On Sun, 2019 Aug 4 03:20-04:00, Salvatore Bonaccorso wrote:
>
> Sure it might have been overlooked, but pinging the existing bug would
> have been less overhead to now as well start tracking this one as well
> adjusting metadata etc. But no worries.

Just so that I understand, there was an existing bug? I checked the open bugs before filing this one, but didn't see anything relating to those CVEs. Do you mean something with the security tracker?

> CVSS severity scores are really very dependent and who assess it. I
> guess you are referring to the ones as assessed by NVD. Agreed though
> that Felix Wilhelm has provided a nice exploiting vector example in
> the upstream issue for local file access depending on context of how
> libxslt would be used.

And I figure LibXSLT is used in a number of ways that may result in security exposure, not just within Debian itself, but also user applications built on top of it.

> Anyway I prepared a non-maintainer upload for libxslt addressing all
> three CVEs in unstable and uploaded it to DELAYED/2 and create a merge
> request on salsa.

Thank you, I will watch for it in sid :)