libxslt: Three security issues

Related Vulnerabilities: CVE-2012-2893   CVE-2012-2870   CVE-2012-2871  

Debian Bug report logs - #689422

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Tue, 2 Oct 2012 12:54:04 UTC

Severity: grave

Tags: patch, security

Fixed in versions libxslt/1.1.26-14, libxslt/1.1.26-6+squeeze2

Done: Aron Xu <aron@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>:
Bug#689422; Package libxslt. (Tue, 02 Oct 2012 12:54:07 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>. (Tue, 02 Oct 2012 12:54:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libxslt: Three security issues
Date: Tue, 02 Oct 2012 14:49:32 +0200
Package: libxslt
Severity: grave
Tags: security patch
Justification: user security hole

The Chrome developers found three security issues in libxslt:

CVE-2012-2893:
http://googlechromereleases.blogspot.de/2012/09/stable-channel-update_25.html

Patch:
http://git.gnome.org/browse/libxslt/commit/?id=54977ed7966847e305a2008cb18892df26eeb065


CVE-2012-2870:
http://googlechromereleases.blogspot.in/2012/08/stable-channel-update_30.html

Patches:
http://git.gnome.org/browse/libxslt/commit/libxslt/pattern.c?id=8566ab4a10158d195adb5f1f61afe1ee8bfebd12
http://git.gnome.org/browse/libxslt/commit/libxslt/functions.c?id=4da0f7e207f14a03daad4663865c285eb27f93e9
http://git.gnome.org/browse/libxslt/commit/libexslt/functions.c?id=24653072221e76d2f1f06aa71225229b532f8946
http://git.gnome.org/browse/libxslt/commit/?id=1564b30e994602a95863d9716be83612580a2fed


CVE-2012-2871:
http://googlechromereleases.blogspot.in/2012/08/stable-channel-update_30.html

Patch:
http://git.gnome.org/browse/libxslt/commit/?id=937ba2a3eb42d288f53c8adc211bd1122869f0bf


Can you please also prepare packages for stable-security?

Cheers,
        Moritz



Reply sent to Aron Xu <aron@debian.org>:
You have taken responsibility. (Tue, 02 Oct 2012 17:36:04 GMT)


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Tue, 02 Oct 2012 17:36:04 GMT)


Message #10 received at 689422-close@bugs.debian.org:

From: Aron Xu <aron@debian.org>
To: 689422-close@bugs.debian.org
Subject: Bug#689422: fixed in libxslt 1.1.26-14
Date: Tue, 02 Oct 2012 17:32:35 +0000
Source: libxslt
Source-Version: 1.1.26-14

We believe that the bug you reported is fixed in the latest version of
libxslt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 689422@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Aron Xu <aron@debian.org> (supplier of updated libxslt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 02 Oct 2012 23:53:39 +0800
Source: libxslt
Binary: libxslt1.1 libxslt1-dev libxslt1-dbg xsltproc python-libxslt1 python-libxslt1-dbg
Architecture: source amd64
Version: 1.1.26-14
Distribution: unstable
Urgency: low
Maintainer: Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>
Changed-By: Aron Xu <aron@debian.org>
Description: 
 libxslt1-dbg - XSLT 1.0 processing library - debugging symbols
 libxslt1-dev - XSLT 1.0 processing library - development kit
 libxslt1.1 - XSLT 1.0 processing library - runtime library
 python-libxslt1 - Python bindings for libxslt1
 python-libxslt1-dbg - Python bindings for libxslt1 (debug extension)
 xsltproc   - XSLT 1.0 command line processor
Closes: 689422
Changes: 
 libxslt (1.1.26-14) unstable; urgency=low
 .
   * Patch to fix three CVEs (Closes: #689422):
     - CVE-2012-2870 by Daniel Veillard and Chris Evans
     - CVE-2012-2871 by Daniel Veillard
     - CVE-2012-2893 by Chris Evans
Checksums-Sha1: 
 6beec4c09450c64bad073d65cba5ff27869a1c24 1970 libxslt_1.1.26-14.dsc
 49231be189cae628e96a13275af6b9cf3107b28f 37851 libxslt_1.1.26-14.debian.tar.gz
 c061894556cf26cf2e65c9e3eabaf9164f9da9ed 253330 libxslt1.1_1.1.26-14_amd64.deb
 ee6dda8f4fb8c7bed74d0e4b1eac41203e2b9688 651078 libxslt1-dev_1.1.26-14_amd64.deb
 383e8fe3f9b9f6b981c9c9b027244b22d58f300b 503204 libxslt1-dbg_1.1.26-14_amd64.deb
 af2055d367f461ff99a51e60c4a1bd0c3ccaa38e 116790 xsltproc_1.1.26-14_amd64.deb
 69fe4b15d25970c73a155a86163f03cc684fc4b7 171472 python-libxslt1_1.1.26-14_amd64.deb
 320dd9d603d405a2265b8f816571c71d6212980e 410756 python-libxslt1-dbg_1.1.26-14_amd64.deb
Checksums-Sha256: 
 e77009e62840eeb9f46319d9198bca9e0df74dc94690dffcc8e268e89da93c14 1970 libxslt_1.1.26-14.dsc
 085fcf7edb0f929b5f189e9e77e50a0b3ea4f76dcdc4fad5889163bfc07802a3 37851 libxslt_1.1.26-14.debian.tar.gz
 74389b29cec25e8dc068ffc6763a4afbcff516d0eeef4b76e85a2cea46b2d71f 253330 libxslt1.1_1.1.26-14_amd64.deb
 4b543b0c0faeba3811775a1cec64801d2fe92ff358b318c2438d6952c60d53f9 651078 libxslt1-dev_1.1.26-14_amd64.deb
 d810b8487be15b12e4c96266b71cd4f4480a28e318bd65841f559af119d2a1d5 503204 libxslt1-dbg_1.1.26-14_amd64.deb
 b13479bdcf91731f5dd9bc07ca8640729014c2969a32a404dfae610656d97746 116790 xsltproc_1.1.26-14_amd64.deb
 6110c78b69242128b9a36a3fa84ac32ad29ffa85d208ca5d9b2725cf91448b53 171472 python-libxslt1_1.1.26-14_amd64.deb
 31bb7bdfdcb05ac392b5e9f2a02a69b491a5f11b06e375a6ad5ba4830299c442 410756 python-libxslt1-dbg_1.1.26-14_amd64.deb
Files: 
 7ee74477da15abc287cfd191de5b70ae 1970 text optional libxslt_1.1.26-14.dsc
 3cae538053d531be48cdd8971bc7946c 37851 text optional libxslt_1.1.26-14.debian.tar.gz
 5f1b848f0ddfb7e98eebb3d88a85519b 253330 libs optional libxslt1.1_1.1.26-14_amd64.deb
 8e67330a919e722b138cfeb03e631a28 651078 libdevel optional libxslt1-dev_1.1.26-14_amd64.deb
 de9180eaa64ab4cc3ba25fe4114659bf 503204 debug extra libxslt1-dbg_1.1.26-14_amd64.deb
 da925bfd79ec910a4d4e83123a10e891 116790 text optional xsltproc_1.1.26-14_amd64.deb
 557a5f150a33ae6a9d1d714d0bdff054 171472 python optional python-libxslt1_1.1.26-14_amd64.deb
 6422e2645e23705c823b295f31ad1892 410756 debug extra python-libxslt1-dbg_1.1.26-14_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQEcBAEBAgAGBQJQayGjAAoJEIAhAkTu07wNLuYIALeXWQziA09BHOFmOnyPx7sz
hVEfcG8JWEzWy743uL/WChHj2jek/QzDoIrhYh4fBEbr0X352ugJ3LrzsOBMAFoG
fbjLxSA7EINjjSYqf8dNYMcCyDI6SatMd9X6diFHmzY6jhjer8MFat5EjXEOarDl
E3UGkyA5RCERPhwJupplHXQ4Kz7K17K5GUXNLO+5U+TJCLfuYGn/c9stSJbfLsws
7SL7E/Vj2q/bclzUMRLh69xvTOts+xlfaQQIycaLk7kGR/KhYlLuiebsL+SIRpkY
H2b3yZPUtNtDqt5GkX9HAaaWLHVFE9RCoQQZmj1Hs6fzc21dk+FFGhB+1FHVQ4A=
=gSVz
-----END PGP SIGNATURE-----




Reply sent to Aron Xu <aron@debian.org>:
You have taken responsibility. (Fri, 12 Oct 2012 14:51:15 GMT)


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Fri, 12 Oct 2012 14:51:15 GMT)


Message #15 received at 689422-close@bugs.debian.org:

From: Aron Xu <aron@debian.org>
To: 689422-close@bugs.debian.org
Subject: Bug#689422: fixed in libxslt 1.1.26-6+squeeze2
Date: Fri, 12 Oct 2012 14:48:25 +0000
Source: libxslt
Source-Version: 1.1.26-6+squeeze2

We believe that the bug you reported is fixed in the latest version of
libxslt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 689422@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Aron Xu <aron@debian.org> (supplier of updated libxslt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 03 Oct 2012 00:02:59 +0800
Source: libxslt
Binary: libxslt1.1 libxslt1-dev libxslt1-dbg xsltproc python-libxslt1 python-libxslt1-dbg
Architecture: source amd64
Version: 1.1.26-6+squeeze2
Distribution: stable-security
Urgency: high
Maintainer: Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>
Changed-By: Aron Xu <aron@debian.org>
Description: 
 libxslt1-dbg - XSLT 1.0 processing library - debugging symbols
 libxslt1-dev - XSLT 1.0 processing library - development kit
 libxslt1.1 - XSLT 1.0 processing library - runtime library
 python-libxslt1 - Python bindings for libxslt1
 python-libxslt1-dbg - Python bindings for libxslt1 (debug extension)
 xsltproc   - XSLT 1.0 command line processor
Closes: 689422
Changes: 
 libxslt (1.1.26-6+squeeze2) stable-security; urgency=high
 .
   * Patch to fix three CVEs (Closes: #689422):
     - CVE-2012-2870 by Daniel Veillard and Chris Evans
     - CVE-2012-2871 by Daniel Veillard
     - CVE-2012-2893 by Chris Evans
Checksums-Sha1: 
 f0651c3b985a6ca2df9df4adbfd93d0ef53c59ba 1770 libxslt_1.1.26-6+squeeze2.dsc
 69f74df8228b504a87e2b257c2d5238281c65154 3401513 libxslt_1.1.26.orig.tar.gz
 fa20858fdb130e66742f5cfbd6596ba9baa17c92 97452 libxslt_1.1.26-6+squeeze2.diff.gz
 f31c115ccc97fc4fa5bf724cddd004611164b3a7 248946 libxslt1.1_1.1.26-6+squeeze2_amd64.deb
 176834cf616780e8924267b143e5acc008b47cf7 635718 libxslt1-dev_1.1.26-6+squeeze2_amd64.deb
 6c0e046a4a134f481bd715d2140207c00a22f93e 370502 libxslt1-dbg_1.1.26-6+squeeze2_amd64.deb
 432d8519cee8fc61ca902769b9813bf558522183 115830 xsltproc_1.1.26-6+squeeze2_amd64.deb
 b0ad42fe8c093388c9eb6304beb3404f0b9ddfa5 168748 python-libxslt1_1.1.26-6+squeeze2_amd64.deb
 ef10a0477d9388dd17bb0b4843e38fcb824119cc 372402 python-libxslt1-dbg_1.1.26-6+squeeze2_amd64.deb
Checksums-Sha256: 
 2247542e2457c9ebb360538c0a00add793a50f7f9afed2acfe734dd1344d4c70 1770 libxslt_1.1.26-6+squeeze2.dsc
 55dd52b42861f8a02989d701ef716d6280bfa02971e967c285016f99c66e3db1 3401513 libxslt_1.1.26.orig.tar.gz
 373de7249cb2689d3ba02969dba20635762967987d87af56f3845cf5cb70d3a4 97452 libxslt_1.1.26-6+squeeze2.diff.gz
 8d0db3f60fc8b67efbf63a9806440df21a90d738a2a73e8ae5711b8973fdbb11 248946 libxslt1.1_1.1.26-6+squeeze2_amd64.deb
 bf23293eb4de98a28704cc496fb42b0dedf45cb4db8af0c7e983203b8ecf7962 635718 libxslt1-dev_1.1.26-6+squeeze2_amd64.deb
 f4ab731590cbff663dbe81c81276664831e5e82945a6340400a11b4a5087081c 370502 libxslt1-dbg_1.1.26-6+squeeze2_amd64.deb
 dcdcbdc4a76dcdb1258cff2ccf41ebef80cef7f00de16aa99a6f5cc2fb4aa9fd 115830 xsltproc_1.1.26-6+squeeze2_amd64.deb
 a15d3f7f4de8902b69cd5091c990f4c0ea85bc04805ac86e6cbcee98e08da646 168748 python-libxslt1_1.1.26-6+squeeze2_amd64.deb
 a3f7eb5fd72e4977c2b16c32ad56da021e744b5a9405773bd534ed8221e92810 372402 python-libxslt1-dbg_1.1.26-6+squeeze2_amd64.deb
Files: 
 f9303ee79578870ae3b4d8c7fa61771b 1770 text optional libxslt_1.1.26-6+squeeze2.dsc
 e61d0364a30146aaa3001296f853b2b9 3401513 text optional libxslt_1.1.26.orig.tar.gz
 039b45993dbc2682266f379cd1a5dbdf 97452 text optional libxslt_1.1.26-6+squeeze2.diff.gz
 77882d6694c61c006df6f373b249207b 248946 libs optional libxslt1.1_1.1.26-6+squeeze2_amd64.deb
 4f001754dd803497def0eb723c4b447a 635718 libdevel optional libxslt1-dev_1.1.26-6+squeeze2_amd64.deb
 9d83601b4a49a4ca14307fcf31a1ecc2 370502 debug extra libxslt1-dbg_1.1.26-6+squeeze2_amd64.deb
 73947f71ba88e618ca65fa1c4397b153 115830 text optional xsltproc_1.1.26-6+squeeze2_amd64.deb
 756254b3c11b61ea5ed5d1cb0b9f5196 168748 python optional python-libxslt1_1.1.26-6+squeeze2_amd64.deb
 a34cb05757eff9258047d00e55039b8d 372402 debug extra python-libxslt1-dbg_1.1.26-6+squeeze2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQEcBAEBAgAGBQJQbeYIAAoJEIAhAkTu07wNDRYH/iDkjfgnZocjd+M+we8YOYp2
YQbiuYP8lJa+xGr/CCOtXIXcn2KXwiNxidXQkNg5QGg8Aienfjq6RB4sXmI2pF8G
IYolvljERNpYXc9tGNV6REcnPgz3a8x8SAAAw6IUAVpQ84TIyH516XG42y9m4+Xs
5SC1IWprlOz1k//MjzG6Wm6rw1FUIk3vT/to59WL30ZdbtmEUV1I9UrF+bCspfl9
QulY7QNzqsJasvfiKTT8FIqFL/B09BuHRFJQtjnHPJJPYwGtrnczeoBw9QFYhbic
8yLSejGS4vlMYqfIxZqdSVIT45/1QVHxsLUj320wuhETE+nGKYqD30gTnhmbca0=
=c2EX
-----END PGP SIGNATURE-----
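Both close messages above (1.1.26-14 for unstable and 1.1.26-6+squeeze2 for stable-security) attach a signed .changes file whose Checksums-Sha1, Checksums-Sha256 and Files stanzas list each uploaded artifact as "<digest> <size> <filename>". The following Python verifier is an added example and is not part of this bug log, of the Debian archive tooling, or of libxslt: it parses a Checksums-Sha256 stanza in that layout and checks downloaded files against it by size and digest. The CHANGES_EXCERPT constant is copied verbatim from the 1.1.26-14 .changes above; the SAMPLE_FILES contents are constructed stand-ins (they are not real .deb files) so the script runs offline, and build_sample_changes is a helper invented here to produce a matching stanza for them.

```python
"""Verify files against the Checksums-Sha256 stanza of a Debian .changes file.

Added example: parses the "<hexdigest> <size> <filename>" continuation lines
that follow a Checksums-* field, then checks each named file by size and
SHA-256. It does not verify the PGP signature on the .changes file; run
`gpg --verify` (or dscverify) on the file first, since the checksum list is
only as trustworthy as the signature covering it.
"""
import hashlib
import hmac
import re
from typing import Dict, Tuple

# Copied from the libxslt 1.1.26-14 .changes attachment above (excerpt only).
CHANGES_EXCERPT = """\
Checksums-Sha256: 
 e77009e62840eeb9f46319d9198bca9e0df74dc94690dffcc8e268e89da93c14 1970 libxslt_1.1.26-14.dsc
 085fcf7edb0f929b5f189e9e77e50a0b3ea4f76dcdc4fad5889163bfc07802a3 37851 libxslt_1.1.26-14.debian.tar.gz
 74389b29cec25e8dc068ffc6763a4afbcff516d0eeef4b76e85a2cea46b2d71f 253330 libxslt1.1_1.1.26-14_amd64.deb
 4b543b0c0faeba3811775a1cec64801d2fe92ff358b318c2438d6952c60d53f9 651078 libxslt1-dev_1.1.26-14_amd64.deb
 d810b8487be15b12e4c96266b71cd4f4480a28e318bd65841f559af119d2a1d5 503204 libxslt1-dbg_1.1.26-14_amd64.deb
 b13479bdcf91731f5dd9bc07ca8640729014c2969a32a404dfae610656d97746 116790 xsltproc_1.1.26-14_amd64.deb
 6110c78b69242128b9a36a3fa84ac32ad29ffa85d208ca5d9b2725cf91448b53 171472 python-libxslt1_1.1.26-14_amd64.deb
 31bb7bdfdcb05ac392b5e9f2a02a69b491a5f11b06e375a6ad5ba4830299c442 410756 python-libxslt1-dbg_1.1.26-14_amd64.deb
Files: 
 7ee74477da15abc287cfd191de5b70ae 1970 text optional libxslt_1.1.26-14.dsc
"""

# Constructed stand-ins for downloaded artifacts (not real .deb contents).
SAMPLE_FILES: Dict[str, bytes] = {
    "libxslt1.1_1.1.26-14_amd64.deb": b"not a real .deb, constructed for the example\n",
    "xsltproc_1.1.26-14_amd64.deb": b"another constructed stand-in\n",
}

_ENTRY = re.compile(r"\s*([0-9a-fA-F]+)\s+(\d+)\s+(\S+)\s*$")


def parse_checksums(changes_text: str, field: str = "Checksums-Sha256") -> Dict[str, Tuple[str, int]]:
    """Return {filename: (hexdigest, size)} for one Checksums-* field.

    The field name sits on its own line; each following line that starts with
    whitespace is one entry; the stanza ends at the first unindented line
    (e.g. "Files:"). Other fields such as Checksums-Sha1 are ignored.
    """
    entries: Dict[str, Tuple[str, int]] = {}
    in_field = False
    for line in changes_text.splitlines():
        if line.startswith(field + ":"):
            in_field = True
            continue
        if not in_field:
            continue
        if not line.startswith((" ", "\t")):
            break
        m = _ENTRY.match(line)
        if m is None:
            raise ValueError("malformed checksum line: %r" % line)
        entries[m.group(3)] = (m.group(1).lower(), int(m.group(2)))
    return entries


def verify_all(changes_text: str, files: Dict[str, bytes]) -> Dict[str, bool]:
    """Check every listed file: present, exact size, and matching SHA-256."""
    results: Dict[str, bool] = {}
    for name, (digest, size) in parse_checksums(changes_text).items():
        data = files.get(name)
        if data is None:
            results[name] = False  # listed in .changes but not downloaded
            continue
        actual = hashlib.sha256(data).hexdigest()
        # Size check first (cheap), then constant-time digest comparison.
        results[name] = len(data) == size and hmac.compare_digest(actual, digest)
    return results


def build_sample_changes(files: Dict[str, bytes]) -> str:
    """Helper invented for this example: emit a stanza matching `files`."""
    lines = ["Format: 1.8", "Source: libxslt", "Checksums-Sha256: "]
    for name, data in sorted(files.items()):
        lines.append(" %s %d %s" % (hashlib.sha256(data).hexdigest(), len(data), name))
    lines.append("Files: ")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(parse_checksums(CHANGES_EXCERPT)["libxslt1.1_1.1.26-14_amd64.deb"])
    print(verify_all(build_sample_changes(SAMPLE_FILES), SAMPLE_FILES))
```

The size check catches truncated or padded downloads before hashing, and a same-length byte flip is caught by the digest comparison. Against the real archive you would first confirm the .changes signature with gpg, then run verify_all over the .deb and .dsc files fetched from the pool; a False for any entry means the artifact should not be installed.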




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Feb 2013 07:26:29 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:01:21 2019; Machine Name: buxtehude
