Vulnerability CVE-2019-11068: Information
Description
libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded.
Severity: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Fixed packages
Package name | Branch | Fixed in version | Version from repository | Errata ID | Task # | State |
|---|---|---|---|---|---|---|
| libxslt | sisyphus | 1.1.33-alt2 | 1.1.39-alt1 | ALT-PU-2019-2688-1 | 237506 | Fixed |
| libxslt | p10 | 1.1.33-alt2 | 1.1.34-alt3 | ALT-PU-2019-2688-1 | 237506 | Fixed |
| libxslt | p9 | 1.1.34-alt1.p9.1 | 1.1.34-alt1.p9.1 | ALT-PU-2020-3348-1 | 261811 | Fixed |
| libxslt | c10f1 | 1.1.33-alt2 | 1.1.37-alt1 | ALT-PU-2019-2688-1 | 237506 | Fixed |
| libxslt | c9f2 | 1.1.34-alt1.p9.1 | 1.1.34-alt3 | ALT-PU-2020-3302-1 | 261812 | Fixed |
| libxslt | p11 | 1.1.33-alt2 | 1.1.39-alt1 | ALT-PU-2019-2688-1 | 237506 | Fixed |
References to Advisories, Solutions, and Tools
Hyperlink | Resource |
|---|---|
| https://gitlab.gnome.org/GNOME/libxslt/commit/e03553605b45c88f0b4b2980adfbbb8f6fca2fd6 |
|
| [debian-lts-announce] 20190415 [SECURITY] [DLA 1756-1] libxslt security update |
|
| USN-3947-2 |
|
| [oss-security] 20190422 Nokogiri security update v1.10.3 |
|
| USN-3947-1 |
|
| [oss-security] 20190423 Re: Nokogiri security update v1.10.3 |
|
| openSUSE-SU-2019:1433 |
|
| openSUSE-SU-2019:1430 |
|
| openSUSE-SU-2019:1428 |
|
| openSUSE-SU-2019:1527 |
|
| openSUSE-SU-2019:1824 |
|
| https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html |
|
| https://security.netapp.com/advisory/ntap-20191017-0001/ |
|
| FEDORA-2019-e21c77ffae | |
| FEDORA-2019-320d5295fc | |
| FEDORA-2019-e74d639587 |