Bug 20921

Summary: libxslt new security issue CVE-2015-9019
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: herman.viaene, lewyssmith, mageia, marja11, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA5-32-OK MGA5-64-OK advisory
Source RPM: libxslt-1.1.29-5.mga6.src.rpm CVE: CVE-2015-9019
Status comment:

Description David Walser 2017-05-24 12:24:04 CEST 
openSUSE has issued an advisory on May 23:
https://lists.opensuse.org/opensuse-updates/2017-05/msg00079.html

We had previously fixed the other issues, but CVE-2015-9019 is a new one.

The SUSE bug has more information on this:
https://bugzilla.suse.com/show_bug.cgi?id=934119

Mageia 5 is also affected.
David Walser 2017-05-24 12:24:12 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 Nicolas Lécureuil 2017-05-26 08:53:35 CEST 
Fixed in cauldron

Version: Cauldron => 5
CC: (none) => mageia
Whiteboard: MGA5TOO => (none)
CVE: (none) => CVE-2015-9019

Comment 2 Marja Van Waes 2017-05-28 06:07:54 CEST 
Assigning to the registered maintainer.

Assignee: bugsquad => shlomif
CC: (none) => marja11

Comment 3 Nicolas Lécureuil 2017-06-01 23:30:57 CEST 
pushed in updates_testing:

src.rpm:  libxslt-1.1.29-1.3.mga5

Assignee: shlomif => qa-bugs

Comment 4 David Walser 2017-06-02 03:04:46 CEST 
Advisory:
========================

Updated libxslt packages fix security vulnerability:

The libxslt library failed to seed its random number generator, resulting in
predictable random values (CVE-2015-9019).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9019
https://lists.opensuse.org/opensuse-updates/2017-05/msg00079.html
========================

Updated packages in core/updates_testing:
========================
xsltproc-1.1.29-1.3.mga5
libxslt1-1.1.29-1.3.mga5
python-libxslt-1.1.29-1.3.mga5
libxslt-devel-1.1.29-1.3.mga5

from libxslt-1.1.29-1.3.mga5.src.rpm
Comment 5 Herman Viaene 2017-06-05 10:32:01 CEST 
MGA5-32 on Asus A6000VM Xfce
No installation issues
Followed test procedure as per bug 20760 Comment 4 (tx Dave), all tests OK.

Whiteboard: (none) => MGA5-32-OK
CC: (none) => herman.viaene

Lewis Smith 2017-06-09 21:29:50 CEST

CC: (none) => lewyssmith
Whiteboard: MGA5-32-OK => MGA5-32-OK advisory

Comment 6 David Walser 2017-06-10 15:35:42 CEST 
Procedure works fine on Mageia 5 x86_64:
https://wiki.mageia.org/en/QA_procedure:Libxslt

Whiteboard: MGA5-32-OK advisory => MGA5-32-OK MGA5-64-OK advisory

Comment 7 Lewis Smith 2017-06-10 20:47:25 CEST 
Thank you both Herman & David for testing this OK. Am validating it.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 8 Mageia Robot 2017-06-12 09:43:02 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0169.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED