libxslt-devel-1.1.34-3.2 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:11017 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z libxslt-devel-1.1.34-3.2 on GA media These are all security issues fixed in the libxslt-devel-1.1.34-3.2 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-11017 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:11017 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2008-1767/ SUSE CVE CVE-2008-1767 page https://www.suse.com/security/cve/CVE-2015-9019/ SUSE CVE CVE-2015-9019 page https://www.suse.com/security/cve/CVE-2016-4738/ SUSE CVE CVE-2016-4738 page https://www.suse.com/security/cve/CVE-2017-5029/ SUSE CVE CVE-2017-5029 page https://www.suse.com/security/cve/CVE-2019-11068/ SUSE CVE CVE-2019-11068 page https://www.suse.com/security/cve/CVE-2019-13117/ SUSE CVE CVE-2019-13117 page https://www.suse.com/security/cve/CVE-2019-13118/ SUSE CVE CVE-2019-13118 page https://www.suse.com/security/cve/CVE-2019-18197/ SUSE CVE CVE-2019-18197 page openSUSE Tumbleweed libxslt-devel-1.1.34-3.2 libxslt-devel-32bit-1.1.34-3.2 libxslt-tools-1.1.34-3.2 libxslt1-1.1.34-3.2 libxslt1-32bit-1.1.34-3.2 libxslt-devel-1.1.34-3.2 as a component of openSUSE Tumbleweed libxslt-devel-32bit-1.1.34-3.2 as a component of openSUSE Tumbleweed libxslt-tools-1.1.34-3.2 as a component of openSUSE Tumbleweed libxslt1-1.1.34-3.2 as a component of openSUSE Tumbleweed libxslt1-32bit-1.1.34-3.2 as a component of openSUSE Tumbleweed Buffer overflow in pattern.c in libxslt before 1.1.24 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via an XSL style sheet file with a long XSLT "transformation match" condition that triggers a large number of steps. CVE-2008-1767 openSUSE Tumbleweed:libxslt-devel-1.1.34-3.2 openSUSE Tumbleweed:libxslt-devel-32bit-1.1.34-3.2 openSUSE Tumbleweed:libxslt-tools-1.1.34-3.2 openSUSE Tumbleweed:libxslt1-1.1.34-3.2 openSUSE Tumbleweed:libxslt1-32bit-1.1.34-3.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2008-1767.html CVE-2008-1767 https://bugzilla.suse.com/391920 SUSE Bug 391920 In libxslt 1.1.29 and earlier, the EXSLT math.random function was not initialized with a random seed during startup, which could cause usage of this function to produce predictable outputs. CVE-2015-9019 openSUSE Tumbleweed:libxslt-devel-1.1.34-3.2 openSUSE Tumbleweed:libxslt-devel-32bit-1.1.34-3.2 openSUSE Tumbleweed:libxslt-tools-1.1.34-3.2 openSUSE Tumbleweed:libxslt1-1.1.34-3.2 openSUSE Tumbleweed:libxslt1-32bit-1.1.34-3.2 moderate 2.1 AV:L/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-9019.html CVE-2015-9019 https://bugzilla.suse.com/1123130 SUSE Bug 1123130 https://bugzilla.suse.com/934119 SUSE Bug 934119 libxslt in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site. CVE-2016-4738 openSUSE Tumbleweed:libxslt-devel-1.1.34-3.2 openSUSE Tumbleweed:libxslt-devel-32bit-1.1.34-3.2 openSUSE Tumbleweed:libxslt-tools-1.1.34-3.2 openSUSE Tumbleweed:libxslt1-1.1.34-3.2 openSUSE Tumbleweed:libxslt1-32bit-1.1.34-3.2 moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-4738.html CVE-2016-4738 https://bugzilla.suse.com/1005591 SUSE Bug 1005591 https://bugzilla.suse.com/1123130 SUSE Bug 1123130 The xsltAddTextString function in transform.c in libxslt 1.1.29, as used in Blink in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux and 