Your message dated Thu, 27 Mar 2025 00:47:23 +0000
with message-id <e1txbp1-00amaq...@fasolo.debian.org>
and subject line Bug#1100566: fixed in libxslt 1.1.35-1+deb12u1
has caused the Debian Bug report #1100566,
regarding libxslt: CVE-2025-24855: Use-after-free due to xsltEvalXPathStringNs leaking xpathCtxt->node
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1100566: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1100566
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libxslt
Version: 1.1.35-1
Severity: grave
Tags: security upstream
Forwarded: https://gitlab.gnome.org/GNOME/libxslt/-/issues/128
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for libxslt.

CVE-2025-24855[0]:
| numbers.c in libxslt before 1.1.43 has a use-after-free because, in
| nested XPath evaluations, an XPath context node can be modified but
| never restored. This is related to xsltNumberFormatGetValue,
| xsltEvalXPathPredicate, xsltEvalXPathStringNs, and
| xsltComputeSortResultInternal.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-24855
    https://www.cve.org/CVERecord?id=CVE-2025-24855
[1] https://gitlab.gnome.org/GNOME/libxslt/-/issues/128
[2] https://gitlab.gnome.org/GNOME/libxslt/-/commit/c7c7f1f78dd202a053996fcefe57eb994aec8ef2

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
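
A simplified model of the bug class named in the CVE text above, added here as an illustration and not taken from libxslt or its fix: a nested evaluation changes the context node and either leaves it changed or restores it before returning. All `toy_*` and `eval_string_*` names are hypothetical, and the temporary node with a liveness flag (used instead of a real `free()`) is an assumption made so the stale pointer can be inspected safely.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy stand-ins (hypothetical, not libxslt types). "alive" replaces a real
 * free() so the stale pointer can be examined without undefined behaviour. */
typedef struct { const char *name; bool alive; } toy_node;
typedef struct { toy_node *node; } toy_xpath_ctxt;

/* Nested evaluation that switches the context node and returns without
 * putting the caller's node back: the pattern the CVE text describes. */
static size_t eval_string_leaky(toy_xpath_ctxt *ctxt, toy_node *inner) {
    ctxt->node = inner;
    return strlen(inner->name);
}

/* Same evaluation with the caller's context node saved and restored. */
static size_t eval_string_restoring(toy_xpath_ctxt *ctxt, toy_node *inner) {
    toy_node *saved = ctxt->node;
    ctxt->node = inner;
    size_t n = strlen(inner->name);
    ctxt->node = saved;
    return n;
}

typedef size_t (*eval_fn)(toy_xpath_ctxt *, toy_node *);

/* Outer evaluation: runs a nested evaluation on a temporary node, releases
 * the temporary, then reports whether ctxt->node still names a live node. */
static bool outer_context_still_valid(eval_fn nested) {
    toy_node doc_node = { "document-node", true };
    toy_node temp = { "temporary-result", true };
    toy_xpath_ctxt ctxt = { &doc_node };

    nested(&ctxt, &temp);
    temp.alive = false;        /* models the temporary node being freed */

    return ctxt.node->alive;   /* false: the outer step holds a stale node */
}

int main(void) {
    printf("leaky nested eval:     context valid = %d\n",
           outer_context_still_valid(eval_string_leaky));
    printf("restoring nested eval: context valid = %d\n",
           outer_context_still_valid(eval_string_restoring));
    return 0;
}
```
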
--- Begin Message ---
Source: libxslt
Source-Version: 1.1.35-1+deb12u1
Done: Salvatore Bonaccorso <car...@debian.org>

We believe that the bug you reported is fixed in the latest version of
libxslt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1100...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated libxslt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 15 Mar 2025 14:53:42 +0100
Source: libxslt
Architecture: source
Version: 1.1.35-1+deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: Debian XML/SGML Group <debian-xml-sgml-p...@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 1100565 1100566
Changes:
 libxslt (1.1.35-1+deb12u1) bookworm-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix UAF related to excluded namespaces (CVE-2024-55549) (Closes: #1100565)
   * Fix use-after-free of XPath context node (CVE-2025-24855)
     (Closes: #1100566)
Checksums-Sha1: 
 f5883c1433c3906a830ccd15ea819d9332f22a9f 2343 libxslt_1.1.35-1+deb12u1.dsc
 9e4e7f884f8ac88c17df0f9475201bef985d42e4 1827548 libxslt_1.1.35.orig.tar.xz
 ddf0672dafd3575e2ea829c7ef6e69e05ed8f3dd 22944 libxslt_1.1.35-1+deb12u1.debian.tar.xz
Checksums-Sha256:
 542b36489cdca4a13dc1bb383842f9c7c1d7169d8d30a100367372fe5fae86c6 2343 libxslt_1.1.35-1+deb12u1.dsc
 8247f33e9a872c6ac859aa45018bc4c4d00b97e2feac9eebc10c93ce1f34dd79 1827548 libxslt_1.1.35.orig.tar.xz
 4d8717f10aa236e08219f495881065d15a7115d61536d4865a67274bf442a8db 22944 libxslt_1.1.35-1+deb12u1.debian.tar.xz
Files:
 09bec485675dd2e0b9eb03d93c9b7ea2 2343 text optional libxslt_1.1.35-1+deb12u1.dsc
 5b3a634b77effd8a6268c21173575053 1827548 text optional libxslt_1.1.35.orig.tar.xz
 d6dfe82538724b37cb59eede91d499f6 22944 text optional libxslt_1.1.35-1+deb12u1.debian.tar.xz


-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----


--- End Message ---