> Greg Smith <gsmith@gregsmith.com> writes:
> > When we noticed this recently, my digging suggested you'll be hard pressed
> > to have a RedHat system now without those two installed.
>
> Indeed, I've not heard any squawks from the field yet. It's still
> wrong though ...
Unsurprisingly, half the world in Debian also depends on libxml2, but I
agree 110% w/ Tom- it's wrong, and I feel it really ought to be fixed
regardless. It's entirely likely that there will come a time when it's
a less used library getting pulled in, too. I also personally hate
useless clutter in dependencies as it can cause package management
headaches..
After poking around a bit I did find a box that only pulled in libxml2
for subversion, and we've been talking about moving to a different SCM
(which doesn't appear to depend on libxml2), so it might eventually only
be pulled in by psql for us. Not a show-stopper, but it's also not
completely out of the question that it'll get pulled in unnecessarily.
Thanks,
Stephen
Has anyone read up about the vulnerabilities associated with libxml2?
I am trying to figure out which libxml2.dll version PostgreSQL uses so that potentially I can replace the vulnerable file that's in c/program files/postgresql/8.2
Will replacing the current dll file with a newer libxml2 file screw up postgresql?