Bug 30767 - libxslt new security issue CVE-2021-30560
Summary: libxslt new security issue CVE-2021-30560
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-08-23 18:11 CEST by David Walser
Modified: 2022-09-21 20:16 CEST
5 users

See Also:
Source RPM: libxslt-1.1.34-2.mga8.src.rpm
CVE: CVE-2021-30560
Status comment:

Description David Walser 2022-08-23 18:11:16 CEST
Ubuntu has issued an advisory on August 22:
https://ubuntu.com/security/notices/USN-5575-1

Mageia 8 is also affected.
David Walser 2022-08-23 18:11:27 CEST

Status comment: (none) => Patch available from Ubuntu
Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2022-08-24 11:03:48 CEST
No obvious packager for this SRPM, so assigning globally.
CC'ing DanF who updated it relatively recently.

Assignee: bugsquad => pkg-bugs
CC: (none) => dan

Comment 2 David Walser 2022-08-25 17:30:31 CEST
Debian has issued an advisory for this on August 24:
https://www.debian.org/security/2022/dsa-5216

Comment 3 Nicolas Salguero 2022-08-29 10:02:12 CEST
Hi,

That CVE is fixed in version 1.1.35 so Cauldron is not affected.

Best regards,

Nico.

CC: (none) => nicolas.salguero
Whiteboard: MGA8TOO => (none)
Assignee: pkg-bugs => nicolas.salguero
Source RPM: libxslt-1.1.35-2.mga9.src.rpm => libxslt-1.1.34-2.mga8.src.rpm
Version: Cauldron => 8

Comment 4 Nicolas Salguero 2022-08-29 13:22:02 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Use after free in Blink XSLT in Google Chrome prior to 91.0.4472.164 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (CVE-2021-30560)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30560
https://ubuntu.com/security/notices/USN-5575-1
https://www.debian.org/security/2022/dsa-5216
========================

Updated packages in core/updates_testing:
========================
lib(64)exslt0-1.1.34-2.1.mga8
lib(64)xslt1-1.1.34-2.1.mga8
lib(64)xslt-devel-1.1.34-2.1.mga8
xsltproc-1.1.34-2.1.mga8

from SRPM:
libxslt-1.1.34-2.1.mga8.src.rpm

Status comment: Patch available from Ubuntu => (none)
Status: NEW => ASSIGNED
CVE: (none) => CVE-2021-30560
Assignee: nicolas.salguero => qa-bugs

Comment 5 Thomas Andrews 2022-09-19 02:27:11 CEST
No installation issues.

Not really sure what I'm doing here, but I attempted to follow the procedure at https://wiki.mageia.org/en/QA_procedure:Libxslt

Seems OK, so I'm letting it go. Validating. Advisory in Comment 4.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: (none) => MGA8-64-OK

Dave Hodgins 2022-09-20 22:23:44 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 6 Mageia Robot 2022-09-21 20:16:55 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0341.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED