Hi!

On Sun, Aug 04, 2019 at 08:26:04PM -0400, Daniel Richard G. wrote:
> On Sun, 2019 Aug 4 03:20-04:00, Salvatore Bonaccorso wrote:
> >
> > Sure it might have been overlooked, but pinging the existing bug would
> > have been less overhead than now also starting to track this one as well
> > as adjusting metadata etc. But no worries.
>
> Just so that I understand, there was an existing bug? I checked the open
> bugs before filing this one, but didn't see anything relating to those
> CVEs. Do you mean something with the security tracker?

No, I was referring to the bugs filed in the BTS; they were #926895, #931321 and #931320. We then cross-reference those to/from the security-tracker as well. I added your bug as well later on.

> > CVSS severity scores are really very dependent on who assesses them. I
> > guess you are referring to the ones as assessed by NVD. Agreed though
> > that Felix Wilhelm has provided a nice exploiting vector example in
> > the upstream issue for local file access depending on the context of how
> > libxslt would be used.
>
> And I figure LibXSLT is used in a number of ways that may result in
> security exposure, not just within Debian itself, but also user
> applications built on top of it.
>
> > Anyway I prepared a non-maintainer upload for libxslt addressing all
> > three CVEs in unstable and uploaded it to DELAYED/2 and created a merge
> > request on salsa.
>
> Thank you, I will watch for it in sid :)

Done, and it entered unstable today:
https://tracker.debian.org/news/1052113/accepted-libxslt-1132-21-source-into-unstable/

Will look into preparing, based on that, a buster-pu update as well, and possibly, time permitting, one back to stretch too.

Regards,
Salvatore