Security update for libxslt SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:20201-1 Final 1 1 2025-04-23T13:11:10Z current 2025-04-23T13:11:10Z 2025-04-23T13:11:10Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for libxslt This update for libxslt fixes the following issues: * CVE-2025-24855: Fix use-after-free of XPath context node (bsc#1239625) * CVE-2024-55549: Fix UAF related to excluded namespaces (bsc#1239637) * CVE-2023-40403: Make generate-id() deterministic (bsc#1238591) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-Micro-6.0-297 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-202520201-1/ Link for SUSE-SU-2025:20201-1 https://lists.suse.com/pipermail/sle-security-updates/2025-June/021139.html E-Mail link for SUSE-SU-2025:20201-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1238591 SUSE Bug 1238591 https://bugzilla.suse.com/1239625 SUSE Bug 1239625 https://bugzilla.suse.com/1239637 SUSE Bug 1239637 https://www.suse.com/security/cve/CVE-2023-40403/ SUSE CVE CVE-2023-40403 page https://www.suse.com/security/cve/CVE-2024-55549/ SUSE CVE CVE-2024-55549 page https://www.suse.com/security/cve/CVE-2025-24855/ SUSE CVE CVE-2025-24855 page SUSE Linux Micro 6.0 libexslt0-1.1.38-4.1 libxslt1-1.1.38-4.1 libexslt0-1.1.38-4.1 as a component of SUSE Linux Micro 6.0 libxslt1-1.1.38-4.1 as a component of SUSE Linux Micro 6.0 The issue was addressed with improved memory handling. This issue is fixed in macOS Ventura 13.6, tvOS 17, iOS 16.7 and iPadOS 16.7, macOS Monterey 12.7, watchOS 10, iOS 17 and iPadOS 17, macOS Sonoma 14. Processing web content may disclose sensitive information. CVE-2023-40403 SUSE Linux Micro 6.0:libexslt0-1.1.38-4.1 SUSE Linux Micro 6.0:libxslt1-1.1.38-4.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520201-1/ https://www.suse.com/security/cve/CVE-2023-40403.html CVE-2023-40403 https://bugzilla.suse.com/1238591 SUSE Bug 1238591 xsltGetInheritedNsList in libxslt before 1.1.43 has a use-after-free issue related to exclusion of result prefixes. CVE-2024-55549 SUSE Linux Micro 6.0:libexslt0-1.1.38-4.1 SUSE Linux Micro 6.0:libxslt1-1.1.38-4.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520201-1/ https://www.suse.com/security/cve/CVE-2024-55549.html CVE-2024-55549 https://bugzilla.suse.com/1239637 SUSE Bug 1239637 numbers.c in libxslt before 1.1.43 has a use-after-free because, in nested XPath evaluations, an XPath context node can be modified but never restored. This is related to xsltNumberFormatGetValue, xsltEvalXPathPredicate, xsltEvalXPathStringNs, and xsltComputeSortResultInternal. CVE-2025-24855 SUSE Linux Micro 6.0:libexslt0-1.1.38-4.1 SUSE Linux Micro 6.0:libxslt1-1.1.38-4.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520201-1/ https://www.suse.com/security/cve/CVE-2025-24855.html CVE-2025-24855 https://bugzilla.suse.com/1239625 SUSE Bug 1239625