Your message dated Sun, 25 Aug 2019 13:47:30 +0000
with message-id <e1i1sri-0000h7...@fasolo.debian.org>
and subject line Bug#933743: fixed in libxslt 1.1.29-2.1+deb9u1
has caused the Debian Bug report #933743,
regarding LibXSLT in Debian stable has three unpatched security vulnerabilities
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
933743: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933743
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libxslt1.1
Version: 1.1.32-2
Severity: grave

The upstream version of LibXSLT shipped in Debian stable (1.1.32) has
the following three CVEs reported against it:

    https://nvd.nist.gov/vuln/detail/CVE-2019-11068
    https://nvd.nist.gov/vuln/detail/CVE-2019-13117
    https://nvd.nist.gov/vuln/detail/CVE-2019-13118

Debian has taken notice of these, but has only patched them in jessie
(a.k.a. oldoldstable):

    https://lists.debian.org/debian-lts-announce/2019/04/msg00016.html
    https://lists.debian.org/debian-lts-announce/2019/07/msg00020.html

The current jessie package version of LibXSLT (1.1.28-2+deb8u5) contains
the following patch files:

    CVE-2019-11068.patch
    CVE-2019-13117.patch
    CVE-2019-13118.patch

These are not present in 1.1.32-2, and so these vulnerabilities appear
to be exploitable in Debian stable, testing, and sid.

The current upstream release of LibXSLT is 1.1.33, which unfortunately
still has the above three CVEs. However, they appear to have been
patched in Git.

--- End Message ---
--- Begin Message ---
Source: libxslt
Source-Version: 1.1.29-2.1+deb9u1

We believe that the bug you reported is fixed in the latest version of
libxslt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 933...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated libxslt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 24 Aug 2019 14:04:13 +0200
Source: libxslt
Architecture: source
Version: 1.1.29-2.1+deb9u1
Distribution: stretch
Urgency: medium
Maintainer: Debian XML/SGML Group <debian-xml-sgml-p...@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 926895 931320 931321 933743
Changes:
 libxslt (1.1.29-2.1+deb9u1) stretch; urgency=medium
 .
   * Non-maintainer upload.
   * Fix security framework bypass (CVE-2019-11068) (Closes: #926895, #933743)
   * Fix uninitialized read of xsl:number token (CVE-2019-13117)
     (Closes: #931321, #933743)
   * Fix uninitialized read with UTF-8 grouping chars (CVE-2019-13118)
     (Closes: #931320, #933743)
Checksums-Sha1: 
 70e7c78198055d69973ac9b28354210e1f584886 2563 libxslt_1.1.29-2.1+deb9u1.dsc
 9963bba25c609012184ac5d815f6f6ab7b9b59b2 30436 libxslt_1.1.29-2.1+deb9u1.debian.tar.xz
Checksums-Sha256: 
 a7b353c973bd0a66c85c2786c608d9059fafa7c4f58613e3ca5a47124f4c4bb6 2563 libxslt_1.1.29-2.1+deb9u1.dsc
 1551bfcb01d176f629a4dbc9031617ecc35a8f1825fa470b4e9191115cb0f3dd 30436 libxslt_1.1.29-2.1+deb9u1.debian.tar.xz
Files: 
 c8059916bf34e28bd0331b011459e2ff 2563 text optional libxslt_1.1.29-2.1+deb9u1.dsc
 1b6d060c87131f68cbd22b73edb59c17 30436 text optional libxslt_1.1.29-2.1+deb9u1.debian.tar.xz


--- End Message ---
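As an added example (not code from the bug report or the Debian libxslt package), the following Python re-implements dpkg's version ordering so an administrator can check whether the libxslt1.1 version printed by `dpkg-query -W -f='${Version}' libxslt1.1` on a stretch host is at or above the fixed 1.1.29-2.1+deb9u1 from the changelog above; the function names `compare_versions` and `is_fixed` are this example's own. The check is only meaningful within the stretch package line: as the report notes, 1.1.32-2 in testing and sid compares higher yet lacked the patches, so a version comparison across suites says nothing about exposure.

```python
# Added example: dpkg's version ordering (verrevcmp) re-implemented in Python,
# used to check whether an installed stretch libxslt1.1 is at or above the fix.
FIXED_STRETCH = "1.1.29-2.1+deb9u1"  # fix version from the changelog in this thread


def _order(ch):
    # dpkg char weight: end/digit 0, '~' below everything, letters by code point, other punctuation above letters
    return 0 if ch == "" or ch.isdigit() else -1 if ch == "~" else ord(ch) if ch.isalpha() else ord(ch) + 256


def _verrevcmp(a, b):
    # alternate non-digit runs (compared by weight) and digit runs (compared numerically)
    ia = ib = 0
    while ia < len(a) or ib < len(b):
        first_diff = 0
        while (ia < len(a) and not a[ia].isdigit()) or (ib < len(b) and not b[ib].isdigit()):
            ac = _order(a[ia:ia + 1])  # slice yields "" past the end, which sorts after '~'
            bc = _order(b[ib:ib + 1])
            if ac != bc:
                return ac - bc
            ia, ib = ia + 1, ib + 1
        while ia < len(a) and a[ia] == "0":  # leading zeros are insignificant
            ia += 1
        while ib < len(b) and b[ib] == "0":
            ib += 1
        while ia < len(a) and ib < len(b) and a[ia].isdigit() and b[ib].isdigit():
            first_diff = first_diff or ord(a[ia]) - ord(b[ib])  # first differing digit decides
            ia, ib = ia + 1, ib + 1
        if ia < len(a) and a[ia].isdigit():  # the longer digit run is the larger number
            return 1
        if ib < len(b) and b[ib].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def compare_versions(a, b):
    # <0, 0 or >0 like dpkg --compare-versions: epoch, then upstream, then debian revision
    def split(v):  # [epoch:]upstream[-revision]
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, revision
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    return (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def is_fixed(installed, fixed=FIXED_STRETCH):
    # True when the installed stretch package is at or above the fix version
    return compare_versions(installed, fixed) >= 0
```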
