textproc/xmlto, textproc/minixmlto and textproc/libxslt: when will the situation improve?

Hello.
When will the situation with textproc/xmlto and textproc/minixmlto and textproc/libxslt be fixed?
I can't update the system, there are a lot of dependencies on ports.
 
Does OpenBSD have the same problem, or have they solved it, please?
It's NOT AT ALL FreeBSD SPECIFIC. It's an upstream problem, so ALL OSes / APPS USING LIBXSLT ARE AFFECTED. Of course, if OpenBSD uses it, it surely IS affected. But as far as I know, no *BSD base OS uses libxslt, only ports/pkgsrc. So base FreeBSD, OpenBSD, NetBSD, ... should not be affected if NO PORTS/PKGS/PKGSRC DEPENDING ON LIBXSLT ARE INSTALLED.
 
Why add a vulnerable port in ports?
If a port is vulnerable, then by default it needs to refer to the correct version of the port.
If you need a port of a more recent version or a vulnerable one, then add an installation marker to make.conf.
 
Why add a vulnerable port in ports?
Software can always have CVEs to be fixed. www/firefox can get vulnerable too; any software can.

If a port is vulnerable, then by default it needs to refer to the correct version of the port.
AFAIK, there is no new version of the software that fixes that vulnerability yet. That's the problem; you have to wait until it happens.

If you need a port of a more recent version or a vulnerable one, then add an installation marker to make.conf.
What do you mean?
 
Why add a vulnerable port in ports?
If a port is vulnerable, then by default it needs to refer to the correct version of the port.
If you need a port of a more recent version or a vulnerable one, then add an installation marker to make.conf.
Do you want to mark that it is vulnerable? But when the port is already installed, as in the case of libxslt, what will you do? Delete it and break many other programs?
 
We have completed the transition of a group of (critically important) servers from FreeBSD to Debian Linux.
Debian Linux had no problems with libxslt.

I think we will migrate the rest of our servers to Debian Linux during this year.

We waited for two months hoping the situation with libxslt would be fixed, but it has not been.
 
[19 Aug 2025] TDSA-5979-1 libxslt security update
Debian has released fixes to libxslt.

I don't know how to be sure what CVEs are outstanding, and which of those are really concerning. On FreeBSD at the moment I see

libxslt-1.1.43_1 is vulnerable:
libxslt -- unmaintained, with multiple unfixed vulnerabilities
CVE: CVE-2025-7425
CVE: CVE-2025-7424
WWW: https://vuxml.freebsd.org/freebsd/b0a3466f-5efc-11f0-ae84-99047d0a6bcc.html

The Debian page you link to names a fix for CVE-2025-7424 but not for CVE-2025-7425. It _also_ names a fix for a vulnerability from 2023, CVE-2023-40403, which is not listed by pkg audit. Is it concerning that Debian appears to have no fix for CVE-2025-7425 or CVE-2023-40403?

And two years to fix a CVE? Did that one get fixed on other systems already? Does it exist on FreeBSD? https://nvd.nist.gov/vuln/detail/CVE-2023-40403 only mentions Apple operating systems, saying nothing about Linux or BSD.

I've no idea which system is more vulnerable.
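To make the comparison done by hand in this post reproducible, here is an added shell example (not from the thread, and not part of FreeBSD's pkg tooling). It takes pkg audit text in the format shown above plus a constructed list of CVE ids that some other vendor's advisory claims to fix, and prints which ids are still outstanding locally and which are fixed elsewhere but not listed by pkg audit at all. The advisory list below is a constructed sample based on the poster's reading, not the advisory's actual content.

```sh
#!/bin/sh
# Constructed sample of `pkg audit -F` output, in the shape quoted in the thread.
PKG_AUDIT_SAMPLE='libxslt-1.1.43_1 is vulnerable:
libxslt -- unmaintained, with multiple unfixed vulnerabilities
CVE: CVE-2025-7425
CVE: CVE-2025-7424
WWW: https://vuxml.freebsd.org/freebsd/b0a3466f-5efc-11f0-ae84-99047d0a6bcc.html'

# Constructed list of CVE ids another distribution's advisory says it fixed
# (assumption for the example, not copied from any advisory).
FIXED_ELSEWHERE='CVE-2025-7424
CVE-2023-40403'

# audit_cves AUDIT_TEXT: print the CVE ids pkg audit lists, sorted, one per line.
audit_cves() {
    printf '%s\n' "$1" \
        | sed -n 's/^CVE: *\(CVE-[0-9][0-9]*-[0-9][0-9]*\) *$/\1/p' \
        | sort -u
}

# list_minus A B: print the lines of newline-separated list A absent from list B.
# Empty lines are dropped from B so an empty B never matches everything.
list_minus() {
    b_file=$(mktemp) || return 1
    printf '%s\n' "$2" | grep -v '^$' > "$b_file" || true
    printf '%s\n' "$1" | grep -vxF -f "$b_file" || true
    rm -f "$b_file"
}

# outstanding_cves AUDIT_TEXT FIXED_LIST: ids pkg audit reports that FIXED_LIST lacks.
outstanding_cves() {
    list_minus "$(audit_cves "$1")" "$2"
}

# unlisted_locally AUDIT_TEXT FIXED_LIST: ids FIXED_LIST names that pkg audit does not.
unlisted_locally() {
    list_minus "$(printf '%s\n' "$2" | sort -u)" "$(audit_cves "$1")"
}

echo "Still outstanding on this host:"
outstanding_cves "$PKG_AUDIT_SAMPLE" "$FIXED_ELSEWHERE"
echo "Fixed elsewhere but not listed by pkg audit:"
unlisted_locally "$PKG_AUDIT_SAMPLE" "$FIXED_ELSEWHERE"
```

On a real host, replace PKG_AUDIT_SAMPLE with the output of `pkg audit -F` for the package in question; ids in the second list are worth checking against VuXML before assuming they apply to FreeBSD at all.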
 
In Debian/Gentoo Linux the libxslt package is installed as stable, without any notation that it is not secure.