Ubuntu has issued an advisory on April 15: https://usn.ubuntu.com/3947-1/

Mageia 6 is also affected.
Whiteboard: (none) => MGA6TOO
Assigning to our registered libxslt maintainer.
Assignee: bugsquad => shlomif
CC: (none) => marja11
Critical severity issue according to: https://www.openwall.com/lists/oss-security/2019/04/23/5
Severity: major => critical
libxslt-1.1.33-2.mga7 uploaded for Cauldron by Shlomi to fix this.
Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
Patched package uploaded by Shlomi for Mageia 6.

Advisory:
========================

Updated libxslt packages fix security vulnerability:

libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded (CVE-2019-11068).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11068
https://usn.ubuntu.com/usn/usn-3947-1
========================

Updated packages in core/updates_testing:
========================
xsltproc-1.1.29-6.mga6
libxslt1-1.1.29-6.mga6
python-libxslt-1.1.29-6.mga6
libxslt-devel-1.1.29-6.mga6

from libxslt-1.1.29-6.mga6.src.rpm
CC: (none) => shlomif
Assignee: shlomif => qa-bugs
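The bypass described in the advisory above comes down to a tri-state return value (1 allowed, 0 denied, -1 error) being tested as if it were a boolean. The C program below is an added illustration written for this page, not libxslt's code: check_read() is a hypothetical stand-in for xsltCheckRead() that keeps the same 1/0/-1 convention, and the two loader functions place the caller pattern that treated only 0 as a refusal next to the fail-closed form that also refuses on -1. The policy (only file: URLs under /srv/xsl are readable) and the sample URLs are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Tri-state result in the style of libxslt's security framework:
 *  1 = access allowed, 0 = access denied, -1 = error (check could not run) */
enum { SEC_ALLOW = 1, SEC_DENY = 0, SEC_ERROR = -1 };

/* Hypothetical policy check standing in for xsltCheckRead(). Only file:
 * URLs below /srv/xsl/ are readable. A URL this crude parser cannot
 * classify (no "://" separator) makes the check *fail* with -1 instead
 * of denying; that is the case a caller must not mistake for "allowed". */
int check_read(const char *url)
{
    if (strstr(url, "://") == NULL)
        return SEC_ERROR;                    /* could not classify the URL */
    if (strncmp(url, "file://", 7) != 0)
        return SEC_DENY;                     /* remote schemes never allowed here */
    return strncmp(url + 7, "/srv/xsl/", 9) == 0 ? SEC_ALLOW : SEC_DENY;
}

/* Vulnerable caller pattern: only an explicit 0 counts as a refusal, so
 * the -1 error path falls through and the document gets loaded.
 * Returns 1 if the document would be loaded, 0 if refused. */
int load_document_vulnerable(const char *url)
{
    if (check_read(url) == 0)
        return 0;
    return 1;
}

/* Fixed caller pattern: anything that is not a positive "allowed" result,
 * the error code included, is treated as a refusal (fail closed). */
int load_document_fixed(const char *url)
{
    if (check_read(url) <= 0)
        return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample URLs: allowed, denied, and one the check cannot classify. */
    const char *urls[] = {
        "file:///srv/xsl/ok.xsl",
        "http://attacker.example/x.xsl",
        "/srv/xsl/local.xsl",
    };
    for (size_t i = 0; i < sizeof urls / sizeof urls[0]; i++)
        printf("%-32s check=%2d vulnerable=%d fixed=%d\n", urls[i],
               check_read(urls[i]), load_document_vulnerable(urls[i]),
               load_document_fixed(urls[i]));
    return 0;
}
```

The third URL is the interesting row: the check returns -1, the vulnerable caller loads it, the fixed caller refuses it. The general lesson for any three-valued security API is to compare against the single success value rather than against the single failure value.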
The package version of the mga6 updates is the same as the previous packages. Shouldn't the release be bumped up? Otherwise it will not show up in the updates.

$ rpm -qi xsltproc | egrep "Name|Version|Release|Build Date|Source|Arch"
Name        : xsltproc
Version     : 1.1.29
Release     : 6.mga6
Architecture: x86_64
Source RPM  : libxslt-1.1.29-6.mga6.src.rpm
Build Date  : Sex 26 Mai 2017 07:56:20 WEST
CC: (none) => mageia
Using the QArepo tool, the listed versions appear in the updates. I can also confirm that the packages are in the regular repo. I ran the tests from the wiki to be sure all is still OK, but this update bug seems rather useless if no real updates are in it. OK-ing it might just make it disappear from the list, but is that what is needed?
CC: (none) => herman.viaene
The xsltproc package in the "core updates testing" repository and the xsltproc package in the "core release" repository have the same version+release. Because of that, the update is not showing when updating the system. The release needs to be bumped up.

$ wget --quiet 'http://ftp.free.fr/mirrors/mageia.org/distrib/6/x86_64/media/core/updates_testing/xsltproc-1.1.29-6.mga6.x86_64.rpm'
$ rpm -qip xsltproc-1.1.29-6.mga6.x86_64.rpm .cache/ vbox/ xsltproc-1.1.29-6.mga6.x86_64.rpm
$ rpm -qip xsltproc-1.1.29-6.mga6.x86_64.rpm
Name        : xsltproc
Version     : 1.1.29
Release     : 6.mga6
Architecture: x86_64
Install Date: (not installed)
Group       : System/Libraries
Size        : 27084
License     : MIT
Signature   : RSA/SHA256, Qui 25 Abr 2019 18:37:54 WEST, Key ID b742fa8b80420f66
Source RPM  : libxslt-1.1.29-6.mga6.src.rpm
Build Date  : Qui 25 Abr 2019 18:35:59 WEST
Build Host  : localhost
Relocations : (not relocatable)
Packager    : shlomif <shlomif>
Vendor      : Mageia.Org
URL         : http://xmlsoft.org/XSLT/
Summary     : XSLT processor using libxslt
Description :
This package provides an XSLT processor based on the libxslt C library.
It allows to transform XML files into other XML files (or HTML, text, ...) using the standard XSLT stylesheet transformation mechanism.

$ wget --quiet 'http://ftp.free.fr/mirrors/mageia.org/distrib/6/x86_64/media/core/release/xsltproc-1.1.29-6.mga6.x86_64.rpm'
$ rpm -qip xsltproc-1.1.29-6.mga6.x86_64.rpm.1
Name        : xsltproc
Version     : 1.1.29
Release     : 6.mga6
Architecture: x86_64
Install Date: (not installed)
Group       : System/Libraries
Size        : 27076
License     : MIT
Signature   : RSA/SHA1, Sex 26 Mai 2017 08:10:38 WEST, Key ID b742fa8b80420f66
Source RPM  : libxslt-1.1.29-6.mga6.src.rpm
Build Date  : Sex 26 Mai 2017 07:56:20 WEST
Build Host  : rabbit.mageia.org
Relocations : (not relocatable)
Packager    : neoclust <neoclust>
Vendor      : Mageia.Org
URL         : http://xmlsoft.org/XSLT/
Summary     : XSLT processor using libxslt
Description :
This package provides an XSLT processor based on the libxslt C library.
It allows to transform XML files into other XML files (or HTML, text, ...) using the standard XSLT stylesheet transformation mechanism.
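Why the identical version-release hid the update: a package manager only offers a candidate whose epoch:version-release compares greater than what is installed, and that comparison is done segment by segment, not on build date or signature. As an added example for this page (not part of the ticket, of rpm, or of Mageia's tooling), the C functions below reimplement rpm's rpmvercmp() rule (numeric segments compared by value, alphabetic ones lexically, a numeric segment beating an alphabetic one, "~" sorting before anything and "^" after end-of-string) and apply it to the release strings from this thread. In production use rpm's own rpmvercmp() rather than a re-implementation; this one exists only to show what the comparison actually looks at.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Compare two RPM version or release strings segment-wise, following the
 * rules of rpm's rpmvercmp(). Returns -1 if a < b, 0 if equal, 1 if a > b. */
int segcmp(const char *a, const char *b)
{
    if (strcmp(a, b) == 0)
        return 0;
    while (*a || *b) {
        /* separators (".", "-", "_", ...) are skipped; they never count */
        while (*a && !isalnum((unsigned char)*a) && *a != '~' && *a != '^') a++;
        while (*b && !isalnum((unsigned char)*b) && *b != '~' && *b != '^') b++;
        /* "~" sorts before anything, even the end of the string (1.0~rc1 < 1.0) */
        if (*a == '~' || *b == '~') {
            if (*a != '~') return 1;
            if (*b != '~') return -1;
            a++; b++;
            continue;
        }
        /* "^" sorts after end-of-string but before any other segment */
        if (*a == '^' || *b == '^') {
            if (!*a) return -1;
            if (!*b) return 1;
            if (*a != '^') return 1;
            if (*b != '^') return -1;
            a++; b++;
            continue;
        }
        if (!(*a && *b))
            break;
        /* the segment type is decided by the first string: digits or letters */
        int isnum = isdigit((unsigned char)*a) != 0;
        size_t la = 0, lb = 0;
        if (isnum) {
            while (isdigit((unsigned char)a[la])) la++;
            while (isdigit((unsigned char)b[lb])) lb++;
        } else {
            while (isalpha((unsigned char)a[la])) la++;
            while (isalpha((unsigned char)b[lb])) lb++;
        }
        if (lb == 0)                 /* type mismatch: the numeric side is newer */
            return isnum ? 1 : -1;
        if (isnum) {                 /* numeric: strip leading zeros, longer is larger */
            while (la > 0 && *a == '0') { a++; la--; }
            while (lb > 0 && *b == '0') { b++; lb--; }
            if (la > lb) return 1;
            if (lb > la) return -1;
        }
        size_t n = la < lb ? la : lb;
        int rc = strncmp(a, b, n);   /* same length numerics, or alpha prefix compare */
        if (rc) return rc < 0 ? -1 : 1;
        if (la != lb) return la < lb ? -1 : 1;
        a += la;
        b += lb;
    }
    if (!*a && !*b)
        return 0;
    return *a ? 1 : -1;              /* the string with segments left over is newer */
}

/* Compare epoch:version-release triples the way an updater decides whether
 * a candidate package is newer than the installed one. */
int evrcmp(int e1, const char *v1, const char *r1,
           int e2, const char *v2, const char *r2)
{
    if (e1 != e2)
        return e1 < e2 ? -1 : 1;
    int rc = segcmp(v1, v2);
    if (rc)
        return rc;
    return segcmp(r1, r2);
}

int main(void)
{
    /* Release strings taken from this ticket, constructed inline. */
    printf("6.mga6   vs 6.mga6 -> %2d (identical: nothing to offer)\n", segcmp("6.mga6", "6.mga6"));
    printf("6.1.mga6 vs 6.mga6 -> %2d (bumped release: update offered)\n", segcmp("6.1.mga6", "6.mga6"));
    printf("1.1.29   vs 1.1.33 -> %2d\n", segcmp("1.1.29", "1.1.33"));
    return 0;
}
```

The first two lines of output are exactly the situation in this thread: the rebuilt 1.1.29-6.mga6 compares equal to the released 1.1.29-6.mga6, so no updater will pick it up regardless of its newer build date and SHA256 signature, while 1.1.29-6.1.mga6 compares greater because the extra "1" segment is numeric and the release side has only the alphabetic "mga" left at that position.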
libxslt-1.1.29-6.1.mga6.src.rpm building now.
Installed and tested without issues.

Tested using: chromium browser, php-xsl, xsltproc, tellico, inkscape, parley. The xslt libs are also directly or indirectly used by a bunch of other packages on the system and no regressions were noticed.

System: Mageia 6, x86_64, Plasma DE; LXQt DE, Intel CPU, nVidia GPU using nvidia340 proprietary driver.

$ uname -a
Linux marte 4.14.106-desktop-1.mga6 #1 SMP Thu Mar 14 18:01:29 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

$ rpm -qa | grep xslt.*1.1.29 | sort
lib64xslt1-1.1.29-6.1.mga6
libxslt1-1.1.29-6.1.mga6
xsltproc-1.1.29-6.1.mga6
Whiteboard: (none) => MGA6-64-OK
Is anything else needed to push this update forward?
Advisory committed to svn. Validating the update.
Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0175.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED