Your message dated Tue, 06 Aug 2019 07:36:22 +0000
with message-id <e1huu18-000d2d...@fasolo.debian.org>
and subject line Bug#933743: fixed in libxslt 1.1.32-2.1
has caused the Debian Bug report #933743,
regarding LibXSLT in Debian stable has three unpatched security vulnerabilities
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
933743: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933743
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libxslt1.1
Version: 1.1.32-2
Severity: grave

The upstream version of LibXSLT shipped in Debian stable (1.1.32) has
the following three CVEs reported against it:

    https://nvd.nist.gov/vuln/detail/CVE-2019-11068
    https://nvd.nist.gov/vuln/detail/CVE-2019-13117
    https://nvd.nist.gov/vuln/detail/CVE-2019-13118

Debian has taken notice of these, but has only patched them in jessie
(a.k.a. oldoldstable):

    https://lists.debian.org/debian-lts-announce/2019/04/msg00016.html
    https://lists.debian.org/debian-lts-announce/2019/07/msg00020.html

The current jessie package version of LibXSLT (1.1.28-2+deb8u5) contains
the following patch files:

    CVE-2019-11068.patch
    CVE-2019-13117.patch
    CVE-2019-13118.patch

These are not present in 1.1.32-2, and so these vulnerabilities appear
to be exploitable in Debian stable, testing, and sid.

The current upstream release of LibXSLT is 1.1.33, which unfortunately
still has the above three CVEs. However, they appear to have been
patched in Git.

--- End Message ---
--- Begin Message ---
Source: libxslt
Source-Version: 1.1.32-2.1

We believe that the bug you reported is fixed in the latest version of
libxslt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 933...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated libxslt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Format: 1.8
Date: Sun, 04 Aug 2019 08:14:05 +0200
Source: libxslt
Architecture: source
Version: 1.1.32-2.1
Distribution: unstable
Urgency: medium
Maintainer: Debian XML/SGML Group <debian-xml-sgml-p...@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 926895 931320 931321 933743
Changes:
 libxslt (1.1.32-2.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Fix security framework bypass (CVE-2019-11068) (Closes: #926895, #933743)
   * Fix uninitialized read of xsl:number token (CVE-2019-13117)
     (Closes: #931321, #933743)
   * Fix uninitialized read with UTF-8 grouping chars (CVE-2019-13118)
     (Closes: #931320, #933743)


--- End Message ---
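A defender's check to go with the report above, added here as an example and not code from the bug report, the Debian BTS or the libxslt package: a Python reimplementation of dpkg's version ordering that tests whether a given libxslt1.1 version in a suite is at or above the fixed version this page names. The fixed-version table is constructed from the page (jessie 1.1.28-2+deb8u5 via the LTS updates, unstable/sid 1.1.32-2.1 via this upload) and the function names are my own.

```python
import re
from itertools import zip_longest

# Fixed libxslt1.1 versions as stated on this page (constructed lookup):
# jessie via the LTS updates, unstable/sid via the 1.1.32-2.1 NMU. The page
# names no fixed version for buster (stable), so it is deliberately absent.
FIXED_VERSIONS = {"jessie": "1.1.28-2+deb8u5",
                  "unstable": "1.1.32-2.1", "sid": "1.1.32-2.1"}

def _order(ch):
    """dpkg weight of one character in a non-digit run ('' = end of string)."""
    if ch == "~":                 # '~' sorts before anything, even end of string
        return -1
    if ch == "" or ch.isdigit():
        return 0
    return ord(ch) if ch.isalpha() else ord(ch) + 256   # letters before punctuation

def _cmp_fragment(a, b):
    """Compare an upstream or revision fragment the way dpkg's verrevcmp() does."""
    while a or b:
        na, nb = re.match(r"[^0-9]*", a).group(), re.match(r"[^0-9]*", b).group()
        for ca, cb in zip_longest(na, nb, fillvalue=""):   # non-digit run, by weight
            if _order(ca) != _order(cb):
                return -1 if _order(ca) < _order(cb) else 1
        a, b = a[len(na):], b[len(nb):]
        da, db = re.match(r"[0-9]*", a).group(), re.match(r"[0-9]*", b).group()
        ia, ib = int(da or 0), int(db or 0)                # digit run, numerically
        if ia != ib:
            return -1 if ia < ib else 1
        a, b = a[len(da):], b[len(db):]
    return 0

def _split(v):
    """Split 'epoch:upstream-revision' (first ':', last '-', both optional)."""
    epoch, sep, rest = v.partition(":")
    epoch, rest = (epoch, rest) if sep else ("0", v)
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (revision if sep else "")

def compare_versions(v1, v2):
    """Return -1, 0 or 1 as Debian version v1 is <, == or > v2."""
    (e1, u1, r1), (e2, u2, r2) = _split(v1), _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

def is_fixed(suite, version):
    """True when libxslt1.1 `version` in `suite` is at or above the fixed version."""
    return compare_versions(version, FIXED_VERSIONS[suite]) >= 0
```

This is a version-ordering check only: the report notes that upstream 1.1.33 itself still lacks the three fixes, so a newer upstream counts as fixed only where the Debian packaging carries the patches.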
