[xml/sgml-pkgs] Bug#933743: LibXSLT in Debian stable has three unpatched security vulnerabilities

Salvatore Bonaccorso carnil at debian.org
Sun Aug 4 08:20:09 BST 2019


Hi Daniel,

On Sat, Aug 03, 2019 at 08:57:56PM -0400, Daniel Richard G. wrote:
> Hi Salvatore,
> 
> On Sat, 2019 Aug  3 09:32-04:00, Salvatore Bonaccorso wrote:
> >
> > As you can see from the security-tracker btw, for all three there are
> > bugs filed already. So why a new bug for all three together? :)
> 
> The earliest CVE is nearly four months old, and patches already exist. I
> filed the bug since it seems a sid/stable update has been overlooked...

Sure, it might have been overlooked, but pinging the existing bugs would
have been less overhead than now also starting to track this one and
adjusting metadata etc. But no worries.

> > Btw, they do not warrant a DSA, but LTS might not classify them
> > similarly as for stretch and buster, so there was a DLA because there
> > is no point release in LTS.
> 
> The CVSS severity scores are fairly high for CVE-2019-11068... don't
> DSAs include less-exploitable issues than this? (I'm pretty sure a
> number of network-facing applications use LibXSLT)

CVSS severity scores are really very dependent on who assesses them. I
guess you are referring to the ones as assessed by NVD. Agreed though
that Felix Wilhelm has provided a nice exploit vector example in
the upstream issue for local file access, depending on the context in which
libxslt would be used.

Anyway, I prepared a non-maintainer upload for libxslt addressing all
three CVEs in unstable, uploaded it to DELAYED/2 and created a merge
request on salsa.

Regards,
Salvatore
