Jeremy, no, I don't know of any patches for 2.6.32.
I am only aware of the problem from the portaudit:
Type of problem: libxml2 -- two vulnerabilities.

I am not using Gnome, but many other ports are using this library
(to name a few: openwebmail, ImageMagick, squirrelmail, many of php5-*).

BTW, it is not clear to a person who doesn't deal with freebsd-gnome
mailing list that a message sent to (which is listed
as "Maintained by" in libxml2 and several other ports) gets posted
to freebsd-gnome mailing list. As a result, such a person would not
receive any reply unless his/her address is added in Cc:.

I would suggest that
1. people responding to the thread should keep the original poster in
2. somehow, it should be clearly documented in ports (including the
web-interface at )- that
is the same as freebsd-gnome list.

3. Speaking of the patch, - having been using FreeBSD for more than 12
years, I am clueless what "MC ports" means. Upon searching in Google,
I found that the expression "MC ports" is used mostly by you, Jeremy.
So, let me confess that for some "gnome-uninitiated" FreeBSD users
who use libxml2 which is used by ports other than gnome-related,
it is totally unclear what is written in your response to the PR.
"Slush" is yet another jargon that needs explanation.

Upon further search, I found that MC ports probably refers to
"Slush" remains a mystery, even though I might guess that it is
somehow related to the Gnome release cycle.

Thank you,


Fri Oct 17 17:14:24 UTC 2008
Jeremy Messenger mezz7 at wrote:

On Fri, 17 Oct 2008 13:17:42 -0000, Igor Roshchin
> Hello!
> libxml2 which is used by various applications outside of Gnome itself
> is reported to have known security vulnerabilities.
> I just looked at libxml2 website and I see that FreeBSD ports are
> several versions (and about half a year) behind the source.
> (the version 2.7 which presumably fixed the problem was released on
> Aug. 30, while FreeBSD port is stuck at 2.6.32: Apr 8 2008)
> I do not mean to blame anybody (I know that there was a port freeze
> recently), - I am just trying to alert people in
> charge for this port, in case it slipped through the cracks.

The 2.7.0 and 2.7.1 are too buggy, and broke many things. The 2.7.2
bugs) seems to be better, but I do not trust it to get into FreeBSD
during the slush. If you can point me where security patch(es) for
and I will be happy to put it in FreeBSD port, then bump it.

