Hi,

On Fri, Aug 02, 2019 at 03:30:41PM -0400, Daniel Richard G. wrote:
> Package: libxslt1.1
> Version: 1.1.32-2
> Severity: grave
>
> The upstream version of LibXSLT shipped in Debian stable (1.1.32) has
> the following three CVEs reported against it:
>
> https://nvd.nist.gov/vuln/detail/CVE-2019-11068
> https://nvd.nist.gov/vuln/detail/CVE-2019-13117
> https://nvd.nist.gov/vuln/detail/CVE-2019-13118
>
> Debian has taken notice of these, but has only patched them in jessie
> (a.k.a. oldoldstable):
>
> https://lists.debian.org/debian-lts-announce/2019/04/msg00016.html
> https://lists.debian.org/debian-lts-announce/2019/07/msg00020.html
>
> The current jessie package version of LibXSLT (1.1.28-2+deb8u5) contains
> the following patch files:
>
> CVE-2019-11068.patch
> CVE-2019-13117.patch
> CVE-2019-13118.patch
>
> These are not present in 1.1.32-2, and so these vulnerabilities appear
> to be exploitable in Debian stable, testing, and sid.
As you can see from the security-tracker btw, for all three there are bugs filed already. So why a new bug for all three together? :)

Btw, they do not warrant a DSA, but LTS might not classify them similarly as for stretch and buster, so there was a DLA because there is no point release in LTS.

Regards,
Salvatore