Bug 19732 - libxslt new security issue CVE-2016-4738
Summary: libxslt new security issue CVE-2016-4738
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/705815/
Whiteboard: advisory MGA5-32-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2016-11-07 18:40 CET by David Walser
Modified: 2016-11-21 23:18 CET
CC: 5 users

See Also:
Source RPM: libxslt-1.1.29-1.mga5.src.rpm
CVE:
Status comment:



Description David Walser 2016-11-07 18:40:59 CET
Debian-LTS has issued an advisory on November 5:
http://lwn.net/Alerts/705796/
David Walser 2016-11-07 18:41:09 CET

Whiteboard: (none) => MGA5TOO

Comment 1 Marja Van Waes 2016-11-07 19:46:41 CET
Assigning to the registered maintainer

CC: (none) => marja11
Assignee: bugsquad => shlomif

Comment 2 Nicolas Lécureuil 2016-11-15 15:54:02 CET
Fixed on cauldron

CC: (none) => mageia

Comment 3 Nicolas Lécureuil 2016-11-15 16:01:23 CET
Fixed on mga5 too.

Assignee: shlomif => qa-bugs

Comment 4 David Walser 2016-11-15 16:13:07 CET
Advisory:
========================

Updated libxslt packages fix security vulnerability:

A heap overread bug was found in libxslt, which can cause arbitrary code
execution or denial of service (CVE-2016-4738).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4738
https://www.debian.org/security/2016/dsa-3709
========================

Updated packages in core/updates_testing:
========================
xsltproc-1.1.29-1.1.mga5
libxslt1-1.1.29-1.1.mga5
python-libxslt-1.1.29-1.1.mga5
libxslt-devel-1.1.29-1.1.mga5

from libxslt-1.1.29-1.1.mga5.src.rpm

Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)

Dave Hodgins 2016-11-17 21:46:04 CET

CC: (none) => davidwhodgins
Whiteboard: (none) => advisory

Comment 5 Herman Viaene 2016-11-18 10:52:12 CET
MGA5-32 on Acer D620 Xfce
No installation issues
Using at CLI
# urpmq --whatrequires libxslt1
shows a.o. dia
Used strace -o ~/Documenten/libxslt.txt dia, created two squares and a connecting line in dia.
The resulting trace shows 4 calls to libxslt

CC: (none) => herman.viaene
Whiteboard: advisory => advisory MGA5-32-OK
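The two checks behind comments 4 and 5, scripted as an added example that is not part of the bug report or of Mageia's tooling: rpm_vercmp() is a port of rpm's label comparison, so an installed libxslt1 version-release can be tested against the fixed 1.1.29-1.1.mga5 from the advisory, and libxslt_opens() reproduces the strace check by listing the successful opens of the libxslt shared object in a trace log. The strace output and the "installed" versions in the test are constructed for this example.

```python
"""Added example: verify a libxslt update the way QA did here (version check + strace)."""
import re

FIXED_VR = "1.1.29-1.1.mga5"   # version-release of the fixed package, from the advisory


def _segments(label):
    # rpm compares alternating numeric and alphabetic runs; '~' sorts before anything
    return re.findall(r"[0-9]+|[A-Za-z]+|~", label)


def rpm_vercmp(a, b):
    """Return -1, 0 or 1 for one label (version or release), like rpm's rpmvercmp()."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":          # tilde: the side with the tilde is older
            if x != y:
                return -1 if x == "~" else 1
            continue
        if x.isdigit() and y.isdigit():   # numeric runs compare as integers
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() != y.isdigit():  # a numeric run is newer than an alphabetic one
            return 1 if x.isdigit() else -1
        elif x != y:                      # alphabetic runs compare as strings
            return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    # the label with segments left over is newer, unless the leftover starts with '~'
    longer, newer = (sa, 1) if len(sa) > len(sb) else (sb, -1)
    return -newer if longer[min(len(sa), len(sb))] == "~" else newer


def is_fixed(installed_vr, fixed_vr=FIXED_VR):
    """True if an installed 'version-release' is at least the fixed one."""
    va, ra = installed_vr.rsplit("-", 1)
    vb, rb = fixed_vr.rsplit("-", 1)
    return (rpm_vercmp(va, vb) or rpm_vercmp(ra, rb)) >= 0


# Constructed 'strace -f -e trace=openat' output in the style of the dia trace in comment 5
TRACE = """\
4021 openat(AT_FDCWD, "/lib64/libxml2.so.2", O_RDONLY|O_CLOEXEC) = 3
4021 openat(AT_FDCWD, "/lib64/libxslt.so.1", O_RDONLY|O_CLOEXEC) = 3
4021 openat(AT_FDCWD, "/lib64/libexslt.so.0", O_RDONLY|O_CLOEXEC) = 3
4021 openat(AT_FDCWD, "/usr/lib64/libxslt.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
4025 openat(AT_FDCWD, "/lib64/libxslt.so.1", O_RDONLY|O_CLOEXEC) = 5
"""

_OPEN_RE = re.compile(r'open(?:at)?\([^"]*"([^"]*libxslt\.so[^"]*)".*\) = (-?\d+)')


def libxslt_opens(trace):
    """Paths of libxslt shared objects the traced process opened successfully (fd >= 0)."""
    matches = map(_OPEN_RE.search, trace.splitlines())
    return [m.group(1) for m in matches if m and int(m.group(2)) >= 0]
```

Running the real check means substituting `rpm -q --qf '%{VERSION}-%{RELEASE}' libxslt1` for the constructed version and the actual trace file for TRACE.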

Dave Hodgins 2016-11-21 21:53:28 CET

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2016-11-21 23:18:53 CET
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0394.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

