Debian 10261 Published by

The following updates has been released for Debian GNU/Linux:

Debian GNU/Linux 7 Extended LTS:
ELA-185-1: libxslt security update

Debian GNU/Linux 8 LTS:
DLA 1973-1: libxslt security update
DLA 1974-1: proftpd-dfsg security update



ELA-185-1: libxslt security update

Package: libxslt
Version: 1.1.26-14.1+deb7u7
Related CVE: CVE-2019-18197

A security vulnerability was discovered in libxslt, a XSLT 1.0 processing library written in C.

In xsltCopyText in transform.c, a pointer variable is not reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized data could be disclosed.

For Debian 7 Wheezy, these problems have been fixed in version 1.1.26-14.1+deb7u7.

We recommend that you upgrade your libxslt packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/

DLA 1973-1: libxslt security update

Package : libxslt
Version : 1.1.28-2+deb8u6
CVE ID : CVE-2019-18197
Debian Bug : 942646

A security vulnerability was discovered in libxslt, a XSLT 1.0
processing library written in C.

In xsltCopyText in transform.c, a pointer variable is not reset under
certain circumstances. If the relevant memory area happened to be freed
and reused in a certain way, a bounds check could fail and memory
outside a buffer could be written to, or uninitialized data could be
disclosed.

For Debian 8 "Jessie", this problem has been fixed in version
1.1.28-2+deb8u6.

We recommend that you upgrade your libxslt packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DLA 1974-1: proftpd-dfsg security update

Package : proftpd-dfsg
Version : 1.3.5e+r1.3.5-2+deb8u4
CVE ID : CVE-2019-18217


An issue has been found in proftp-dfsg, a versatile, virtual-hosting FTP
daemon.

Due to incorrect handling of overly long commands, a remote
unauthenticated user could trigger a denial-of-service by reaching an
endless loop.


For Debian 8 "Jessie", this problem has been fixed in version
1.3.5e+r1.3.5-2+deb8u4.

We recommend that you upgrade your proftpd-dfsg packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS