[xml/sgml-pkgs] Bug#933743: LibXSLT in Debian stable has three unpatched security vulnerabilities
Daniel Richard G.
skunk at iSKUNK.ORG
Sun Aug 4 01:57:56 BST 2019
Hi Salvatore,
On Sat, 2019 Aug 3 09:32-04:00, Salvatore Bonaccorso wrote:
>
> As you can see from the security-tracker btw, for all three there are
> bugs filled already. So why a new bug for all three together? :)
The earliest CVE is nearly four months old, and patches already exist. I
filed the bug since it seems a sid/stable update has been overlooked...
> Btw, they do not warrant a DSA, but LTS might not classify them
> similarly as for stretch and buster, so there was a DLA because there
> is no point release in LTS.
The CVSS severity scores are fairly high for CVE-2019-11068... don't
DSAs include less-exploitable issues than this? (I'm pretty sure a
number of network-facing applications use LibXSLT)
I understand that LTS may handle updates differently, but aren't these
issues rather significant to defer fixes to the next point release? And
even then, shouldn't at least sid have the fix already?
More information about the debian-xml-sgml-pkgs
mailing list