LISTSERV - SCIENTIFIC-LINUX-ERRATA Archives

SCIENTIFIC-LINUX-ERRATA Archives

September 2012

SCIENTIFIC-LINUX-ERRATA@LISTSERV.FNAL.GOV

	LISTSERV Archives
	SCIENTIFIC-LINUX-ERRATA Home
	SCIENTIFIC-LINUX-ERRATA September 2012

	Log In
	Register

	Subscribe or Unsubscribe

	Search Archives

Options:	Use Monospaced Font Show Text Part by Default Show All Mail Headers
Message:	[<< First] [< Prev] [Next >] [Last >>]
Topic:	[<< First] [< Prev] [Next >] [Last >>]
Author:	[<< First] [< Prev] [Next >] [Last >>]

Subject:	Security ERRATA Important: libxslt on SL5.x, SL6.x i386/x86_64
From:	Connie Sieh <[log in to unmask]>
Reply To:	Connie Sieh <[log in to unmask]>
Date:	Fri, 14 Sep 2012 16:52:04 -0500
Content-Type:	text/plain
Parts/Attachments:	text/plain (55 lines)

Synopsis:          Important: libxslt security update
Issue Date:        2012-09-13
CVE Numbers:       CVE-2011-1202
                    CVE-2011-3970
                    CVE-2012-2825
                    CVE-2012-2871
                    CVE-2012-2870

A heap-based buffer overflow flaw was found in the way libxslt applied
templates to nodes selected by certain namespaces. An attacker could use
this flaw to create a malicious XSL file that, when used by an application
linked against libxslt to perform an XSL transformation, could cause the
application to crash or, possibly, execute arbitrary code with the
privileges of the user running the application. (CVE-2012-2871)

Several denial of service flaws were found in libxslt. An attacker could
use these flaws to create a malicious XSL file that, when used by an
application linked against libxslt to perform an XSL transformation, could
cause the application to crash. (CVE-2012-2825, CVE-2012-2870,
CVE-2011-3970)

An information leak could occur if an application using libxslt processed
an untrusted XPath expression, or used a malicious XSL file to perform an
XSL transformation. If combined with other flaws, this leak could possibly
help an attacker bypass intended memory corruption protections.
(CVE-2011-1202)

All running applications linked against libxslt must be restarted for this
update to take effect.

SL5
   x86_64
     libxslt-1.1.17-4.el5_8.3.i386.rpm
     libxslt-1.1.17-4.el5_8.3.x86_64.rpm
     libxslt-python-1.1.17-4.el5_8.3.x86_64.rpm
     libxslt-devel-1.1.17-4.el5_8.3.i386.rpm
     libxslt-devel-1.1.17-4.el5_8.3.x86_64.rpm
   i386
     libxslt-1.1.17-4.el5_8.3.i386.rpm
     libxslt-python-1.1.17-4.el5_8.3.i386.rpm
     libxslt-devel-1.1.17-4.el5_8.3.i386.rpm
SL6
   x86_64
     libxslt-1.1.26-2.el6_3.1.i686.rpm
     libxslt-1.1.26-2.el6_3.1.x86_64.rpm
     libxslt-devel-1.1.26-2.el6_3.1.i686.rpm
     libxslt-devel-1.1.26-2.el6_3.1.x86_64.rpm
     libxslt-python-1.1.26-2.el6_3.1.x86_64.rpm
   i386
     libxslt-1.1.26-2.el6_3.1.i686.rpm
     libxslt-devel-1.1.26-2.el6_3.1.i686.rpm
     libxslt-python-1.1.26-2.el6_3.1.i686.rpm

- Scientific Linux Development Team

ATOM RSS1 RSS2

LISTSERV.FNAL.GOV