Your message dated Mon, 12 Aug 2019 19:17:09 +0000 with message-id <[email protected]> and subject line Bug#933743: fixed in libxslt 1.1.32-2.1~deb10u1 has caused the Debian Bug report #933743, regarding LibXSLT in Debian stable has three unpatched security vulnerabilities to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

--
933743: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933743
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libxslt1.1
Version: 1.1.32-2
Severity: grave

The upstream version of LibXSLT shipped in Debian stable (1.1.32) has the following three CVEs reported against it:

https://nvd.nist.gov/vuln/detail/CVE-2019-11068
https://nvd.nist.gov/vuln/detail/CVE-2019-13117
https://nvd.nist.gov/vuln/detail/CVE-2019-13118

Debian has taken notice of these, but has only patched them in jessie (a.k.a. oldoldstable):

https://lists.debian.org/debian-lts-announce/2019/04/msg00016.html
https://lists.debian.org/debian-lts-announce/2019/07/msg00020.html

The current jessie package version of LibXSLT (1.1.28-2+deb8u5) contains the following patch files:

CVE-2019-11068.patch
CVE-2019-13117.patch
CVE-2019-13118.patch

These are not present in 1.1.32-2, and so these vulnerabilities appear to be exploitable in Debian stable, testing, and sid.

The current upstream release of LibXSLT is 1.1.33, which unfortunately still has the above three CVEs. However, they appear to have been patched in Git.
--- End Message ---
--- Begin Message ---
Source: libxslt
Source-Version: 1.1.32-2.1~deb10u1

We believe that the bug you reported is fixed in the latest version of libxslt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated libxslt package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 09 Aug 2019 21:49:31 +0200
Source: libxslt
Architecture: source
Version: 1.1.32-2.1~deb10u1
Distribution: buster
Urgency: medium
Maintainer: Debian XML/SGML Group <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 926895 931320 931321 933743
Changes:
 libxslt (1.1.32-2.1~deb10u1) buster; urgency=medium
 .
   * Rebuild for buster
 .
 libxslt (1.1.32-2.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Fix security framework bypass (CVE-2019-11068) (Closes: #926895, #933743)
   * Fix uninitialized read of xsl:number token (CVE-2019-13117) (Closes: #931321, #933743)
   * Fix uninitialized read with UTF-8 grouping chars (CVE-2019-13118) (Closes: #931320, #933743)
Checksums-Sha1:
 74e907d0f8a1547f5eb70f537fbf59c845559827 2781 libxslt_1.1.32-2.1~deb10u1.dsc
 0398bf28f5b8d04e3b1feeeb5bfabd461b0a8fb3 33864 libxslt_1.1.32-2.1~deb10u1.debian.tar.xz
Checksums-Sha256:
 c81cf808598b6c7eaafa573658ab7f2db98bb5831ec0a0d7982e51bddb15a8e2 2781 libxslt_1.1.32-2.1~deb10u1.dsc
 e2b83f24090e5852149094612062fe1be2f75ad241dfbc66e6350b4b0e6d5641 33864 libxslt_1.1.32-2.1~deb10u1.debian.tar.xz
Files:
 a2b647d2d424cded699a069631174711 2781 text optional libxslt_1.1.32-2.1~deb10u1.dsc
 6bba547dd07821d41404f9357429aab7 33864 text optional libxslt_1.1.32-2.1~deb10u1.debian.tar.xz
--- End Message ---

