Your message dated Tue, 06 Aug 2019 07:36:22 +0000 with message-id <[email protected]> and subject line Bug#933743: fixed in libxslt 1.1.32-2.1 has caused the Debian Bug report #933743, regarding LibXSLT in Debian stable has three unpatched security vulnerabilities to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

--
933743: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933743
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libxslt1.1
Version: 1.1.32-2
Severity: grave

The upstream version of LibXSLT shipped in Debian stable (1.1.32) has the following three CVEs reported against it:

https://nvd.nist.gov/vuln/detail/CVE-2019-11068
https://nvd.nist.gov/vuln/detail/CVE-2019-13117
https://nvd.nist.gov/vuln/detail/CVE-2019-13118

Debian has taken notice of these, but has only patched them in jessie (a.k.a. oldoldstable):

https://lists.debian.org/debian-lts-announce/2019/04/msg00016.html
https://lists.debian.org/debian-lts-announce/2019/07/msg00020.html

The current jessie package version of LibXSLT (1.1.28-2+deb8u5) contains the following patch files:

CVE-2019-11068.patch
CVE-2019-13117.patch
CVE-2019-13118.patch

These are not present in 1.1.32-2, and so these vulnerabilities appear to be exploitable in Debian stable, testing, and sid.

The current upstream release of LibXSLT is 1.1.33, which unfortunately still has the above three CVEs. However, they appear to have been patched in Git.
--- End Message ---
--- Begin Message ---
Source: libxslt
Source-Version: 1.1.32-2.1

We believe that the bug you reported is fixed in the latest version of libxslt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated libxslt package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 04 Aug 2019 08:14:05 +0200
Source: libxslt
Architecture: source
Version: 1.1.32-2.1
Distribution: unstable
Urgency: medium
Maintainer: Debian XML/SGML Group <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 926895 931320 931321 933743
Changes:
 libxslt (1.1.32-2.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Fix security framework bypass (CVE-2019-11068) (Closes: #926895, #933743)
   * Fix uninitialized read of xsl:number token (CVE-2019-13117) (Closes: #931321, #933743)
   * Fix uninitialized read with UTF-8 grouping chars (CVE-2019-13118) (Closes: #931320, #933743)
Checksums-Sha1:
 9edb1b30d9652d632d49a7667201b4ad51e3f15c 2502 libxslt_1.1.32-2.1.dsc
 253481a7c31a78d1c9ace6da37af3e50934fe016 33792 libxslt_1.1.32-2.1.debian.tar.xz
Checksums-Sha256:
 bc9454624f5127960244d433676a654c96790ed3c3e5c01b416188953a0f3421 2502 libxslt_1.1.32-2.1.dsc
 68a20c62f69574822af5f01e807228fbaf5ab23868df3a2b57d4915d0f799dd7 33792 libxslt_1.1.32-2.1.debian.tar.xz
Files:
 6e2048b8d013183e16ce2d39d418f7bc 2502 text optional libxslt_1.1.32-2.1.dsc
 b586dca5cf29e1dc6e02dc4473d66509 33792 text optional libxslt_1.1.32-2.1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAl1GhE5fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89E4LUP/RxDTCzHKUltsGsmEF13WU+CUaVSRdFQ
K+6oxKLcQY4+HZ3MRemmk/ugVapyyvNnTyQt9OHpM7ZRmL8+y5DOZysVpjR3ofOE
F0EaxDQcLOQl7FX7WFns33K81D5i9qkZkrsSQJmu0SVPlN2+0KcuUQBoIDuDQixP
qaMJqk5ymk5A+MYbFfDGVmSpWGBHpYwlUudkoz0wfBDk9CpkbCXaCi/LNGQ1Ug/n
UwOqKtgfhaysrABW3OrbvwhJfqWsOiA+jskuwmq9wtGuTEhPIOVfqO3NZZFJ6qNH
JDIgCO/8YVKYK2bsk8kaXYRl2DPELyYsbB/K5+B5PRYHQ5Dk2hESNZw9bL0XuBK4
0khk83pD9BN3rlWFpCGJA+C/Jv5pEylok5U0AfIx8ex0d/u993e+ElKa7+JMpgfE
l5UkDEApj7+3AA4f/sDcCDn0vUfXbXhHoZP1cff33RdceyQz08D/SckwKA1UC6v7
00vNiovK7FGXHD+u8KelAWwAdckn8lIuqJRrHCnQMlTD0vcIibhuh4rOaeujTG7J
2DFDRu7tJ4DFj69br1wCrMVIRgcIv34WJ+U894b0YySVrKU0xF1vCN1eaN8CMo+t
315K1Dyu7u2xuFuE8Y6mjA8OPv0u+EiYOYz9O/vc2LLxlcdSAG7v7z6X62eY8mVe
RxInCDFuWQtl
=Fm9U
-----END PGP SIGNATURE-----
--- End Message ---

