[SECURITY] [DLA 1973-1] libxslt security update

2019-10-2721:17:53

lists.debian.org

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

5.1 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

HIGH

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:H/Au:N/C:P/I:P/A:P

0.008 Low

EPSS

Percentile

81.3%

JSON

Package : libxslt
Version : 1.1.28-2+deb8u6
CVE ID : CVE-2019-18197
Debian Bug : 942646

A security vulnerability was discovered in libxslt, a XSLT 1.0
processing library written in C.

In xsltCopyText in transform.c, a pointer variable is not reset under
certain circumstances. If the relevant memory area happened to be freed
and reused in a certain way, a bounds check could fail and memory
outside a buffer could be written to, or uninitialized data could be
disclosed.

For Debian 8 "Jessie", this problem has been fixed in version
1.1.28-2+deb8u6.

We recommend that you upgrade your libxslt packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

OSVersionArchitecturePackageVersionFilename
Debian9mips64elpython-libxslt1< 1.1.29-2.1+deb9u2python-libxslt1_1.1.29-2.1+deb9u2_mips64el.deb
Debian8amd64xsltproc< 1.1.28-2+deb8u6xsltproc_1.1.28-2+deb8u6_amd64.deb
Debian10ppc64elpython-libxslt1< 1.1.32-2.2~deb10u1python-libxslt1_1.1.32-2.2~deb10u1_ppc64el.deb
Debian10armhfpython-libxslt1< 1.1.32-2.2~deb10u1python-libxslt1_1.1.32-2.2~deb10u1_armhf.deb
Debian9armhfpython-libxslt1< 1.1.29-2.1+deb9u2python-libxslt1_1.1.29-2.1+deb9u2_armhf.deb
Debian9armelxsltproc< 1.1.29-2.1+deb9u2xsltproc_1.1.29-2.1+deb9u2_armel.deb
Debian9mipslibxslt1.1< 1.1.29-2.1+deb9u2libxslt1.1_1.1.29-2.1+deb9u2_mips.deb
Debian10mipsxsltproc< 1.1.32-2.2~deb10u1xsltproc_1.1.32-2.2~deb10u1_mips.deb
Debian8armhfpython-libxslt1-dbg< 1.1.28-2+deb8u6python-libxslt1-dbg_1.1.28-2+deb8u6_armhf.deb
Debian9armhflibxslt1-dbg< 1.1.29-2.1+deb9u2libxslt1-dbg_1.1.29-2.1+deb9u2_armhf.deb

OS	Version	Architecture	Package	Version	Filename
Debian	9	mips64el	python-libxslt1	< 1.1.29-2.1+deb9u2	python-libxslt1_1.1.29-2.1+deb9u2_mips64el.deb
Debian	8	amd64	xsltproc	< 1.1.28-2+deb8u6	xsltproc_1.1.28-2+deb8u6_amd64.deb
Debian	10	ppc64el	python-libxslt1	< 1.1.32-2.2~deb10u1	python-libxslt1_1.1.32-2.2~deb10u1_ppc64el.deb
Debian	10	armhf	python-libxslt1	< 1.1.32-2.2~deb10u1	python-libxslt1_1.1.32-2.2~deb10u1_armhf.deb
Debian	9	armhf	python-libxslt1	< 1.1.29-2.1+deb9u2	python-libxslt1_1.1.29-2.1+deb9u2_armhf.deb
Debian	9	armel	xsltproc	< 1.1.29-2.1+deb9u2	xsltproc_1.1.29-2.1+deb9u2_armel.deb
Debian	9	mips	libxslt1.1	< 1.1.29-2.1+deb9u2	libxslt1.1_1.1.29-2.1+deb9u2_mips.deb
Debian	10	mips	xsltproc	< 1.1.32-2.2~deb10u1	xsltproc_1.1.32-2.2~deb10u1_mips.deb
Debian	8	armhf	python-libxslt1-dbg	< 1.1.28-2+deb8u6	python-libxslt1-dbg_1.1.28-2+deb8u6_armhf.deb
Debian	9	armhf	libxslt1-dbg	< 1.1.29-2.1+deb9u2	libxslt1-dbg_1.1.29-2.1+deb9u2_armhf.deb