| Summary: | libxslt new security issue CVE-2019-11068 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | davidwhodgins, herman.viaene, mageia, marja11, shlomif, sysadmin-bugs |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA6-64-OK | ||
| Source RPM: | libxslt-1.1.33-1.mga7.src.rpm | CVE: | |
| Status comment: | |||
Description

David Walser 2019-04-22 23:23:57 CEST

David Walser 2019-04-22 23:24:03 CEST

    Whiteboard: (none) => MGA6TOO

Assigning to our registered libxslt maintainer.

    Assignee: bugsquad => shlomif

Critical severity issue according to:
https://www.openwall.com/lists/oss-security/2019/04/23/5

    Severity: major => critical

libxslt-1.1.33-2.mga7 uploaded for Cauldron by Shlomi to fix this.

    Version: Cauldron => 6

Patched package uploaded by Shlomi for Mageia 6.

Advisory:
========================

Updated libxslt packages fix security vulnerability:

libxslt through 1.1.33 allows bypass of a protection mechanism because
callers of xsltCheckRead and xsltCheckWrite permit access even upon
receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL
that is not actually invalid and is subsequently loaded (CVE-2019-11068).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11068
https://usn.ubuntu.com/usn/usn-3947-1
========================

Updated packages in core/updates_testing:
========================
xsltproc-1.1.29-6.mga6
libxslt1-1.1.29-6.mga6
python-libxslt-1.1.29-6.mga6
libxslt-devel-1.1.29-6.mga6

from libxslt-1.1.29-6.mga6.src.rpm

    CC: (none) => shlomif

The package version of the mga6 updates is the same as the previous
packages. Shouldn't release be bumped up? Otherwise it will not show up
in the updates.

$ rpm -qi xsltproc | egrep "Name|Version|Release|Build Date|Source|Arch"
Name        : xsltproc
Version     : 1.1.29
Release     : 6.mga6
Architecture: x86_64
Source RPM  : libxslt-1.1.29-6.mga6.src.rpm
Build Date  : Sex 26 Mai 2017 07:56:20 WEST

    CC: (none) => mageia

Using the QArepo tool, the listed versions appear in the updates. I can
also confirm that the packages are also in the regular repo. I ran the
tests from the wiki to be sure all is still OK, but this update bug seems
rather useless if no real updates are in it. OK it, might just make it
disappear from the list, but is that what is needed????

    CC: (none) => herman.viaene

The xsltproc package in the "core updates testing" repository and the
xsltproc package in the "core release" repository have the same
version+release. Because of that, the update is not showing when updating
the system. The release needs to be bumped up.

$ wget --quiet 'http://ftp.free.fr/mirrors/mageia.org/distrib/6/x86_64/media/core/updates_testing/xsltproc-1.1.29-6.mga6.x86_64.rpm'
$ rpm -qip xsltproc-1.1.29-6.mga6.x86_64.rpm
Name        : xsltproc
Version     : 1.1.29
Release     : 6.mga6
Architecture: x86_64
Install Date: (not installed)
Group       : System/Libraries
Size        : 27084
License     : MIT
Signature   : RSA/SHA256, Qui 25 Abr 2019 18:37:54 WEST, Key ID b742fa8b80420f66
Source RPM  : libxslt-1.1.29-6.mga6.src.rpm
Build Date  : Qui 25 Abr 2019 18:35:59 WEST
Build Host  : localhost
Relocations : (not relocatable)
Packager    : shlomif <shlomif>
Vendor      : Mageia.Org
URL         : http://xmlsoft.org/XSLT/
Summary     : XSLT processor using libxslt
Description :
This package provides an XSLT processor based on the libxslt C library.
It allows to transform XML files into other XML files (or HTML, text, ...)
using the standard XSLT stylesheet transformation mechanism.
$ wget --quiet 'http://ftp.free.fr/mirrors/mageia.org/distrib/6/x86_64/media/core/release/xsltproc-1.1.29-6.mga6.x86_64.rpm'
$ rpm -qip xsltproc-1.1.29-6.mga6.x86_64.rpm.1
Name        : xsltproc
Version     : 1.1.29
Release     : 6.mga6
Architecture: x86_64
Install Date: (not installed)
Group       : System/Libraries
Size        : 27076
License     : MIT
Signature   : RSA/SHA1, Sex 26 Mai 2017 08:10:38 WEST, Key ID b742fa8b80420f66
Source RPM  : libxslt-1.1.29-6.mga6.src.rpm
Build Date  : Sex 26 Mai 2017 07:56:20 WEST
Build Host  : rabbit.mageia.org
Relocations : (not relocatable)
Packager    : neoclust <neoclust>
Vendor      : Mageia.Org
URL         : http://xmlsoft.org/XSLT/
Summary     : XSLT processor using libxslt
Description :
This package provides an XSLT processor based on the libxslt C library.
It allows to transform XML files into other XML files (or HTML, text, ...)
using the standard XSLT stylesheet transformation mechanism.

libxslt-1.1.29-6.1.mga6.src.rpm building now.

Installed and tested without issues.

Tested using: chromium browser, php-xsl, xsltproc, tellico, inkscape,
parley. The xslt libs are also directly or indirectly used by a bunch of
other packages on the system and no regressions were noticed.

System: Mageia 6, x86_64, Plasma DE; LXQt DE, Intel CPU, nVidia GPU using
nvidia340 proprietary driver.

$ uname -a
Linux marte 4.14.106-desktop-1.mga6 #1 SMP Thu Mar 14 18:01:29 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

$ rpm -qa | grep xslt.*1.1.29 | sort
lib64xslt1-1.1.29-6.1.mga6
libxslt1-1.1.29-6.1.mga6
xsltproc-1.1.29-6.1.mga6

    Whiteboard: (none) => MGA6-64-OK

Is anything else needed to push this update forward?

Advisory committed to svn. Validating the update.

    Keywords: (none) => advisory, validated_update

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2019-0175.html

    Resolution: (none) => FIXED
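The advisory text in this bug describes the CVE-2019-11068 defect as callers of xsltCheckRead and xsltCheckWrite treating the -1 "error" return the same as the 1 "allowed" return, so a URL the security check fails to parse is still handed to the loader. The C program below is an added illustration of that caller-side mistake; it is not code from libxslt, from this bug report, or from the Mageia packages. It keeps libxslt's documented return convention for the check (1 allowed, 0 denied, -1 error) but everything else is constructed for the example: toy_parse_url is a deliberately strict stand-in for the real URI parser, lenient_loader stands in for the real document loader that accepts more than the parser does, and the two loaders show the pre-fix `== 0` test beside the `<= 0` test that treats any non-positive result as a denial.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Return convention of libxslt's xsltCheckRead/xsltCheckWrite:
 * 1 = access allowed, 0 = access denied, -1 = error (e.g. URL failed to parse). */
#define ACCESS_ALLOWED  1
#define ACCESS_DENIED   0
#define ACCESS_ERROR   -1

/* Toy URL parser, constructed for this example (not libxml2's xmlParseURI).
 * It rejects any URL containing '|', '{', '}' or a space and returns -1,
 * which is the failure path that makes the security check return -1. */
static int toy_parse_url(const char *url, char *scheme, size_t scheme_len,
                         const char **path)
{
    const char *colon = strchr(url, ':');
    if (colon == NULL || (size_t)(colon - url) >= scheme_len)
        return -1;
    for (const char *p = url; *p; p++) {
        if (*p == '|' || *p == '{' || *p == '}' || *p == ' ')
            return -1;            /* "invalid" to the strict parser only */
    }
    memcpy(scheme, url, (size_t)(colon - url));
    scheme[colon - url] = '\0';
    *path = colon + 1;
    return 0;
}

/* Models a read check configured to forbid file reads and allow network reads.
 * Assumed policy for the example; the tri-state return is the part that matters. */
int check_read(const char *url)
{
    char scheme[16];
    const char *path;
    if (toy_parse_url(url, scheme, sizeof scheme, &path) != 0)
        return ACCESS_ERROR;      /* could not parse: neither allowed nor denied */
    if (strcmp(scheme, "file") == 0)
        return ACCESS_DENIED;
    if (strcmp(scheme, "http") == 0 || strcmp(scheme, "https") == 0)
        return ACCESS_ALLOWED;
    return ACCESS_DENIED;
}

/* Stand-in for the real loader, which is more lenient than the strict parser
 * above and will open "file:///etc/passwd|" just as readily as "file:///etc/passwd".
 * Returns 1 when the resource would be loaded. */
static int lenient_loader(const char *url)
{
    return strncmp(url, "file:", 5) == 0 || strncmp(url, "http", 4) == 0;
}

/* Pre-fix caller pattern: only an explicit 0 blocks the load, so -1 falls through. */
int vulnerable_load(const char *url)
{
    if (check_read(url) == 0)
        return 0;                 /* refused */
    return lenient_loader(url);
}

/* Hardened caller pattern: anything that is not a positive "allowed" blocks the load. */
int fixed_load(const char *url)
{
    if (check_read(url) <= 0)
        return 0;                 /* refused, including on error */
    return lenient_loader(url);
}

int main(void)
{
    /* Constructed inputs. The second one is rejected by the strict parser
     * (check returns -1) yet accepted by the lenient loader. */
    const char *urls[] = {
        "file:///etc/passwd",
        "file:///etc/passwd|",
        "https://example.org/x.xsl",
    };
    for (size_t i = 0; i < sizeof urls / sizeof urls[0]; i++)
        printf("%-28s check=%2d vulnerable_load=%d fixed_load=%d\n",
               urls[i], check_read(urls[i]),
               vulnerable_load(urls[i]), fixed_load(urls[i]));
    return 0;
}
```

The point to carry back to any code that wraps a tri-state permission check: compare against the single value that means "allowed", not against the single value that means "denied", so that an error path can never be mistaken for consent.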