[xml/sgml-pkgs] Bug#933743: LibXSLT in Debian stable has three unpatched security vulnerabilities
Salvatore Bonaccorso
carnil at debian.org
Sat Aug 3 14:32:49 BST 2019
Hi,
On Fri, Aug 02, 2019 at 03:30:41PM -0400, Daniel Richard G. wrote:
> Package: libxslt1.1
> Version: 1.1.32-2
> Severity: grave
>
> The upstream version of LibXSLT shipped in Debian stable (1.1.32) has
> the following three CVEs reported against it:
>
> https://nvd.nist.gov/vuln/detail/CVE-2019-11068
> https://nvd.nist.gov/vuln/detail/CVE-2019-13117
> https://nvd.nist.gov/vuln/detail/CVE-2019-13118
>
> Debian has taken notice of these, but has only patched them in jessie
> (a.k.a. oldoldstable):
>
> https://lists.debian.org/debian-lts-announce/2019/04/msg00016.html
> https://lists.debian.org/debian-lts-announce/2019/07/msg00020.html
>
> The current jessie package version of LibXSLT (1.1.28-2+deb8u5) contains
> the following patch files:
>
> CVE-2019-11068.patch
> CVE-2019-13117.patch
> CVE-2019-13118.patch
>
> These are not present in 1.1.32-2, and so these vulnerabilities appear
> to be exploitable in Debian stable, testing, and sid.
As you can see from the security-tracker, btw, for all three there are
bugs filed already. So why a new bug for all three together? :)
Btw, they do not warrant a DSA, but LTS might not classify them the
same way as for stretch and buster, so there was a DLA because there
is no point release in LTS.
Regards,
Salvatore
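The report above decides "patched or not" by comparing the installed package version against the version that carries the CVE patches, which only works if the comparison follows dpkg's version ordering (epoch, upstream part, Debian revision, with "~" sorting before everything and "+deb8u5" sorting after the plain revision). The following is an added example, not code from the thread or from Debian, that implements that ordering and applies it to the versions the thread names; the FIXED_IN table is a constructed snapshot of what the report states (jessie 1.1.28-2+deb8u5 contains all three patches, no fixed version named for stretch or buster at that point), not the current security-tracker data.

```python
"""Check an installed libxslt1.1 version against a per-suite fixed version,
using a re-implementation of dpkg's version comparison (added example)."""
import shutil
import subprocess

DIGITS = "0123456789"

# CVEs the thread discusses, and a constructed snapshot of the fixed versions
# it reports: jessie's 1.1.28-2+deb8u5 carries all three patches; for stretch
# and buster the report names no fixed version (None == no fix known).
CVES = ("CVE-2019-11068", "CVE-2019-13117", "CVE-2019-13118")
FIXED_IN = {
    "jessie": "1.1.28-2+deb8u5",
    "stretch": None,
    "buster": None,
}


def _order(c: str) -> int:
    """Character weight used by dpkg: '~' < end-of-string < letters < others."""
    if c == "~":
        return -1
    if c == "" or c in DIGITS:
        return 0
    if c.isascii() and c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare one version fragment (upstream or revision) the way dpkg does:
    alternate non-digit runs (compared by _order) and digit runs (compared
    numerically, leading zeros ignored)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character by character.
        while (i < len(a) and a[i] not in DIGITS) or (j < len(b) and b[j] not in DIGITS):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros, then the longer run wins, else the
        # first differing digit decides.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i] in DIGITS and b[j] in DIGITS:
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i] in DIGITS:
            return 1
        if j < len(b) and b[j] in DIGITS:
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v: str):
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch = 0
    rest = v
    if ":" in rest:
        e, rest = rest.split(":", 1)
        epoch = int(e)
    if "-" in rest:
        upstream, revision = rest.rsplit("-", 1)
    else:
        upstream, revision = rest, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 like `dpkg --compare-versions a lt/eq/gt b`."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def is_vulnerable(installed: str, suite: str) -> bool:
    """True if the installed version predates the suite's fixed version, or if
    no fixed version is known for that suite (as the report says for stretch/buster)."""
    fixed = FIXED_IN.get(suite)
    if fixed is None:
        return True
    return compare_versions(installed, fixed) < 0


def installed_version(package: str = "libxslt1.1"):
    """Ask dpkg for the installed version; None when dpkg is unavailable."""
    if shutil.which("dpkg-query") is None:
        return None
    out = subprocess.run(["dpkg-query", "-W", "-f=${Version}", package],
                         capture_output=True, text=True)
    return out.stdout.strip() or None


if __name__ == "__main__":
    for suite, ver in (("jessie", "1.1.28-2+deb8u5"), ("jessie", "1.1.28-2+deb8u3"),
                       ("stretch", "1.1.29-2.1"), ("buster", "1.1.32-2")):
        state = "VULNERABLE" if is_vulnerable(ver, suite) else "patched"
        print(f"{suite:8} {ver:18} {state}  ({', '.join(CVES)})")
```

`installed_version()` is only a convenience for running the script on a real Debian host; the comparison itself needs nothing outside the standard library. When the fixed versions for stretch and buster are published, they go into FIXED_IN and the "no fix known" branch stops firing for those suites.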