Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 27 Oct 2019 06:58:38 +0000
From:      bugzilla-noreply@freebsd.org
To:        gnome@FreeBSD.org
Subject:   [Bug 241420] textproc/libxslt: Fix CVE-2019-18197
Message-ID:  <bug-241420-6497-cjitAcddNh@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-241420-6497@https.bugs.freebsd.org/bugzilla/>
References:  <bug-241420-6497@https.bugs.freebsd.org/bugzilla/>

next in thread | previous in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D241420

--- Comment #7 from Ting-Wei Lan <lantw44@gmail.com> ---
Comment on attachment 208586
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=3D208586
CVE-2019-18197 patch

>--- a/textproc/libxslt/Makefile
>+++ b/textproc/libxslt/Makefile
>@@ -3,9 +3,10 @@
>=20
> PORTNAME=3D	libxslt
> PORTVERSION=3D	1.1.33
>+PORTREVISION=3D	1
> CATEGORIES?=3D	textproc gnome
>-MASTER_SITES=3D	http://xmlsoft.org/sources/ \
>-		https://mirror.umd.edu/xbmc/build-deps/sources/
>+MASTER_SITES=3D	https://ftp.osuosl.org/pub/blfs/conglomeration/libxslt/ \
>+		   ftp://xmlsoft.org/libxslt/

I still don't understand why we want to prefer an unofficial site to the
official site. I don't think HTTPS can give any extra security when it is n=
ot
an official site. Also, FreeBSD ports disable certificate verification by
default. I guess the only benefit is that it is less likely to be blocked by
firewalls.

--=20
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.=



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-241420-6497-cjitAcddNh>