From: Christian Weisgerber
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: Re: pkg/ports, pkg audit, and libxml2
Date: Mon, 16 Jun 2025 12:53:02 -0000 (UTC)
User-Agent: slrn/1.0.3 (FreeBSD)

On 2025-06-14, Winston wrote:

> A while back, a security notice for libxml2 appeared.
>
> The links from 'pkg audit' to pages describing its issues
> gave the version number required to resolve the issues.

They do?  All I see is that such-and-such version is affected.
The underlying database is generated from security/vuxml.

> 1) Does having what appears to be a FreeBSD-style version number on
>    those problem description pages in any way imply that the fixed
>    version is available via 'ports', or is it usually just the
>    upstream's version number converted to what will eventually be
>    its FreeBSD version number?

The vuxml entry has a element, which typically just contains a (less
than), indicating that any version LESS THAN the given FreeBSD package
version is affected.  Sometimes people create the vuxml entry when they
upgrade the port to a version with a fix, sometimes they create the
vuxml entry before a fix is available.

> In the case of libxml2 in particular, pkg audit flagged it what seems
> like 2-3 weeks ago as needing an upgrade to 2.14.2, yet pkg as of today
> still has only version 2.11.9.  This seems like longer than usual for a
> fix to appear.

Yes, that is unusually long and... *checks repository*... the port
still hasn't been updated.

I _suspect_ the problem is that the port is still at 2.11.x, libxml
head is at 2.14.x, and there are breaking changes in between that need
to be dealt with.

(OpenBSD went from 2.13.x to 2.14.x in April and had to deal with some
breakage.)

-- 
Christian "naddy" Weisgerber                          naddy@mips.inka.de
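The "less than" matching described in the reply above, as an added example that is not part of the original post and not the code of FreeBSD's pkg(8) or of the security/vuxml port: it parses a small, constructed VuXML-style entry and flags an installed package when its version falls inside the entry's range, the way 'pkg audit' does. The entry text, the vid, and the package versions are all made up for the example; the element names (vuln, affects, package, name, range, lt/le/gt/ge/eq) and the namespace URI follow the VuXML schema as I understand it, and the version comparison is a simplified reading of FreeBSD's PORTVERSION_PORTREVISION,PORTEPOCH convention, not pkg's own comparator.

```python
import re
import xml.etree.ElementTree as ET

# Constructed VuXML-style document (example data, not a real vuxml.org record).
# The vid is a placeholder, not a published identifier.
VUXML = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="00000000-0000-0000-0000-000000000000">
    <topic>libxml2 -- constructed example entry</topic>
    <affects>
      <package>
        <name>libxml2</name>
        <range><lt>2.14.2</lt></range>
      </package>
    </affects>
  </vuln>
</vuxml>"""

NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}


def parse_version(v):
    """Split a FreeBSD-style package version into (epoch, components, revision).

    Assumed layout: VERSION[_PORTREVISION][,PORTEPOCH], e.g. "2.14.2_1,1".
    Epoch dominates, then the dotted version, then the port revision.
    """
    epoch = 0
    if "," in v:
        v, e = v.rsplit(",", 1)
        epoch = int(e)
    rev = 0
    if "_" in v:
        v, r = v.rsplit("_", 1)
        rev = int(r)
    parts = []
    for tok in v.split("."):
        # "10a" -> (10, "a"): numeric prefix compares as an int, suffix as text
        m = re.match(r"(\d*)(.*)", tok)
        num = int(m.group(1)) if m.group(1) else 0
        parts.append((num, m.group(2)))
    return epoch, parts, rev


def cmp_versions(a, b):
    """Return -1, 0 or 1 like strcmp; missing trailing components count as 0."""
    ea, pa, ra = parse_version(a)
    eb, pb, rb = parse_version(b)
    n = max(len(pa), len(pb))
    pa = pa + [(0, "")] * (n - len(pa))
    pb = pb + [(0, "")] * (n - len(pb))
    ka, kb = (ea, pa, ra), (eb, pb, rb)
    return (ka > kb) - (ka < kb)


# Each child of <range> is a bound; all bounds in one <range> must hold.
_BOUNDS = {
    "lt": lambda c: c < 0,
    "le": lambda c: c <= 0,
    "gt": lambda c: c > 0,
    "ge": lambda c: c >= 0,
    "eq": lambda c: c == 0,
}


def in_range(installed, range_el):
    for bound in range_el:
        tag = bound.tag.split("}")[-1]          # strip the namespace
        if not _BOUNDS[tag](cmp_versions(installed, bound.text.strip())):
            return False
    return True


def audit(installed, vuxml_text=VUXML):
    """installed: {pkgname: version}. Returns [(pkgname, version, vid), ...]."""
    root = ET.fromstring(vuxml_text)
    hits = []
    for vuln in root.findall("v:vuln", NS):
        vid = vuln.get("vid")
        for pkg in vuln.findall("v:affects/v:package", NS):
            names = [n.text.strip() for n in pkg.findall("v:name", NS)]
            for name in names:
                if name not in installed:
                    continue
                ver = installed[name]
                if any(in_range(ver, r) for r in pkg.findall("v:range", NS)):
                    hits.append((name, ver, vid))
    return hits


if __name__ == "__main__":
    # Constructed inventory: the port still at 2.11.9 is flagged, 2.14.2 is not.
    for inv in ({"libxml2": "2.11.9"}, {"libxml2": "2.14.2"}):
        print(inv, "->", audit(inv) or "clean")
```

Note that the check says nothing about whether a package at or above the bound exists in the repository yet: an entry whose bound is 2.14.2 flags an installed 2.11.9 regardless of whether the port has been updated, which is exactly the situation the thread describes.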