Date: Sun, 27 Oct 2019 06:58:38 +0000
From: bugzilla-noreply@freebsd.org
To: gnome@FreeBSD.org
Subject: [Bug 241420] textproc/libxslt: Fix CVE-2019-18197
Message-ID: <bug-241420-6497-cjitAcddNh@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-241420-6497@https.bugs.freebsd.org/bugzilla/>
References: <bug-241420-6497@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=241420

--- Comment #7 from Ting-Wei Lan <lantw44@gmail.com> ---
Comment on attachment 208586
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=208586
CVE-2019-18197 patch

>--- a/textproc/libxslt/Makefile >+++ b/textproc/libxslt/Makefile >@@ -3,9 +3,10 @@ >=20 > PORTNAME=3D libxslt > PORTVERSION=3D 1.1.33 >+PORTREVISION=3D 1 > CATEGORIES?=3D textproc gnome >-MASTER_SITES=3D http://xmlsoft.org/sources/ \ >- https://mirror.umd.edu/xbmc/build-deps/sources/ >+MASTER_SITES=3D https://ftp.osuosl.org/pub/blfs/conglomeration/libxslt/ \ >+ ftp://xmlsoft.org/libxslt/

I still don't understand why we want to prefer an unofficial site to the
official site. I don't think HTTPS can give any extra security when it is not
an official site. Also, FreeBSD ports disable certificate verification by
default. I guess the only benefit is that it is less likely to be blocked by
firewalls.

--
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
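
Review bot: The MASTER_SITES change in this Makefile hunk is not explained and does not look related to the CVE-2019-18197 fix: it drops both existing entries, lists ftp.osuosl.org first and keeps xmlsoft.org only as an ftp:// URL. Suggest keeping the upstream xmlsoft.org entry first and appending the mirror as a fallback, or moving the mirror change into its own submission with the reason stated. The PORTREVISION line can stay as it is.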