libxslt: some CVEs not fixed in debian buster

To: debian-lts@lists.debian.org
Subject: libxslt: some CVEs not fixed in debian buster
From: Akira Shibakawa <arabishi900@gmail.com>
Date: Fri, 29 Jul 2022 13:31:27 +0900
Message-id: <[🔎] CAE84iWUqyOhzK2dn3v-2Sx7ZL5hC8RR_coAQKRKTyznF5VFJjg@mail.gmail.com>

Hi,
CVE-2019-5815 and CVE-2021-30560 are vulnerabilities of libxslt
included in chromium source code as third-party code.
And not only chromium but also libxslt upstream has already fixed them.
https://gitlab.gnome.org/GNOME/libxslt/-/commit/08b62c258
https://gitlab.gnome.org/GNOME/libxslt/-/commit/50f9c9cd3

Because libxslt in debian buster is older than the fixed version in
upstream, these bugs are still present in debian buster.
Is there any plans to fix them in debian buster ?
(I am wonder why these CVEs are linked to only chromium, not libxslt.)

Reply to:

Follow-Ups:
- Re: libxslt: some CVEs not fixed in debian buster
  - From: Anton Gladky <gladky.anton@gmail.com>

Prev by Date: linux-5.10 code signing in buster
Next by Date: Re: libxslt: some CVEs not fixed in debian buster
Previous by thread: linux-5.10 code signing in buster
Next by thread: Re: libxslt: some CVEs not fixed in debian buster
Index(es):
- Date
- Thread