Hi Salvatore, On Sat, 2019 Aug 3 09:32-04:00, Salvatore Bonaccorso wrote: > > As you can see from the security-tracker btw, for all three there are > bugs filled already. So why a new bug for all three together? :)
The earliest CVE is nearly four months old, and patches already exist. I filed the bug since it seems a sid/stable update has been overlooked... > Btw, they do not warrant a DSA, but LTS might not classify them > similarly as for stretch and buster, so there was a DLA because there > is no point release in LTS. The CVSS severity scores are fairly high for CVE-2019-11068... don't DSAs include less-exploitable issues than this? (I'm pretty sure a number of network-facing applications use LibXSLT) I understand that LTS may handle updates differently, but aren't these issues rather significant to defer fixes to the next point release? And even then, shouldn't at least sid have the fix already?
