Jeremy, no, I don't know patches for 2.6.32.
I am only aware of the problem from the portaudit:
Type of problem: libxml2 -- two vulnerabilities.
Reference:

I am not using Gnome, but many other ports are using this library
(to name a few: openwebmail, ImageMagick, squirrelmail, many of php5-*).


BTW, it is not clear to a person who doesn't deal with freebsd-gnome
mailing list that a message sent to gnome@freebsd.org (which is listed
as "Maintened by" in libxml2 and several other ports) gets posted
to freebsd-gnome mailing list. As a result, such a person would not
receive any reply unless his/her address is added in Cc:.

I would suggest that
1. people responding to the thread should keep the original poster in
Cc:
2. somehow, it should be clearly documented in ports (including the
web-interface at http://www.freebsd.org/ports/ )- thet gnome@freebsd.org
is the same as freebsd-gnome list.

3. Speaking of the patch, - having been using FreeBSD for more than 12
years, I am clueless what "MC ports" means. Upon searching in Google,
I found that the expression "MC ports" is used mostly by you, Jeremy.
So, let me confess that for some "gnome-uninitiated" FreeBSD users
who use libxml2 which is used by ports other than gnome-related,
it is totally unclear what is written in your response to the PR.
"Slush" is yet another jargon that needs explanation.

Upon further search, I found that MC ports probably refers to
http://www.marcuscom.com:8080/cgi-bin/cvsweb.cgi/
"Slush" remains a mystery, even though I might guess that it is
somehow related to the Gnome release cycle.

Thank you,

Igor



Fri Oct 17 17:14:24 UTC 2008
Jeremy Messenger mezz7 at cox.net wrote:

On Fri, 17 Oct 2008 13:17:42 -0000, Igor Roshchin
wrote:
>
> Hello!
>
> libxml2 which is used by various applications outside of Gnome itself
> is reported to have known security vulnerabilities.
> I just looked at libxml2 website and I see that FreeBSD ports are
> several versions (and about half a year) behind the source.
> (the version 2.7 which presumably fixed the problem was released on
> Aug.
> 30, while FreeBSD port is stuck at 2.6.32: Apr 8 2008)
>
> I do not mean to blaim anybody (I know that there was a port freeze
> recently), - I am just trying to alert people in
> charge for this port, in case it slipped through the cracks.


The 2.7.0 and 2.7.1 are too buggy, and broke many stuff. The 2.7.2
(fixed
bugs) seems to be better, but I am not trust it to get into FreeBSD
ports
during the slush. If you can point me where security patch(es) for
2.6.32
and I will be happy to it put in FreeBSD port, then bump it.

Cheers,
Mezz




_______________________________________________
freebsd-gnome@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-gnome
To unsubscribe, send any mail to "freebsd-gnome-unsubscribe@freebsd.org"