What were you trying to do that didn't work?

The %patchN directives for Patch4 and Patch7 are not specified in SPEC file of libxslt-1.1.28-8.el7_9. These 2 CVEs are not actually fixed by applying RHSA-2025:3612.

$ grep -i patch SPECS/libxslt.spec 
# Fedora specific patches
Patch0: multilib.patch
Patch1: libxslt-1.1.26-utf8-docs.patch
Patch2: libxslt-1.1.28-CVE-2019-18197.patch
Patch3: libxslt-1.1.28-CVE-2019-11068.patch
Patch4:         libxslt-1.1.34-CVE-2025-24855.patch
Patch7:         libxslt-1.1.34-CVE-2024-55549.patch
%patch0 -p1
%patch1 -p1 -b .utf8
%patch2 -p1
%patch3 -p1
# Now fix up the timestamps of patched docs files
- Restore timestamps for patched documentation files
- Patch from Paul Howarth for converting files to utf8 (#226088)
- and the previous patch was incomplte breaking the python bindings
- revert a key initialization patch from 1.1.23 which seems broken 

What is the impact of this issue to you?

CVE-2024-55549 and CVE-2025-24855 are both "Important Impact" vulnerability.

Please re-release the errata as soon as possible.

I also added a comment in following tickets.

RHEL-83491: CVE-2025-24855 libxslt: Use-After-Free in libxslt numbers.c [rhel-7-els]

RHEL-83505: CVE-2024-55549 libxslt: Use-After-Free in libxslt (xsltGetInheritedNsList) [rhel-7-els]

Please provide the package NVR for which the bug is seen:

How reproducible is this bug?:

Steps to reproduce

Expected results

Actual results