ESB-2019.1302 - [Debian] libxslt: Access confidential data - Remote/unauthenticated 2019-04-16


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.1302
              [SECURITY] [DLA 1756-1] libxslt security update
                               16 April 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           libxslt
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-11068

Reference:         ESB-2019.1294

Original Bulletin: 
   https://security-tracker.debian.org/tracker/DLA-1756-1

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package        : libxslt
Version        : 1.1.28-2+deb8u4
CVE ID         : CVE-2019-11068
Debian Bug     : #926895

It was discovered that there was an authentication bypass
vulnerability in libxslt, a widely-used library for transforming
files from XML to other arbitrary formats.

The xsltCheckRead and xsltCheckWrite routines permitted access upon
receiving a -1 error code and (as xsltCheckRead returned -1 for a
specially-crafted URL that is not actually invalid) the attacker was
subsequently authenticated.

For Debian 8 "Jessie", this issue has been fixed in libxslt version
1.1.28-2+deb8u4.

We recommend that you upgrade your libxslt packages.


Regards,

- - -- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-

- -----BEGIN PGP SIGNATURE-----

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------
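The included Debian text describes a fail-open pattern: a tri-state security check returns 1 (allowed), 0 (refused) or -1 (error, such as a URL the parser rejected), and the caller only blocked on 0, so -1 slipped through. The following constructed C example (added here; it is not libxslt source and the check_read, load_document_failopen and load_document_failclosed names are hypothetical stand-ins) shows the vulnerable caller beside the fail-closed form, using a toy "URL with a space is unparseable" rule in place of the real URI parser.

```c
#include <stdio.h>
#include <string.h>

/* Constructed illustration of the CVE-2019-11068 failure mode.
 * Return convention of the tri-state check: 1 allow, 0 refuse, -1 error. */
#define CHECK_ALLOW   1
#define CHECK_REFUSE  0
#define CHECK_ERROR  -1

/* Hypothetical stand-in for xsltCheckRead: reads are allowed only under
 * /trusted/. A URL the toy parser cannot handle (here: one containing a
 * space) yields CHECK_ERROR, mirroring the -1 the real routine returned
 * when URL parsing failed. */
static int check_read(const char *url) {
    if (strchr(url, ' ') != NULL)
        return CHECK_ERROR;
    if (strncmp(url, "/trusted/", 9) == 0)
        return CHECK_ALLOW;
    return CHECK_REFUSE;
}

/* Vulnerable caller: only an explicit refusal (0) stops the read, so the
 * error code -1 falls through and the read proceeds. Returns 1 if the
 * document would be loaded, 0 if blocked. */
int load_document_failopen(const char *url) {
    int ret = check_read(url);
    if (ret == CHECK_REFUSE)
        return 0;
    return 1;
}

/* Fixed caller: anything other than an explicit allow (1) is treated as a
 * refusal, so a parse error fails closed. */
int load_document_failclosed(const char *url) {
    int ret = check_read(url);
    if (ret <= 0)
        return 0;
    return 1;
}

int main(void) {
    /* Constructed sample URL that trips the toy parser but is not under /trusted/. */
    const char *odd_url = "/outside/data file.xml";
    printf("fail-open caller loads it:   %d\n", load_document_failopen(odd_url));
    printf("fail-closed caller loads it: %d\n", load_document_failclosed(odd_url));
    return 0;
}
```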

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
