The following updates has been released for Debian GNU/Linux:
Debian GNU/Linux 7 Extended LTS:
ELA-185-1: libxslt security update
Debian GNU/Linux 8 LTS:
DLA 1973-1: libxslt security update
DLA 1974-1: proftpd-dfsg security update
Debian GNU/Linux 7 Extended LTS:
ELA-185-1: libxslt security update
Debian GNU/Linux 8 LTS:
DLA 1973-1: libxslt security update
DLA 1974-1: proftpd-dfsg security update
ELA-185-1: libxslt security update
Package: libxslt
Version: 1.1.26-14.1+deb7u7
Related CVE: CVE-2019-18197
A security vulnerability was discovered in libxslt, a XSLT 1.0 processing library written in C.
In xsltCopyText in transform.c, a pointer variable is not reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized data could be disclosed.
For Debian 7 Wheezy, these problems have been fixed in version 1.1.26-14.1+deb7u7.
We recommend that you upgrade your libxslt packages.
Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/
DLA 1973-1: libxslt security update
Package : libxslt
Version : 1.1.28-2+deb8u6
CVE ID : CVE-2019-18197
Debian Bug : 942646
A security vulnerability was discovered in libxslt, a XSLT 1.0
processing library written in C.
In xsltCopyText in transform.c, a pointer variable is not reset under
certain circumstances. If the relevant memory area happened to be freed
and reused in a certain way, a bounds check could fail and memory
outside a buffer could be written to, or uninitialized data could be
disclosed.
For Debian 8 "Jessie", this problem has been fixed in version
1.1.28-2+deb8u6.
We recommend that you upgrade your libxslt packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
DLA 1974-1: proftpd-dfsg security update
Package : proftpd-dfsg
Version : 1.3.5e+r1.3.5-2+deb8u4
CVE ID : CVE-2019-18217
An issue has been found in proftp-dfsg, a versatile, virtual-hosting FTP
daemon.
Due to incorrect handling of overly long commands, a remote
unauthenticated user could trigger a denial-of-service by reaching an
endless loop.
For Debian 8 "Jessie", this problem has been fixed in version
1.3.5e+r1.3.5-2+deb8u4.
We recommend that you upgrade your proftpd-dfsg packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
