as well.
Created attachment 208515: Fix CVE, close #239131

Remove patch prefixes.
Pending VuXML entry
Created attachment 208538: VuXML patch

Added entry for VuXML file.
Comment on attachment 208515 [details] Fix CVE, close #239131 >--- textproc/libxslt/Makefile >+++ textproc/libxslt/Makefile >@@ -3,9 +3,9 @@ > > PORTNAME= libxslt > PORTVERSION= 1.1.33 >+PORTREVISION= 1 > CATEGORIES?= textproc gnome >-MASTER_SITES= http://xmlsoft.org/sources/ \ >- https://mirror.umd.edu/xbmc/build-deps/sources/ >+MASTER_SITES= https://ftp.osuosl.org/pub/blfs/conglomeration/libxslt/ Do we really want to use an unofficial site as the only MASTER_SITES?
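Review bot: the MASTER_SITES change in this hunk leaves the third-party mirror https://ftp.osuosl.org/pub/blfs/conglomeration/libxslt/ as the only fetch location and drops the official xmlsoft.org site entirely, so a fetch now depends on a single unofficial host; suggest keeping `MASTER_SITES= http://xmlsoft.org/sources/ \` as the first entry and adding the osuosl URL as a fallback. The `PORTREVISION= 1` bump is appropriate, since the CVE patch changes the built package while PORTVERSION stays at 1.1.33. This excerpt shows only the Makefile; the files/ patch that actually fixes CVE-2019-18197 is not visible here, so confirm it is part of the attachment.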
(In reply to Ting-Wei Lan from comment #4) osuosl is a mirror for many FOSS projects, and the other one did not have the new version either (404).
Created attachment 208586: CVE-2019-18197 patch
Comment on attachment 208586 [details] CVE-2019-18197 patch >--- a/textproc/libxslt/Makefile >+++ b/textproc/libxslt/Makefile >@@ -3,9 +3,10 @@ > > PORTNAME= libxslt > PORTVERSION= 1.1.33 >+PORTREVISION= 1 > CATEGORIES?= textproc gnome >-MASTER_SITES= http://xmlsoft.org/sources/ \ >- https://mirror.umd.edu/xbmc/build-deps/sources/ >+MASTER_SITES= https://ftp.osuosl.org/pub/blfs/conglomeration/libxslt/ \ >+ ftp://xmlsoft.org/libxslt/ I still don't understand why we want to prefer an unofficial site to the official site. I don't think HTTPS can give any extra security when it is not an official site. Also, FreeBSD ports disable certificate verification by default. I guess the only benefit is that it is less likely to be blocked by firewalls.
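Review bot: the official site is back in the list but is now second and over plain `ftp://xmlsoft.org/libxslt/` rather than the original `http://xmlsoft.org/sources/`, with a different directory path; suggest listing the official site first, keeping the osuosl mirror as the fallback, and confirming that the new ftp path actually serves libxslt-1.1.33 before committing. The hunk header `@@ -3,9 +3,10 @@` is consistent with two removed and three added lines, and the `PORTREVISION= 1` bump remains correct for a patch-only change at the same PORTVERSION.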
We have version 1.1.34. The changes in transform.c are in the code. Close - overcome by events.