Your message dated Mon, 12 Aug 2019 19:17:09 +0000
with message-id <e1hxfob-000ebr...@fasolo.debian.org>
and subject line Bug#933743: fixed in libxslt 1.1.32-2.1~deb10u1
has caused the Debian Bug report #933743,
regarding LibXSLT in Debian stable has three unpatched security vulnerabilities
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
933743: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933743
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libxslt1.1
Version: 1.1.32-2
Severity: grave

The upstream version of LibXSLT shipped in Debian stable (1.1.32) has
the following three CVEs reported against it:

    https://nvd.nist.gov/vuln/detail/CVE-2019-11068
    https://nvd.nist.gov/vuln/detail/CVE-2019-13117
    https://nvd.nist.gov/vuln/detail/CVE-2019-13118

Debian has taken notice of these, but has only patched them in jessie
(a.k.a. oldoldstable):

    https://lists.debian.org/debian-lts-announce/2019/04/msg00016.html
    https://lists.debian.org/debian-lts-announce/2019/07/msg00020.html

The current jessie package version of LibXSLT (1.1.28-2+deb8u5) contains
the following patch files:

    CVE-2019-11068.patch
    CVE-2019-13117.patch
    CVE-2019-13118.patch

These are not present in 1.1.32-2, and so these vulnerabilities appear
to be exploitable in Debian stable, testing, and sid.

The current upstream release of LibXSLT is 1.1.33, which unfortunately
still has the above three CVEs. However, they appear to have been
patched in Git.

--- End Message ---
--- Begin Message ---
Source: libxslt
Source-Version: 1.1.32-2.1~deb10u1

We believe that the bug you reported is fixed in the latest version of
libxslt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 933...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated libxslt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 09 Aug 2019 21:49:31 +0200
Source: libxslt
Architecture: source
Version: 1.1.32-2.1~deb10u1
Distribution: buster
Urgency: medium
Maintainer: Debian XML/SGML Group <debian-xml-sgml-p...@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 926895 931320 931321 933743
Changes:
 libxslt (1.1.32-2.1~deb10u1) buster; urgency=medium
 .
   * Rebuild for buster
 .
 libxslt (1.1.32-2.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Fix security framework bypass (CVE-2019-11068) (Closes: #926895, #933743)
   * Fix uninitialized read of xsl:number token (CVE-2019-13117)
     (Closes: #931321, #933743)
   * Fix uninitialized read with UTF-8 grouping chars (CVE-2019-13118)
     (Closes: #931320, #933743)
Checksums-Sha1: 
 74e907d0f8a1547f5eb70f537fbf59c845559827 2781 libxslt_1.1.32-2.1~deb10u1.dsc
 0398bf28f5b8d04e3b1feeeb5bfabd461b0a8fb3 33864 libxslt_1.1.32-2.1~deb10u1.debian.tar.xz
Checksums-Sha256: 
 c81cf808598b6c7eaafa573658ab7f2db98bb5831ec0a0d7982e51bddb15a8e2 2781 libxslt_1.1.32-2.1~deb10u1.dsc
 e2b83f24090e5852149094612062fe1be2f75ad241dfbc66e6350b4b0e6d5641 33864 libxslt_1.1.32-2.1~deb10u1.debian.tar.xz
Files: 
 a2b647d2d424cded699a069631174711 2781 text optional libxslt_1.1.32-2.1~deb10u1.dsc
 6bba547dd07821d41404f9357429aab7 33864 text optional libxslt_1.1.32-2.1~deb10u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAl1N0AdfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89EEAcP/3NtLTd9lsKJl6V5ua4s/RI/K1QV3mKg
TyyBCx+h18896arJsz1F8Bqom0qZhiAvOx25bTURBcU8vwCcd9y6RDr80ndQ2vDT
hBoUM2zTjRcB/28OVIn5Svb3bvCEtPvy3xFa7RssmAmi1KVvHa/eM87pWMjNmXsD
EPRxphIVDpBSq4SCeFW0etp2wo1oa0mG+Ej4X/uyas7GWQM4ZLs6EkZVFgCnQGT4
Eieg/4+50vZSEzxXHvShxDeBE2VnJZ87LgWpRU3CsydzmSJ3r3P7/VDMuzQOWSvg
qYDuVn6IOMk18xWDFlnjweEUSawlJK3jxzmIw3IAwZrhKucK4cocYrjaMovAVBQc
mTa4boLAMP+NzK08p3rtGvVkg8VCuPFj5fAP/WXDOQ3HbsCA0QhFjUZ69WreYmxH
bKysMHAgqQE1SG/qhOdvcbLGuNuMUtokVSBWHg2WBJXltq1i02KHYhJMGhS0uv6a
kWI8iIFjZe5/YrRc6pxfZoEb3SvK5JOZCrw5BuNrFmg09yZ4FfzbCBSSZA/iVWyN
kFvkezrKN6msNC7sUEpTPOuHgqK6If2t2B5sXmZ5EsfuF0YvDnHipiEnvnBIFAiE
qfxrwLxcqZzhVoY9Vra+CSuutC8GmHGgahaRc5o8TtsI6NlKMwxv/98MmIkWK+Md
E6lmK2k50hAb
=IvBr
-----END PGP SIGNATURE-----

--- End Message ---
