Your message dated Sun, 13 Nov 2016 11:17:12 +0000
with message-id <[email protected]>
and subject line Bug#842570: fixed in libxslt 1.1.28-2+deb8u2
has caused the Debian Bug report #842570,
regarding libxslt: CVE-2016-4738: possible heap overread
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
842570: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=842570
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libxslt
Version: 1.1.28-2
Severity: grave
Tags: security upstream patch
Hi,
the following vulnerability was published for libxslt.
CVE-2016-4738[0]:
| libxslt in Apple iOS before 10, OS X before 10.12, tvOS before 10, and
| watchOS before 3 allows remote attackers to execute arbitrary code or
| cause a denial of service (memory corruption) via a crafted web site.
Unfortunately as for many libxml2 issues, the above is not very
specific and there is upstream bug referenced. But the fix is
mentioned as [1].
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2016-4738
[1]
https://git.gnome.org/browse/libxslt/commit/?id=eb1030de31165b68487f288308f9d1810fed6880
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: libxslt
Source-Version: 1.1.28-2+deb8u2
We believe that the bug you reported is fixed in the latest version of
libxslt, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated libxslt package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 06 Nov 2016 21:43:39 +0100
Source: libxslt
Binary: libxslt1.1 libxslt1-dev libxslt1-dbg xsltproc python-libxslt1
python-libxslt1-dbg
Architecture: source
Version: 1.1.28-2+deb8u2
Distribution: jessie-security
Urgency: high
Maintainer: Debian XML/SGML Group <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 842570
Description:
libxslt1-dbg - XSLT 1.0 processing library - debugging symbols
libxslt1-dev - XSLT 1.0 processing library - development kit
libxslt1.1 - XSLT 1.0 processing library - runtime library
python-libxslt1 - Python bindings for libxslt1
python-libxslt1-dbg - Python bindings for libxslt1 (debug extension)
xsltproc - XSLT 1.0 command line processor
Changes:
libxslt (1.1.28-2+deb8u2) jessie-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Fix heap overread in xsltFormatNumberConversion (CVE-2016-4738)
(Closes: #842570)
Checksums-Sha1:
6a250431bb43b792352b0d17dcce4e62aee3fc2c 2529 libxslt_1.1.28-2+deb8u2.dsc
aa8895a781dc554bfe6416843ef25b4cffa054df 37564
libxslt_1.1.28-2+deb8u2.debian.tar.xz
Checksums-Sha256:
e5a1286006f7c9d136f1a2441e4993deb35551ed359d4cb7492d3128835f6f64 2529
libxslt_1.1.28-2+deb8u2.dsc
218aa08affb2a5c8b8935a8b44d09e7727cbf453576b4c3e0886fd86a966cca0 37564
libxslt_1.1.28-2+deb8u2.debian.tar.xz
Files:
11e4607da911d652afd3bd9c8ffe4c1f 2529 text optional libxslt_1.1.28-2+deb8u2.dsc
d875d4c91dd9e2837f92565d6197f97e 37564 text optional
libxslt_1.1.28-2+deb8u2.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQKPBAEBCgB5BQJYIWmsXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ0NjQ0NDA5ODA4QzE3MUUwNTUzMURERUUw
NTRDQjhGMzEzNDNDRjQ0EhxjYXJuaWxAZGViaWFuLm9yZwAKCRAFTLjzE0PPRPQy
D/sFdBerxEHHzUTOdjjmgj4i47aWWvSJn9RP/XLgmzQOJosrEyHhZnS+ceTKS/7/
u3XbNNu0uphlKDrDIc3pTkJYLEIngVCgOBgNjLV7up/hC2o7gPhSfagtGS4gN60n
JeR22EWr4KkGvaP52NoLG//EwECMKCj8EkPSOc1rnjQeQVqmu/7+x6YykqJVoIbf
kQL+w4y39yBLVzkirm1VbnrjLWQdQS0pnYJ6xpnheru5sqj44SJ2nEl8ZvJ2CNxv
xKuYSCI8qJ4M+bW0vV9AKoUAPYOo/mqP8dkHlULQpJpO3cCC4WwCrg6b7pm+l7au
z8lqKfNTHZZcjKGrs4l/oKIUMA3LYFT4cRc8sGSJh15yZsmKDEGBw87nGqAOgCgk
7B11xk4g0WJ1VcXW5SWNwdcCw8vkxcfZ6FPQIKTzwsZ2YXCXO8bEqS8/yBEWrgSY
g4zvno+HEhnfsUepPgzy12dWIPpBM5LnUK+OdlYZEwMKzuLDbWsyF6qj6wH8zXFU
cXXwcfAjO7rwS5XKeRpRaBQ4V7nVZD9+H4y8rMEvW4BNBiNcovVr1WemK5OwLln0
ZHI1WuaFdoH5EaEWeoSWVyTykYnhLwIEk+e3vkL/Vq5EQHr/c1PS7QSyquQz0ePb
ySWzLMfl7guDTmrcxGc3AkuzAuIqb1qMdT1ZnYruMUTh+g==
=/WVz
-----END PGP SIGNATURE-----
--- End Message ---