Your message dated Thu, 21 Aug 2025 17:47:12 +0000
with message-id <[email protected]>
and subject line Bug#1109123: fixed in libxslt 1.1.35-1.2+deb13u1
has caused the Debian Bug report #1109123,
regarding libxslt: CVE-2025-7424
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1109123: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109123
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libxslt
Version: 1.1.35-1.2
Severity: important
Tags: security upstream
Forwarded: https://gitlab.gnome.org/GNOME/libxslt/-/issues/139
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for libxslt.
CVE-2025-7424[0]:
| A flaw was found in the libxslt library. The same memory field,
| psvi, is used for both stylesheet and input data, which can lead to
| type confusion during XML transformations. This vulnerability allows
| an attacker to crash the application or corrupt memory. In some
| cases, it may lead to denial of service or unexpected behavior.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-7424
https://www.cve.org/CVERecord?id=CVE-2025-7424
[1] https://gitlab.gnome.org/GNOME/libxslt/-/issues/139
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: libxslt
Source-Version: 1.1.35-1.2+deb13u1
Done: Aron Xu <[email protected]>
We believe that the bug you reported is fixed in the latest version of
libxslt, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Aron Xu <[email protected]> (supplier of updated libxslt package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 13 Aug 2025 19:12:53 +0800
Source: libxslt
Architecture: source
Version: 1.1.35-1.2+deb13u1
Distribution: trixie-security
Urgency: medium
Maintainer: Debian XML/SGML Group <[email protected]>
Changed-By: Aron Xu <[email protected]>
Closes: 1108074 1109123
Changes:
libxslt (1.1.35-1.2+deb13u1) trixie-security; urgency=medium
.
* Fix information disclosure with improved memory handling of generated-id()
(Closes: #1108074, CVE-2023-40403)
* Fix type confusion in xmlNode.psvi between stylesheet and source nodes
(Closes: #1109123, CVE-2025-7424)
Checksums-Sha1:
0350297ddafb6505b47f2d3af3222c41d155a2cf 1850 libxslt_1.1.35-1.2+deb13u1.dsc
9e4e7f884f8ac88c17df0f9475201bef985d42e4 1827548 libxslt_1.1.35.orig.tar.xz
08216f4bbf04584ffe850e69a3d705bc431fdb8b 30456
libxslt_1.1.35-1.2+deb13u1.debian.tar.xz
5510688948e97b8f8647f8370cc72eb934f1d11a 5452
libxslt_1.1.35-1.2+deb13u1_source.buildinfo
Checksums-Sha256:
d5de86c66c7833442d0c06881dac36c02063c12122bf0bbb3b671df95001e52f 1850
libxslt_1.1.35-1.2+deb13u1.dsc
8247f33e9a872c6ac859aa45018bc4c4d00b97e2feac9eebc10c93ce1f34dd79 1827548
libxslt_1.1.35.orig.tar.xz
b55ef92c63959181f6a9772c506de589d27ea0baeff7967f456055db4a3e37de 30456
libxslt_1.1.35-1.2+deb13u1.debian.tar.xz
2456f6471d17acd0fa4831b8b8db8fa783f29593d90004816171c1338b7dda6f 5452
libxslt_1.1.35-1.2+deb13u1_source.buildinfo
Files:
709524624c720903002bcee1d855f0b7 1850 text optional
libxslt_1.1.35-1.2+deb13u1.dsc
5b3a634b77effd8a6268c21173575053 1827548 text optional
libxslt_1.1.35.orig.tar.xz
f761d7562c6439902a6befa6f21da6af 30456 text optional
libxslt_1.1.35-1.2+deb13u1.debian.tar.xz
fe95c865a42fc38c39ab477ed5cc4f2e 5452 text optional
libxslt_1.1.35-1.2+deb13u1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCgAdFiEEBLHAyuu1xqoC2aJ5NP8o68vMTMgFAmiiERgACgkQNP8o68vM
TMhndQgAkZaKGW4LF+rU8mIkV7xFIy6s7lWM/bolc+/WF6BYrHa0I4pE75wjVITc
/R4QHYeunH7TiR/euP/nhFT1O++jBqQvyLdOkr73CxHZbcen8jkNBCrOhZWXeOAd
iG94SPhxCz8tdFHovBczVhtjDU1VuQE0BiEm69EzHVczAHiR4O4Gg5vfVC0CaHcB
P7ZkapVX0u0EzvMcD3HvAYzQK/Ii0BjaRmQhNkwJcbE1Qoz/YYtxBg291+dQogfi
K4DnsXgun1+xiE1pI1678kXXHXXTUoGV8MiZAuts6xalECYqLuelQ3Qhqs7G9vX/
zlCYZyf59wpNenkRc8ocSRSigpj4mA==
=nVZO
-----END PGP SIGNATURE-----
pgpnn1hmqvjbk.pgp
Description: PGP signature
--- End Message ---
