Package: libxslt1.1
Version: 1.1.32-2
Severity: grave

The upstream version of LibXSLT shipped in Debian stable (1.1.32) has the following three CVEs reported against it:

https://nvd.nist.gov/vuln/detail/CVE-2019-11068
https://nvd.nist.gov/vuln/detail/CVE-2019-13117
https://nvd.nist.gov/vuln/detail/CVE-2019-13118

Debian has taken notice of these, but has only patched them in jessie (a.k.a. oldoldstable):

https://lists.debian.org/debian-lts-announce/2019/04/msg00016.html
https://lists.debian.org/debian-lts-announce/2019/07/msg00020.html

The current jessie package version of LibXSLT (1.1.28-2+deb8u5) contains the following patch files:

CVE-2019-11068.patch
CVE-2019-13117.patch
CVE-2019-13118.patch

These are not present in 1.1.32-2, and so these vulnerabilities appear to be exploitable in Debian stable, testing, and sid.

The current upstream release of LibXSLT is 1.1.33, which unfortunately still has the above three CVEs. However, they appear to have been patched in Git.