57.0.2987.108 for Android, lacked a check for integer overflow during a size calculation, which allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. CVE-2017-5029 openSUSE Tumbleweed:libxslt-devel-1.1.34-3.2 openSUSE Tumbleweed:libxslt-devel-32bit-1.1.34-3.2 openSUSE Tumbleweed:libxslt-tools-1.1.34-3.2 openSUSE Tumbleweed:libxslt1-1.1.34-3.2 openSUSE Tumbleweed:libxslt1-32bit-1.1.34-3.2 moderate 3.3 AV:L/AC:M/Au:N/C:N/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-5029.html CVE-2017-5029 https://bugzilla.suse.com/1028848 SUSE Bug 1028848 https://bugzilla.suse.com/1028875 SUSE Bug 1028875 https://bugzilla.suse.com/1035905 SUSE Bug 1035905 https://bugzilla.suse.com/1123130 SUSE Bug 1123130 libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded. CVE-2019-11068 openSUSE Tumbleweed:libxslt-devel-1.1.34-3.2 openSUSE Tumbleweed:libxslt-devel-32bit-1.1.34-3.2 openSUSE Tumbleweed:libxslt-tools-1.1.34-3.2 openSUSE Tumbleweed:libxslt1-1.1.34-3.2 openSUSE Tumbleweed:libxslt1-32bit-1.1.34-3.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-11068.html CVE-2019-11068 https://bugzilla.suse.com/1132160 SUSE Bug 1132160 https://bugzilla.suse.com/1154212 SUSE Bug 1154212 In numbers.c in libxslt 1.1.33, an xsl:number with certain format strings could lead to a uninitialized read in xsltNumberFormatInsertNumbers. This could allow an attacker to discern whether a byte on the stack contains the characters A, a, I, i, or 0, or any other character. CVE-2019-13117 openSUSE Tumbleweed:libxslt-devel-1.1.34-3.2 openSUSE Tumbleweed:libxslt-devel-32bit-1.1.34-3.2 openSUSE Tumbleweed:libxslt-tools-1.1.34-3.2 openSUSE Tumbleweed:libxslt1-1.1.34-3.2 openSUSE Tumbleweed:libxslt1-32bit-1.1.34-3.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-13117.html CVE-2019-13117 https://bugzilla.suse.com/1140095 SUSE Bug 1140095 https://bugzilla.suse.com/1157028 SUSE Bug 1157028 https://bugzilla.suse.com/1160968 SUSE Bug 1160968 In numbers.c in libxslt 1.1.33, a type holding grouping characters of an xsl:number instruction was too narrow and an invalid character/length combination could be passed to xsltNumberFormatDecimal, leading to a read of uninitialized stack data. CVE-2019-13118 openSUSE Tumbleweed:libxslt-devel-1.1.34-3.2 openSUSE Tumbleweed:libxslt-devel-32bit-1.1.34-3.2 openSUSE Tumbleweed:libxslt-tools-1.1.34-3.2 openSUSE Tumbleweed:libxslt1-1.1.34-3.2 openSUSE Tumbleweed:libxslt1-32bit-1.1.34-3.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-13118.html CVE-2019-13118 https://bugzilla.suse.com/1140101 SUSE Bug 1140101 https://bugzilla.suse.com/1157028 SUSE Bug 1157028 https://bugzilla.suse.com/1160968 SUSE Bug 1160968 In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized data could be disclosed. CVE-2019-18197 openSUSE Tumbleweed:libxslt-devel-1.1.34-3.2 openSUSE Tumbleweed:libxslt-devel-32bit-1.1.34-3.2 openSUSE Tumbleweed:libxslt-tools-1.1.34-3.2 openSUSE Tumbleweed:libxslt1-1.1.34-3.2 openSUSE Tumbleweed:libxslt1-32bit-1.1.34-3.2 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-18197.html CVE-2019-18197 https://bugzilla.suse.com/1154609 SUSE Bug 1154609 https://bugzilla.suse.com/1157028 SUSE Bug 1157028 https://bugzilla.suse.com/1162833 SUSE Bug 1162833 https://bugzilla.suse.com/1169511 SUSE Bug 1169511 https://bugzilla.suse.com/1190108 SUSE Bug 1190108