[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SECURITY] [DLA 1860-1] libxslt security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : libxslt
Version        : 1.1.28-2+deb8u5
CVE ID         : CVE-2016-4609 CVE-2016-4610 CVE-2019-13117
  		 CVE-2019-13118
Debian Bug     : 932321 932320

Several vulnerabilities were found in libxslt the XSLT 1.0 processing
library.

CVE-2016-4610

    Invalid memory access leading to DoS at exsltDynMapFunction. libxslt
    allows remote attackers to cause a denial of service (memory
    corruption) or possibly have unspecified other impact via unknown
    vectors.

CVE-2016-4609

    Out-of-bounds read at xmlGetLineNoInternal()
    libxslt allows remote attackers to cause a denial of service (memory
    corruption) or possibly have unspecified other impact via unknown
    vectors.

CVE-2019-13117

    An xsl:number with certain format strings could lead to an
    uninitialized read in xsltNumberFormatInsertNumbers. This could
    allow an attacker to discern whether a byte on the stack contains
    the characters A, a, I, i, or 0, or any other character.

CVE-2019-13118

    A type holding grouping characters of an xsl:number instruction was
    too narrow and an invalid character/length combination could be
    passed to xsltNumberFormatDecimal, leading to a read of
    uninitialized stack data.

For Debian 8 "Jessie", these problems have been fixed in version
1.1.28-2+deb8u5.

We recommend that you upgrade your libxslt packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAl014W9fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7
UeSTsQ/+NTZjxFPjyvu2HBjwQA1AzvJt9kL1lTWOb3AAeqyG3nwiZyzZdiW4hdMq
uqEMWy1uTfXap+HezGWPQ0xgzOxZpBelhAL8tgyMiHnOd6UPyEC5AKM5Ta1liZQY
3ndpZuAzOlbXrSqv0Z3QxrqmdQoqHFS+//9W+6EeVI/4iBtWxZAnl9G1Jxwhgt9Q
TDGhvFkzg7J2K5Am39pFVOrdRW+3AVOCP5cxyRqmn5SHrNhtdfwEL7vcFJ3V4pVM
1x4yeIppnz5Z+wJqLB9slzgvphvYzjQ/SEOyDBGvRahhaK/fZxRUb6sNbKm//sTC
T0iu30Xo2XJd+pKXP4Ebpg+QMTdhUquIKLaV78aEsuInaYcsIZwV75fENLurSsgy
BgnQI5VhpXWoYdmdokoPW+qcycLmUeDH/C3UX9LAsvFSsx494qhTN5LYC+jZqVIP
1KzfifQLAjxSzrZzGOzWe9rkQsALQtQQ8wpaw5fWytOC2QoJu+uBrNn2rvx2ikPv
5fvpAtrVyIq6ceu0Fptvwo6ePEfkw7ctd5PGxQW0m0kKpPlH8TB4AKdbBH0PIv1b
FuRVAvVSuperwkhUWNwpzcCNrJpm9Yws96ZsKjRe2P4FAf8iZvU5Lc4dnZAwJ860
lc4LywM+8vfcZNb3SPXU7Hsl4Zev7ie/UnSKualUonNyhVykI1o=
=FavF
-----END PGP SIGNATURE-----


Reply to: