Subject: Re: pkg/ports, pkg audit, and libxml2
From: naddy (at) *nospam* mips.inka.de (Christian Weisgerber)
Groups: comp.unix.bsd.freebsd.misc
Date: 16. Jun 2025, 13:53:02
Message-ID: <slrn10504te.1p7b.naddy@lorvorc.mips.inka.de>
User-Agent: slrn/1.0.3 (FreeBSD)
On 2025-06-14, Winston <wbe@UBEBLOCK.psr.com.invalid> wrote:
> A while back, a security notice for libxml2 appeared.
>
> The links from 'pkg audit' to pages describing its issues
> gave the version number required to resolve the issues.
They do? All I see is that such-and-such version is affected.
The underlying database is generated from security/vuxml.
> 1) Does having what appears to be a FreeBSD-style version number on
> those problem description pages in any way imply that the fixed
> version is available via 'ports', or is it usually just the
> upstream's version number converted to what will eventually be
> its FreeBSD version number?
The vuxml entry has a <range> element, which typically just contains
a <lt> (less than), indicating that any version LESS THAN the given
FreeBSD package version is affected. Sometimes people create the
vuxml entry when they upgrade the port to a version with a fix,
sometimes they create the vuxml entry before a fix is available.
> In the case of libxml2 in particular, pkg audit flagged it what seems
> like 2-3 weeks ago as needing an upgrade to 2.14.2, yet pkg as of today
> still has only version 2.11.9. This seems like longer than usual for a
> fix to appear.
Yes, that is unusually long and... *checks repository*... the port
still hasn't been updated.
I _suspect_ the problem is that the port is still at 2.11.x, libxml
head is at 2.14.x, and there are breaking changes in between that
need to be dealt with. (OpenBSD went from 2.13.x to 2.14.x in April
and had to deal with some breakage.)
-- Christian "naddy" Weisgerber naddy@mips.inka.de
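To illustrate the <range>/<lt> semantics explained in the reply above, here is an added Python example; it is not code from the post nor from FreeBSD's pkg or vuxml tooling. It checks an installed package version against a constructed vuxml-style entry (placeholder vid, not a real one) and assumes a simplified version[_revision][,epoch] ordering rather than pkg's full comparison rules.

```python
import re
import xml.etree.ElementTree as ET

# Constructed vuxml-style fragment (not a real entry). Per the reply above,
# <lt> marks every package version LESS THAN the given one as affected.
SAMPLE_VUXML = """<vuxml>
  <vuln vid="PLACEHOLDER-VID">
    <topic>libxml2 -- example issue (constructed)</topic>
    <affects><package>
      <name>libxml2</name>
      <range><lt>2.14.2</lt></range>
    </package></affects>
  </vuln>
</vuxml>"""

def version_key(v):
    """Sortable key for a FreeBSD-style version: version[_revision][,epoch].
    Simplified: epoch outranks everything, then dotted components, then the
    port revision; letters inside a component sort after its leading digits."""
    epoch = revision = 0
    if "," in v:
        v, e = v.rsplit(",", 1)
        epoch = int(e)
    if "_" in v:
        v, r = v.rsplit("_", 1)
        revision = int(r)
    comps = []
    for piece in v.split("."):
        m = re.match(r"(\d*)(.*)", piece)
        comps.append((int(m.group(1) or 0), m.group(2)))
    return (epoch, tuple(comps), revision)

def affected_ranges(vuxml_text, pkgname):
    """Yield (vid, bounds) for every <range> that names pkgname."""
    root = ET.fromstring(vuxml_text)
    for vuln in root.iter("vuln"):
        for pkg in vuln.iter("package"):
            if pkg.findtext("name") != pkgname:
                continue
            for rng in pkg.iter("range"):
                yield vuln.get("vid"), {b: rng.findtext(b) for b in ("lt", "le", "gt", "ge")}

def is_affected(vuxml_text, pkgname, installed):
    """Return the vid of the first matching range, or None if not affected."""
    k = version_key(installed)
    for vid, b in affected_ranges(vuxml_text, pkgname):
        if b["lt"] and not k < version_key(b["lt"]): continue
        if b["le"] and not k <= version_key(b["le"]): continue
        if b["gt"] and not k > version_key(b["gt"]): continue
        if b["ge"] and not k >= version_key(b["ge"]): continue
        return vid
    return None
```

Running is_affected(SAMPLE_VUXML, "libxml2", "2.11.9") returns the placeholder vid, while "2.14.2" (and any revision of it) is not affected.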