Hi Daniel,

On Sat, Aug 03, 2019 at 08:57:56PM -0400, Daniel Richard G. wrote:
> Hi Salvatore,
>
> On Sat, 2019 Aug 3 09:32-04:00, Salvatore Bonaccorso wrote:
> >
> > As you can see from the security-tracker btw, for all three there are
> > bugs filed already. So why a new bug for all three together? :)
>
> The earliest CVE is nearly four months old, and patches already exist. I
> filed the bug since it seems a sid/stable update has been overlooked...

Sure it might have been overlooked, but pinging the existing bug would have been less overhead than now also starting to track this one as well as adjusting metadata etc. But no worries.

> > Btw, they do not warrant a DSA, but LTS might not classify them
> > similarly as for stretch and buster, so there was a DLA because there
> > is no point release in LTS.
>
> The CVSS severity scores are fairly high for CVE-2019-11068... don't
> DSAs include less-exploitable issues than this? (I'm pretty sure a
> number of network-facing applications use LibXSLT)

CVSS severity scores are really very dependent on who assesses them. I guess you are referring to the ones as assessed by NVD. Agreed though that Felix Wilhelm has provided a nice exploiting vector example in the upstream issue for local file access depending on the context of how libxslt would be used.

Anyway I prepared a non-maintainer upload for libxslt addressing all three CVEs in unstable and uploaded it to DELAYED/2 and created a merge request on salsa.

Regards,
Salvatore