[SECURITY] [DLA 1756-1] libxslt security update

2019-04-1516:07:56

lists.debian.org

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.003 Low

EPSS

Percentile

65.0%

JSON

Package : libxslt
Version : 1.1.28-2+deb8u4
CVE ID : CVE-2019-11068
Debian Bug : #926895

It was discovered that there was a authentication bypass
vulnerability in libxslt, a widely-used library for transforming
files from XML to other arbitrary format.

The xsltCheckRead and xsltCheckWrite routines permitted access upon
receiving an-1 error code and (as xsltCheckRead returned -1 for a
specially-crafted URL that is not actually invalid) the attacker was
subsequently authenticated.

For Debian 8 "Jessie", this issue has been fixed in libxslt version
1.1.28-2+deb8u4.

We recommend that you upgrade your libxslt packages.

Regards,

  ,&#x27;&#x27;`.
 : :&#x27;  :     Chris Lamb
 `. `&#x27;`      [email protected] / chris-lamb.co.uk
   `-

OSVersionArchitecturePackageVersionFilename
Debian10mipsellibxslt1.1< 1.1.32-2.1~deb10u1libxslt1.1_1.1.32-2.1~deb10u1_mipsel.deb
Debian10armhflibxslt1.1-dbgsym< 1.1.32-2.1~deb10u1libxslt1.1-dbgsym_1.1.32-2.1~deb10u1_armhf.deb
Debian9mips64ellibxslt1-dev< 1.1.29-2.1+deb9u1libxslt1-dev_1.1.29-2.1+deb9u1_mips64el.deb
Debian10mipspython-libxslt1-dbg< 1.1.32-2.1~deb10u1python-libxslt1-dbg_1.1.32-2.1~deb10u1_mips.deb
Debian9amd64python-libxslt1-dbg< 1.1.29-2.1+deb9u1python-libxslt1-dbg_1.1.29-2.1+deb9u1_amd64.deb
Debian10s390xlibxslt1.1< 1.1.32-2.1~deb10u1libxslt1.1_1.1.32-2.1~deb10u1_s390x.deb
Debian10armhflibxslt1-dev< 1.1.32-2.1~deb10u1libxslt1-dev_1.1.32-2.1~deb10u1_armhf.deb
Debian8armelpython-libxslt1-dbg< 1.1.28-2+deb8u4python-libxslt1-dbg_1.1.28-2+deb8u4_armel.deb
Debian10i386libxslt1.1< 1.1.32-2.1~deb10u1libxslt1.1_1.1.32-2.1~deb10u1_i386.deb
Debian10ppc64elpython-libxslt1< 1.1.32-2.1~deb10u1python-libxslt1_1.1.32-2.1~deb10u1_ppc64el.deb

OS	Version	Architecture	Package	Version	Filename
Debian	10	mipsel	libxslt1.1	< 1.1.32-2.1~deb10u1	libxslt1.1_1.1.32-2.1~deb10u1_mipsel.deb
Debian	10	armhf	libxslt1.1-dbgsym	< 1.1.32-2.1~deb10u1	libxslt1.1-dbgsym_1.1.32-2.1~deb10u1_armhf.deb
Debian	9	mips64el	libxslt1-dev	< 1.1.29-2.1+deb9u1	libxslt1-dev_1.1.29-2.1+deb9u1_mips64el.deb
Debian	10	mips	python-libxslt1-dbg	< 1.1.32-2.1~deb10u1	python-libxslt1-dbg_1.1.32-2.1~deb10u1_mips.deb
Debian	9	amd64	python-libxslt1-dbg	< 1.1.29-2.1+deb9u1	python-libxslt1-dbg_1.1.29-2.1+deb9u1_amd64.deb
Debian	10	s390x	libxslt1.1	< 1.1.32-2.1~deb10u1	libxslt1.1_1.1.32-2.1~deb10u1_s390x.deb
Debian	10	armhf	libxslt1-dev	< 1.1.32-2.1~deb10u1	libxslt1-dev_1.1.32-2.1~deb10u1_armhf.deb
Debian	8	armel	python-libxslt1-dbg	< 1.1.28-2+deb8u4	python-libxslt1-dbg_1.1.28-2+deb8u4_armel.deb
Debian	10	i386	libxslt1.1	< 1.1.32-2.1~deb10u1	libxslt1.1_1.1.32-2.1~deb10u1_i386.deb
Debian	10	ppc64el	python-libxslt1	< 1.1.32-2.1~deb10u1	python-libxslt1_1.1.32-2.1~deb10u1_ppc64el.deb