Bug#933743: LibXSLT in Debian stable has three unpatched security vulnerabilities
On Tue, 2019 Aug 6 15:20-04:00, Salvatore Bonaccorso wrote:
>
> No I was referring to the bugs filed in the BTS, they were #926895,
> #931321 and #931320. We then cross reference those to/from the
> security-tracker as well. I added your bug as well later on.

I think what may have happened was that these bugs were filed against the
source package, but I had (only) checked the bugs for libxslt1.1, the runtime
binary package. I will make a note to additionally check the source package in
this kind of situation in the future.

> Done and it entered unstable today,
> https://tracker.debian.org/news/1052113/accepted-libxslt-1132-21-source-into-unstable/
> . Will look into preparing, based on that, a buster-pu update as well, and
> possibly, time permitting, one back to stretch.

Greatly appreciate your work here, as will users running those releases.
Bug#933743: LibXSLT in Debian stable has three unpatched security vulnerabilities
Hi!

On Sun, Aug 04, 2019 at 08:26:04PM -0400, Daniel Richard G. wrote:
> On Sun, 2019 Aug 4 03:20-04:00, Salvatore Bonaccorso wrote:
> >
> > Sure it might have been overlooked, but pinging the existing bug would
> > have been less overhead than now also starting to track this one as well,
> > adjusting metadata etc. But no worries.
>
> Just so that I understand, there was an existing bug? I checked the open
> bugs before filing this one, but didn't see anything relating to those
> CVEs. Do you mean something with the security tracker?

No, I was referring to the bugs filed in the BTS; they were #926895,
#931321 and #931320. We then cross-reference those to/from the
security-tracker as well. I added your bug as well later on.

> > CVSS severity scores are really very dependent on who assesses them. I
> > guess you are referring to the ones as assessed by NVD. Agreed though
> > that Felix Wilhelm has provided a nice exploiting vector example in
> > the upstream issue for local file access depending on context of how
> > libxslt would be used.
>
> And I figure LibXSLT is used in a number of ways that may result in
> security exposure, not just within Debian itself, but also user
> applications built on top of it.
>
> > Anyway I prepared a non-maintainer upload for libxslt addressing all
> > three CVEs in unstable and uploaded it to DELAYED/2 and created a merge
> > request on salsa.
>
> Thank you, I will watch for it in sid :)

Done and it entered unstable today,
https://tracker.debian.org/news/1052113/accepted-libxslt-1132-21-source-into-unstable/ .
Will look into preparing, based on that, a buster-pu update as well, and
possibly, time permitting, one back to stretch.

Regards,
Salvatore
Bug#933743: LibXSLT in Debian stable has three unpatched security vulnerabilities
On Sun, 2019 Aug 4 03:20-04:00, Salvatore Bonaccorso wrote:
>
> Sure it might have been overlooked, but pinging the existing bug would
> have been less overhead than now also starting to track this one as well,
> adjusting metadata etc. But no worries.

Just so that I understand, there was an existing bug? I checked the open
bugs before filing this one, but didn't see anything relating to those
CVEs. Do you mean something with the security tracker?

> CVSS severity scores are really very dependent on who assesses them. I
> guess you are referring to the ones as assessed by NVD. Agreed though
> that Felix Wilhelm has provided a nice exploiting vector example in
> the upstream issue for local file access depending on context of how
> libxslt would be used.

And I figure LibXSLT is used in a number of ways that may result in
security exposure, not just within Debian itself, but also user
applications built on top of it.

> Anyway I prepared a non-maintainer upload for libxslt addressing all
> three CVEs in unstable and uploaded it to DELAYED/2 and created a merge
> request on salsa.

Thank you, I will watch for it in sid :)
Bug#933743: LibXSLT in Debian stable has three unpatched security vulnerabilities
Hi Daniel,

On Sat, Aug 03, 2019 at 08:57:56PM -0400, Daniel Richard G. wrote:
> Hi Salvatore,
>
> On Sat, 2019 Aug 3 09:32-04:00, Salvatore Bonaccorso wrote:
> >
> > As you can see from the security-tracker btw, for all three there are
> > bugs filed already. So why a new bug for all three together? :)
>
> The earliest CVE is nearly four months old, and patches already exist. I
> filed the bug since it seems a sid/stable update has been overlooked...

Sure it might have been overlooked, but pinging the existing bug would
have been less overhead than now also starting to track this one as well,
adjusting metadata etc. But no worries.

> > Btw, they do not warrant a DSA, but LTS might not classify them
> > similarly as for stretch and buster, so there was a DLA because there
> > is no point release in LTS.
>
> The CVSS severity scores are fairly high for CVE-2019-11068... don't
> DSAs include less-exploitable issues than this? (I'm pretty sure a
> number of network-facing applications use LibXSLT)

CVSS severity scores are really very dependent on who assesses them. I
guess you are referring to the ones as assessed by NVD. Agreed though
that Felix Wilhelm has provided a nice exploiting vector example in
the upstream issue for local file access depending on context of how
libxslt would be used.

Anyway I prepared a non-maintainer upload for libxslt addressing all
three CVEs in unstable and uploaded it to DELAYED/2 and created a merge
request on salsa.

Regards,
Salvatore
Bug#933743: LibXSLT in Debian stable has three unpatched security vulnerabilities
Hi Salvatore,

On Sat, 2019 Aug 3 09:32-04:00, Salvatore Bonaccorso wrote:
>
> As you can see from the security-tracker btw, for all three there are
> bugs filed already. So why a new bug for all three together? :)

The earliest CVE is nearly four months old, and patches already exist. I
filed the bug since it seems a sid/stable update has been overlooked...

> Btw, they do not warrant a DSA, but LTS might not classify them
> similarly as for stretch and buster, so there was a DLA because there
> is no point release in LTS.

The CVSS severity scores are fairly high for CVE-2019-11068... don't
DSAs include less-exploitable issues than this? (I'm pretty sure a
number of network-facing applications use LibXSLT)

I understand that LTS may handle updates differently, but aren't these
issues rather significant to defer fixes to the next point release? And
even then, shouldn't at least sid have the fix already?
Bug#933743: LibXSLT in Debian stable has three unpatched security vulnerabilities
Hi,

On Fri, Aug 02, 2019 at 03:30:41PM -0400, Daniel Richard G. wrote:
> Package: libxslt1.1
> Version: 1.1.32-2
> Severity: grave
>
> The upstream version of LibXSLT shipped in Debian stable (1.1.32) has
> the following three CVEs reported against it:
>
> https://nvd.nist.gov/vuln/detail/CVE-2019-11068
> https://nvd.nist.gov/vuln/detail/CVE-2019-13117
> https://nvd.nist.gov/vuln/detail/CVE-2019-13118
>
> Debian has taken notice of these, but has only patched them in jessie
> (a.k.a. oldoldstable):
>
> https://lists.debian.org/debian-lts-announce/2019/04/msg00016.html
> https://lists.debian.org/debian-lts-announce/2019/07/msg00020.html
>
> The current jessie package version of LibXSLT (1.1.28-2+deb8u5) contains
> the following patch files:
>
> CVE-2019-11068.patch
> CVE-2019-13117.patch
> CVE-2019-13118.patch
>
> These are not present in 1.1.32-2, and so these vulnerabilities appear
> to be exploitable in Debian stable, testing, and sid.

As you can see from the security-tracker btw, for all three there are
bugs filed already. So why a new bug for all three together? :)

Btw, they do not warrant a DSA, but LTS might not classify them
similarly as for stretch and buster, so there was a DLA because there
is no point release in LTS.

Regards,
Salvatore
Bug#933743: LibXSLT in Debian stable has three unpatched security vulnerabilities
Package: libxslt1.1
Version: 1.1.32-2
Severity: grave

The upstream version of LibXSLT shipped in Debian stable (1.1.32) has
the following three CVEs reported against it:

https://nvd.nist.gov/vuln/detail/CVE-2019-11068
https://nvd.nist.gov/vuln/detail/CVE-2019-13117
https://nvd.nist.gov/vuln/detail/CVE-2019-13118

Debian has taken notice of these, but has only patched them in jessie
(a.k.a. oldoldstable):

https://lists.debian.org/debian-lts-announce/2019/04/msg00016.html
https://lists.debian.org/debian-lts-announce/2019/07/msg00020.html

The current jessie package version of LibXSLT (1.1.28-2+deb8u5) contains
the following patch files:

CVE-2019-11068.patch
CVE-2019-13117.patch
CVE-2019-13118.patch

These are not present in 1.1.32-2, and so these vulnerabilities appear
to be exploitable in Debian stable, testing, and sid.

The current upstream release of LibXSLT is 1.1.33, which unfortunately
still has the above three CVEs. However, they appear to have been patched
in Git.
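The check the reporter describes (compare the patch files shipped in one Debian package revision against the CVE list) can be scripted against an unpacked source package's debian/patches/series file. The script below is an added example and is not part of the bug report or of the libxslt packaging; the two series files it creates are constructed for the example (one resembling the jessie package with one patch per CVE, one resembling the unpatched 1.1.32-2), and matching on the CVE id in the patch name is a heuristic, since maintainers may name patches without the CVE id or fold several fixes into one patch.

```shell
#!/bin/sh
# Added example, not from the Debian bug thread or the libxslt package.
# Reports which CVE ids of interest have no patch entry in a
# debian/patches/series file (comments and blank lines ignored).

# missing_cve_patches SERIES_FILE CVE...
# Prints each CVE id that no patch name in SERIES_FILE mentions, one per
# line. Exit status 0 when every CVE is covered, 1 otherwise.
missing_cve_patches() {
    series="$1"; shift
    rc=0
    for cve in "$@"; do
        # literal (-F) match so the id is not treated as a regex
        if ! grep -v '^[[:space:]]*#' "$series" | grep -Fq -- "$cve"; then
            printf '%s\n' "$cve"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample series files (assumption: real packages are checked
# by pointing at <unpacked-source>/debian/patches/series instead).
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
cat > "$tmpdir/patched.series" <<'EOF'
# constructed: resembles the jessie 1.1.28-2+deb8u5 package
0001-unrelated-build-fix.patch
CVE-2019-11068.patch
CVE-2019-13117.patch
CVE-2019-13118.patch
EOF
cat > "$tmpdir/unpatched.series" <<'EOF'
# constructed: resembles the 1.1.32-2 package with no CVE patches
0001-unrelated-build-fix.patch
EOF

CVES="CVE-2019-11068 CVE-2019-13117 CVE-2019-13118"

# Usage: report on both constructed packages.
for f in patched unpatched; do
    printf '%s: ' "$f"
    if missing_cve_patches "$tmpdir/$f.series" $CVES; then
        echo "all CVE patches present"
    else
        echo "(patches missing for the ids listed above)"
    fi
done
```

Running it against a real tree is a matter of replacing the sample path with `debian/patches/series` from `apt-get source libxslt`; a CVE listed as missing is a prompt to check the security-tracker and the changelog, not proof that the package is vulnerable, because the fix may have landed upstream in the version being packaged.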