So I did

[root@lucy /usr/ports/textproc/libxml2]# portaudit -a
Affected package: libxml2-2.6.32_1
Type of problem: libxml2 -- multiple vulnerabilities.
Reference: <http://www.FreeBSD.org/ports/portaudit/f1e0164e-b67b-11dd-a55e-00163e000016.html>

1 problem(s) in your installed packages found.

You are advised to update or deinstall the affected package(s) immediately.

and found out that I have to update libxml2.. butt

[root@lucy /usr/ports/textproc/libxml2]# portmaster libxml2
===>>> Gathering distinfo list for installed ports

===>>> Currently installed version: libxml2-2.6.32_1
===>>> Port directory: /usr/ports/textproc/libxml2
===>>> Launching 'make checksum' for textproc/libxml2 in background
===>>> Gathering dependency list for textproc/libxml2 from ports
===>>> Starting recursive 'make config' check
===>>> Recursive 'make config' check complete for textproc/libxml2

===>>> Starting build for textproc/libxml2 <<<===

===>>> The 'make config' check found no dependencies to update

===> Cleaning for libxml2-2.6.32_1

===> libxml2-2.6.32_1 has known vulnerabilities:
=> libxml2 -- multiple vulnerabilities.
Reference: <http://www.FreeBSD.org/ports/portaudit/f1e0164e-b67b-11dd-a55e-00163e000016.html>
=> Please update your ports tree and try again.
*** Error code 1

Stop in /usr/ports/textproc/libxml2.

===>>> make failed for textproc/libxml2
===>>> Aborting update

Does this mean that there is no newer version of libxml2 in the ports yet? I did a portupgrade and have the latest version of the ports tree already. It is a dependency for php5 so I can't just delete it right now.

Suggestions?

You need to update your ports tree. So either run portsnap, csup or however you keep your ports tree up to date, and then try again as port revision 2 does exist in the tree(libxml2-2.6.32_2)

You ought to update your ports tree and the vulnerability database.

# portaudit -Fa

try the following 3 steps
1
rm /var/db/portaudit/auditfile.tbz
2
portmaster libxml2
3
portaudit -Fda

Gilinko already gave the correct answer, the rest is FUD.

You can verify that the security fixes got in the 19th of November here (http://www.freebsd.org/cgi/cvsweb.cgi/ports/textproc/libxml2/Makefile).

Thanks guys, problem solved. I suppose I was a bit confused about how to upgrade the ports tree.. thought portupgrade was for that reason, my bad.

so basically whenever there's a vulnerability do:


# csup -L 2 /root/ports-supfile
# portmaster -a #to update all installed ports


or


# portmaster portname #to update the vulnerable port

so basically whenever there's a vulnerability do:


# csup -L 2 /root/ports-supfile
# portmaster -a #to update all installed ports


or


# portmaster portname #to update the vulnerable port


This is a matter of preference / opinion, but I'd suggest updating only the vulnerable port (not all ports, which sometimes gets you into trouble). I don't have a lot of tolerance for breakage. ;)

Also, make a habit of reading /usr/ports/UPDATING after you update your ports tree. This file includes special instructions for upgrading certain ports.