Your message dated Fri, 24 Oct 2025 21:15:48 +0200
with message-id <[email protected]>
and subject line Re: Accepted libxslt 1.1.43-0.3 (source) into unstable
has caused the Debian Bug report #1118078,
regarding libxslt: CVE-2025-11731
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1118078: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1118078
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libxslt
Version: 1.1.43-0.2
Severity: important
Tags: security upstream
Forwarded: https://gitlab.gnome.org/GNOME/libxslt/-/issues/151
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 1.1.35-1
Control: found -1 1.1.35-1+deb12u2
Control: found -1 1.1.35-1+deb12u3
Control: found -1 1.1.35-1.2+deb13u1
Control: found -1 1.1.35-1.2+deb13u2
Hi,
The following vulnerability was published for libxslt.
CVE-2025-11731[0]:
| A flaw was found in the exsltFuncResultComp() function of libxslt,
| which handles EXSLT <func:result> elements during stylesheet
| parsing. Due to improper type handling, the function may treat an
| XML document node as a regular XML element node, resulting in a type
| confusion. This can cause unexpected memory reads and potential
| crashes. While difficult to exploit, the flaw could lead to
| application instability or denial of service.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-11731
https://www.cve.org/CVERecord?id=CVE-2025-11731
[1] https://gitlab.gnome.org/GNOME/libxslt/-/issues/151
[2] https://gitlab.gnome.org/GNOME/libxslt/-/commit/fe508f201efb9ea37bfbe95413b8b28251497de3
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: libxslt
Source-Version: 1.1.43-0.3
On Fri, Oct 24, 2025 at 05:49:09PM +0000, Debian FTP Masters wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Format: 1.8
> Date: Fri, 24 Oct 2025 19:05:05 +0200
> Source: libxslt
> Architecture: source
> Version: 1.1.43-0.3
> Distribution: unstable
> Urgency: medium
> Maintainer: Debian XML/SGML Group <[email protected]>
> Changed-By: Matthias Klose <[email protected]>
> Changes:
> libxslt (1.1.43-0.3) unstable; urgency=medium
> .
> * Non-maintainer upload.
> * CVE-2025-11731: End function node ancestor search at document,
> taken from the trunk.
> * CVE-2025-10911: Proposed patch, taken from
> https://gitlab.gnome.org/GNOME/libxslt/-/merge_requests/77.
>
> -----BEGIN PGP SIGNATURE-----
>
> -----END PGP SIGNATURE-----
--- End Message ---