Your message dated Sun, 25 Aug 2019 13:47:30 +0000
with message-id <[email protected]>
and subject line Bug#933743: fixed in libxslt 1.1.29-2.1+deb9u1
has caused the Debian Bug report #933743,
regarding LibXSLT in Debian stable has three unpatched security vulnerabilities
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

-- 
933743: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933743
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libxslt1.1
Version: 1.1.32-2
Severity: grave

The upstream version of LibXSLT shipped in Debian stable (1.1.32) has the
following three CVEs reported against it:

https://nvd.nist.gov/vuln/detail/CVE-2019-11068
https://nvd.nist.gov/vuln/detail/CVE-2019-13117
https://nvd.nist.gov/vuln/detail/CVE-2019-13118

Debian has taken notice of these, but has only patched them in jessie
(a.k.a. oldoldstable):

https://lists.debian.org/debian-lts-announce/2019/04/msg00016.html
https://lists.debian.org/debian-lts-announce/2019/07/msg00020.html

The current jessie package version of LibXSLT (1.1.28-2+deb8u5) contains the
following patch files:

CVE-2019-11068.patch
CVE-2019-13117.patch
CVE-2019-13118.patch

These are not present in 1.1.32-2, and so these vulnerabilities appear to be
exploitable in Debian stable, testing, and sid.

The current upstream release of LibXSLT is 1.1.33, which unfortunately still
has the above three CVEs. However, they appear to have been patched in Git.
--- End Message ---
--- Begin Message ---
Source: libxslt
Source-Version: 1.1.29-2.1+deb9u1

We believe that the bug you reported is fixed in the latest version of
libxslt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated libxslt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 24 Aug 2019 14:04:13 +0200
Source: libxslt
Architecture: source
Version: 1.1.29-2.1+deb9u1
Distribution: stretch
Urgency: medium
Maintainer: Debian XML/SGML Group <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 926895 931320 931321 933743
Changes:
 libxslt (1.1.29-2.1+deb9u1) stretch; urgency=medium
 .
   * Non-maintainer upload.
   * Fix security framework bypass (CVE-2019-11068)
     (Closes: #926895, #933743)
   * Fix uninitialized read of xsl:number token (CVE-2019-13117)
     (Closes: #931321, #933743)
   * Fix uninitialized read with UTF-8 grouping chars (CVE-2019-13118)
     (Closes: #931320, #933743)
Checksums-Sha1:
 70e7c78198055d69973ac9b28354210e1f584886 2563 libxslt_1.1.29-2.1+deb9u1.dsc
 9963bba25c609012184ac5d815f6f6ab7b9b59b2 30436 libxslt_1.1.29-2.1+deb9u1.debian.tar.xz
Checksums-Sha256:
 a7b353c973bd0a66c85c2786c608d9059fafa7c4f58613e3ca5a47124f4c4bb6 2563 libxslt_1.1.29-2.1+deb9u1.dsc
 1551bfcb01d176f629a4dbc9031617ecc35a8f1825fa470b4e9191115cb0f3dd 30436 libxslt_1.1.29-2.1+deb9u1.debian.tar.xz
Files:
 c8059916bf34e28bd0331b011459e2ff 2563 text optional libxslt_1.1.29-2.1+deb9u1.dsc
 1b6d060c87131f68cbd22b73edb59c17 30436 text optional libxslt_1.1.29-2.1+deb9u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAl1hKpVfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89Ep3QP/2J21EvP7wvk8w5j/MEtLXO9MnrzdaAG
xuB5yALBpGpc1TzVOcXJQD1rMqqlGnPuUccUNgDUG82zL95WDGVO8jJcxkrTNVjm
GaNL+BMHxznlLudES62L49cMvV2IMRx416ZMJ8RSOrh8WB2DeXXicWBfXyS9/jpe
9GxM1lhlSBhPM9a4hlvj28D9NgsqdzJ7Us5T/Up/MV44mnQ0ZbeNX+Q3CSPScnd0
L11hgyc7P2OG2i2G/Fn6ueWreIjaj7VjCfw0tpl/JbczvXkrYomeKDKlyq8qX17d
eNIvHlePt8zCBwo4O7xM3J3l0w/uZKBKFIwaXq0eRGt/jI8hXnkJD6dtFtgqfddy
csXjwHr3TdlCFR25ROZDSDKrY3nf+K3ryWWgqWyYyp8FrmRbUSfaaHyG0sZM0TCJ
KTED6mAMoty6OyY8yLgG2zt76qs5P79iSKD6Ohz0EZxmqXu3yB6kta1gZed5xJ7E
VKjoAxm7EbJNpjuMrMtP7bRg0IZCx6EyiZMxjfOnf3AZfGB838wTEkJUgug+ZIg2
QVDl0X4j1uuwtNGeg53AA69D6tkY6YR1Nb4voKACj3t4OcVhm/UCZzYhM1B5/XtU
g/KLIpMv4Xfb/lLIxyD47dSpTCQtIcLl5SARcY3X0QWgUFEJwldjLFK2prDHi0wJ
ToSdTp969/Xe
=retl
-----END PGP SIGNATURE-----
--- End Message ---

