[xml/sgml-pkgs] Bug#933743: LibXSLT in Debian stable has three unpatched security vulnerabilities
Daniel Richard G.
skunk at iSKUNK.ORG
Fri Aug 2 20:30:41 BST 2019
Package: libxslt1.1
Version: 1.1.32-2
Severity: grave
The upstream version of LibXSLT shipped in Debian stable (1.1.32) has
the following three CVEs reported against it:
https://nvd.nist.gov/vuln/detail/CVE-2019-11068
https://nvd.nist.gov/vuln/detail/CVE-2019-13117
https://nvd.nist.gov/vuln/detail/CVE-2019-13118
Debian has taken notice of these, but has only patched them in jessie
(a.k.a. oldoldstable):
https://lists.debian.org/debian-lts-announce/2019/04/msg00016.html
https://lists.debian.org/debian-lts-announce/2019/07/msg00020.html
The current jessie package version of LibXSLT (1.1.28-2+deb8u5) contains
the following patch files:
CVE-2019-11068.patch
CVE-2019-13117.patch
CVE-2019-13118.patch
These are not present in 1.1.32-2, and so these vulnerabilities appear
to be exploitable in Debian stable, testing, and sid.
The current upstream release of LibXSLT is 1.1.33, which unfortunately
still has the above three CVEs. However, they appear to have been
patched in Git.
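As an added illustration of the check the report is making (this is example code, not part of the bug report, of the libxslt package or of Debian's tooling): the script below reimplements dpkg's version-comparison algorithm in Python and then scans a package's debian/patches/series for CVE identifiers. The two series texts are constructed from the report alone, listing only the three CVE patch names it mentions for 1.1.28-2+deb8u5 and nothing for 1.1.32-2; the real series files contain other entries. The function names compare_versions, cves_in_series, missing_cves and assess are this example's own. The point it demonstrates is that 1.1.32-2 sorts as newer than 1.1.28-2+deb8u5, so a scanner that compares against the fixed version announced for jessie would wrongly call stable fixed; the presence of the patches in the suite's own package is what has to be checked.

```python
"""Added example: version-number check vs. patch-series check for a Debian package.

compare_versions() follows the algorithm dpkg uses (epoch, then upstream part,
then Debian revision; '~' sorts before anything, digits compare numerically).
SERIES below is constructed from the bug report, not copied from real packages.
"""
import re

_DIGITS = "0123456789"


def _order(c: str) -> int:
    """Weight of a non-digit character as in dpkg: '~' first, then end-of-string
    or digit, then letters, then every other character."""
    if c == "~":
        return -1
    if c == "" or c in _DIGITS:
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments (upstream part or revision) like dpkg."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character weights until a digit or the end.
        while (i < len(a) and a[i] not in _DIGITS) or (j < len(b) and b[j] not in _DIGITS):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros, then the longer run wins, else the first differing digit.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i] in _DIGITS and b[j] in _DIGITS:
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i] in _DIGITS:
            return 1
        if j < len(b) and b[j] in _DIGITS:
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str):
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, _, revision = version.rpartition("-")
    if not upstream:  # no '-' at all: the whole string is the upstream part
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as Debian version a is older than, equal to or newer than b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    r = (ea > eb) - (ea < eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


_CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def cves_in_series(series_text: str) -> set:
    """CVE ids named by the active (non-comment) entries of a debian/patches/series file."""
    found = set()
    for line in series_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        found.update(_CVE_RE.findall(line))
    return found


def missing_cves(series_text: str, wanted) -> set:
    """Which of the wanted CVE ids have no patch entry in the series."""
    return set(wanted) - cves_in_series(series_text)


# Constructed from the report: only the CVE patch names it lists are shown.
REPORTED_CVES = ("CVE-2019-11068", "CVE-2019-13117", "CVE-2019-13118")
SERIES = {
    "1.1.28-2+deb8u5": "CVE-2019-11068.patch\nCVE-2019-13117.patch\nCVE-2019-13118.patch\n",
    "1.1.32-2": "# constructed: the stable package carries none of the CVE-2019-* patches\n",
}


def assess(version: str, patched_version: str, cves=REPORTED_CVES) -> dict:
    """Contrast the naive version-number verdict with the actual patch-series check."""
    return {
        "newer_than_patched": compare_versions(version, patched_version) > 0,
        "missing": sorted(missing_cves(SERIES[version], cves)),
    }


if __name__ == "__main__":
    for v in SERIES:
        print(v, assess(v, "1.1.28-2+deb8u5"))
```

Running it prints that 1.1.32-2 is "newer_than_patched" yet has all three CVE ids missing from its series, while 1.1.28-2+deb8u5 is missing none. In practice the same test can be run against the real series file after `apt-get source libxslt1.1` on the suite in question, or against the package changelog, which Debian security uploads also annotate with the CVE ids.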