===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.1302
              [SECURITY] [DLA 1756-1] libxslt security update
                               16 April 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           libxslt
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-11068
Reference:         ESB-2019.1294

Original Bulletin:
   https://security-tracker.debian.org/tracker/DLA-1756-1

--------------------------BEGIN INCLUDED TEXT--------------------

Package        : libxslt
Version        : 1.1.28-2+deb8u4
CVE ID         : CVE-2019-11068
Debian Bug     : #926895

It was discovered that there was an authentication bypass vulnerability
in libxslt, a widely-used library for transforming files from XML to
other arbitrary formats.

The xsltCheckRead and xsltCheckWrite routines permitted access upon
receiving a -1 error code and (as xsltCheckRead returned -1 for a
specially-crafted URL that is not actually invalid) the attacker was
subsequently authenticated.

For Debian 8 "Jessie", this issue has been fixed in libxslt version
1.1.28-2+deb8u4.

We recommend that you upgrade your libxslt packages.

Regards,

Chris Lamb
lamby@debian.org / chris-lamb.co.uk

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================