
Re: libxslt: some CVEs not fixed in debian buster



Akira Shibakawa <arabishi900@gmail.com> writes:

> CVE-2019-5815 and CVE-2021-30560 are vulnerabilities of libxslt
> included in chromium source code as third-party code.
> And not only chromium but also libxslt upstream has already fixed them.
> https://gitlab.gnome.org/GNOME/libxslt/-/commit/08b62c258
> https://gitlab.gnome.org/GNOME/libxslt/-/commit/50f9c9cd3
>
> Because libxslt in debian buster is older than the fixed version in
> upstream, these bugs are still present in debian buster.
> Are there any plans to fix them in debian buster?
> (I wonder why these CVEs are linked to only chromium, not libxslt.)

Since security support for buster will expire in a few days, I suggest
following up with the LTS team. More information is available at

          https://wiki.debian.org/LTS
