[xml/sgml-pkgs] Bug#933743: LibXSLT in Debian stable has three unpatched security vulnerabilities

Salvatore Bonaccorso carnil at debian.org
Tue Aug 6 20:20:34 BST 2019


Hi!

On Sun, Aug 04, 2019 at 08:26:04PM -0400, Daniel Richard G. wrote:
> On Sun, 2019 Aug  4 03:20-04:00, Salvatore Bonaccorso wrote:
> >
> > Sure it might have been overlooked, but pinging the existing bug would
> > have been less overhead than now also starting to track this one as well
> > and adjusting metadata etc. But no worries.
> 
> Just so that I understand, there was an existing bug? I checked the open
> bugs before filing this one, but didn't see anything relating to those
> CVEs. Do you mean something with the security tracker?

No, I was referring to the bugs filed in the BTS; they were #926895,
#931321 and #931320. We then cross-reference those to/from the
security-tracker as well. I added your bug as well later on.
> 
> > CVSS severity scores are really very dependent on who assesses them. I
> > guess you are referring to the ones as assessed by NVD. Agreed though
> > that Felix Wilhelm has provided a nice exploit vector example in
> > the upstream issue for local file access, depending on the context in
> > which libxslt would be used.
> 
> And I figure LibXSLT is used in a number of ways that may result in
> security exposure, not just within Debian itself, but also user
> applications built on top of it.
> 
> > Anyway, I prepared a non-maintainer upload for libxslt addressing all
> > three CVEs in unstable, uploaded it to DELAYED/2 and created a merge
> > request on salsa.
> 
> Thank you, I will watch for it in sid :)

Done, and it entered unstable today:
https://tracker.debian.org/news/1052113/accepted-libxslt-1132-21-source-into-unstable/
Will look into preparing a buster-pu update based on that as well, and
possibly, time permitting, one for stretch too.

Regards,
Salvatore
