| From: | Jim Jones <jim(dot)jones(at)uni-muenster(dot)de> |
|---|---|
| To: | Bruce Momjian <bruce(at)momjian(dot)us>, PostgreSQL-development <pgsql-hackers(at)lists(dot)postgresql(dot)org> |
| Subject: | Re: libxml2 author overwhelmed with security requests |
| Date: | 2025-06-19 19:24:32 |
| Message-ID: | 205eb656-5fd5-4d5f-8837-469b8a6c2f12@uni-muenster.de |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On 19.06.25 03:41, Bruce Momjian wrote:
> This blog post explains the serious problems the single libxml2 author
> is having in maintaining the library:
>
> https://socket.dev/blog/libxml2-maintainer-ends-embargoed-vulnerability-reports
>
> There are few learnings from this:
>
> * libxml2 is even less production-ready than we thought
> * many projects don't have the resources we do
>
That's even worse than I thought. Especially this disclaimer consideration:
“This is open-source software written by hobbyists, maintained by a
single volunteer, badly tested, written in a memory-unsafe language and
full of security bugs. It is foolish to use this software to process
untrusted data.”
No wonder other major databases opt for writing their own XML processing
engines. Sadly, despite these issues, there doesn't seem to be a decent
alternative to libxml2 :(
--
Jim
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Bruce Momjian | 2025-06-19 20:09:04 | Re: libxml2 author overwhelmed with security requests |
| Previous Message | Salvatore Dipietro | 2025-06-19 19:10:52 | Re: Remove Instruction Synchronization Barrier in spin_delay() for ARM64 architecture |