Today I discovered a very weird situation in 2023.
xmllint, a tool designed to validate #XML files, is not able to load resources, especially document type definitions (DTD) and XML schemas, if these are available through HTTPS.
The reason is that #libxml2, the library xmllint is part of, embarks its own HTTP client that does not support HTTPS.
That would not be an issue if a lot of tools were not relying on libxml2 for XML validation.
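One way to keep validating documents that point at HTTPS-hosted DTDs, given the limitation described in the post above, is to resolve those identifiers from a local XML catalog. This is an added example, not part of the original post or of libxml2: it lists the `https://` DOCTYPE identifiers in a document and emits an OASIS catalog mapping them to local copies. The sample document, the `example.org` URL and the `/srv/dtd-mirror` path are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath
from urllib.parse import urlsplit

CATALOG_NS = "urn:oasis:names:tc:entity:xmlns:xml:catalog"

# DOCTYPE with either PUBLIC "pubid" "sysid" or SYSTEM "sysid".
DOCTYPE_RE = re.compile(
    r'<!DOCTYPE\s+\S+\s+(?:PUBLIC\s+(["\'])(?P<pub>.*?)\1\s+|SYSTEM\s+)'
    r'(["\'])(?P<sys>.*?)\3', re.S)

# Constructed sample document; the DTD URL is a placeholder.
SAMPLE = '''<?xml version="1.0"?>
<!DOCTYPE note PUBLIC "-//EXAMPLE//DTD Note 1.0//EN"
  "https://schemas.example.org/dtd/note.dtd">
<note/>'''


def https_doctype_ids(xml_text):
    """Return (public_id, system_id) pairs whose system id is an https:// URL."""
    return [(m.group("pub"), m.group("sys"))
            for m in DOCTYPE_RE.finditer(xml_text)
            if m.group("sys").lower().startswith("https://")]


def build_catalog(ids, mirror_dir):
    """Build an OASIS XML catalog mapping each id to a file under mirror_dir."""
    ET.register_namespace("", CATALOG_NS)
    root = ET.Element(f"{{{CATALOG_NS}}}catalog")
    for public_id, system_id in ids:
        # The local file name is taken from the last path segment of the URL.
        name = PurePosixPath(urlsplit(system_id).path).name
        local = f"file://{PurePosixPath(mirror_dir) / name}"
        ET.SubElement(root, f"{{{CATALOG_NS}}}system",
                      systemId=system_id, uri=local)
        if public_id:
            ET.SubElement(root, f"{{{CATALOG_NS}}}public",
                          publicId=public_id, uri=local)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(build_catalog(https_doctype_ids(SAMPLE), "/srv/dtd-mirror"))
```

Pointing the `XML_CATALOG_FILES` environment variable at the saved catalog lets `xmllint --nonet --valid` resolve the DTD from disk. The local copies have to be fetched separately with a client that verifies TLS certificates.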
Hmm. Maybe I should attempt to make an automatically generated interface from #ATS to #libguile, as I did for an interface from #Dlang to #libxml2. (The latter is sitting somewhere in my ‘chemoelectric’ repository. It is constructed mostly by Awk scripts. But I’ll probably use Object Icon instead, this time.)
#ats #libguile #dlang #libxml2
I never thought I'd be saying this, but processing #XML from #C to turn #XHTML into #SSML with #libxml2 was an utterly *enjoyable* experience! I know right, in what universe is that possible? But props go to Daniel Veillard, Gnome, and contributors. It's fast, simple, and easy to understand, and everything just worked!
It seems that the fact that #Apple has released an emergency patch for two #libxml2 vulnerabilities in #macOS 13.0.1, but no corresponding updates for Monterey or Big Sur, got some people thinking that those systems are not vulnerable. I think that conclusion is wrong!
The update was very fast on Ventura due to Rapid Security Response [edit: not Rapid Security Response, just the improvements to update speed in Ventura]. These patches would have taken a lot longer to install on Monterey or Big Sur, so maybe Apple doesn’t think that weighs up against the risk of these vulnerabilities. Apple probably has a different bar for what requires a security patch with this feature.
Secondly, Apple has officially stated that not all vulnerabilities get fixed in older macOS versions due to architectural differences. While I’m sure they’ll eventually patch these, that does make it clear that you need to be on the latest OS to get all patches as soon as possible.
#apple #libxml2 #macos #ventura #RapidSecurityResponse #vulnerability
CVE-2022-40303 and CVE-2022-40304, which affected #libxml2, just got patched in iOS 16.1.1
Remember to update :)
New #libxml2 version 2.9.12 breaks validation with some incorrect DTDs, such as old #XHTML 1.0 DTDs: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993638#50 — Are there other users likely to be affected when they upgrade to this version?