-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                         ESB-2008.0559 -- [Debian]
           New libxslt packages fix execution of arbitrary code
                                29 May 2008

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              libxslt
Publisher:            Debian
Operating System:     Debian GNU/Linux 4.0
Impact:               Execute Arbitrary Code/Commands
Access:               Remote/Unauthenticated
CVE Names:            CVE-2008-1767

Ref:                  ESB-2008.0524

Original Bulletin:    http://www.debian.org/security/2008/dsa-1589

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - ------------------------------------------------------------------------
Debian Security Advisory DSA-1589-1                  security@debian.org
http://www.debian.org/security/                               Steve Kemp
May 28, 2008                          http://www.debian.org/security/faq
- - ------------------------------------------------------------------------

Package        : libxslt
Vulnerability  : buffer overflow
Problem type   : local
Debian-specific: no
CVE Id(s)      : CVE-2008-1767
Debian Bug     : 482664

It was discovered that libxslt, an XSLT processing runtime library,
could be coerced into executing arbitrary code via a buffer overflow
when an XSL style sheet file with a long XSLT "transformation match"
condition triggered a large number of steps.

For the stable distribution (etch), this problem has been fixed in version
1.1.19-2.

For the unstable distribution (sid), this problem has been fixed in
version 1.1.24-1.

We recommend that you upgrade your libxslt package.


Upgrade instructions
- - --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- - -------------------------------

Source archives:

  http://security.debian.org/pool/updates/main/libx/libxslt/libxslt_1.1.19.orig.tar.gz
    Size/MD5 checksum:  2799906 622e5843167593c8ea39bf86c66b8fcf
  http://security.debian.org/pool/updates/main/libx/libxslt/libxslt_1.1.19-2.dsc
    Size/MD5 checksum:      849 27df832e1c58fa0b4ee2fc08ae23eb52
  http://security.debian.org/pool/updates/main/libx/libxslt/libxslt_1.1.19-2.diff.gz
    Size/MD5 checksum:   149924 3135ddae6ed99518ca98cb6dd32f9cf5

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/libx/libxslt/xsltproc_1.1.19-2_alpha.deb
    Size/MD5 checksum:   107220 cb23c0170e99f97ba4a6328b6c15d4e8
  http://security.debian.org/pool/updates/main/libx/libxslt/python-libxslt1_1.1.19-2_alpha.deb
    Size/MD5 checksum:   131268 264ec9a09e6fd46eb6acb82b6e2e458f
  http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1-dev_1.1.19-2_alpha.deb
    Size/MD5 checksum:   690048 6af24b16a70e3eda53cf9b01aeb72abe
  http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1-dbg_1.1.19-2_alpha.deb
    Size/MD5 checksum:   362862 b0bfc373c7b2b029bdecc32fe3c6b393
  http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1.1_1.1.19-2_alpha.deb
    Size/MD5 checksum:   230516 c613baf2799aca2b10f704c72d65f6dd

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/libx/libxslt/python-libxslt1_1.1.19-2_amd64.deb
    Size/MD5 checksum:   131736 bd359cba79ae664919f1d28bb7ee7bb9
  http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1-dev_1.1.19-2_amd64.deb
    Size/MD5 checksum:   630600 9f2ce6f099ad058ddb7756c6bec0ad04
  http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1.1_1.1.19-2_amd64.deb
    Size/MD5 checksum:   225362 6fad243b75ab8773edac788ae83ff0b2
  http://security.debian.org/pool/updates/main/libx/libxslt/xsltproc_1.1.19-2_amd64.deb
    Size/MD5 checksum:   106520 86122035aa23a3ac883a90f2ad206cb3
  http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1-dbg_1.1.19-2_amd64.deb
    Size/MD5 checksum:   360490 43bf746a2e2d510dc2b42bce0ebfe846

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/libx/libxslt/python-libxslt1_1.1.19-2_arm.deb
    Size/MD5 checksum:   126438 8d9a6a49d04b7b718ea4891090590ebe
  http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1.1_1.1.19-2_arm.deb
    Size/MD5 checksum:   213174 5a22f4ddde902b9e62b320d595c717e4
  http://security.debian.org/pool/updates/main/libx/libxslt/xsltproc_1.1.19-2_arm.deb
    Size/MD5 checksum:   106410 fa92dc9b78ddafc576c917dc634850f7
  http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1-dbg_1.1.19-2_arm.deb
    Size/MD5 checksum:   344476 84490df6ef91ef8d59397efd08141adb
  http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1-dev_1.1.19-2_arm.deb
    Size/MD5 checksum:   612866 b755daf391dc131cec3cf5170f7ff3ef

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/libx/libxslt/python-libxslt1_1.1.19-2_hppa.deb
    Size/MD5 checksum:   132206 246544f21eb977706164148ac110fef4
  http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1-dev_1.1.19-2_hppa.deb
    Size/MD5 checksum:   656512 278e6530497e001b7af16b8c97259640
  http://security.debian.org/pool/updates/main/libx/libxslt/xsltproc_1.1.19-2_hppa.deb
    Size/MD5 checksum:   107496 3c104b63b086ee54e45796cf8f8f5736
  http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1.1_1.1.19-2_hppa.deb
    Size/MD5 checksum:   238066 ec3a5a9b5ed19d8cea6e207b94960b06
  http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1-dbg_1.1.19-2_hppa.deb
    Size/MD5 checksum:   359052 99da4dbb694efd07fec538b0dfba57da

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1.1_1.1.19-2_i386.deb
    Size/MD5 checksum:   215768 065db1534d256efaa0bdbed1d5bc2efa
  http://security.debian.org/pool/updates/main/libx/libxslt/xsltproc_1.1.19-2_i386.deb
    Size/MD5 checksum:   106010 d736922f8f98e3655e0d17c47c182911
  http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1-dev_1.1.19-2_i386.deb
    Size/MD5 checksum:   610254 7d2f1de6b328363d404e0167b2c3d0b2
  http://security.debian.org/pool/updates/main/libx/libxslt/python-libxslt1_1.1.19-2_i386.deb
    Size/MD5 checksum:   127542 036211c64911322aad9f5afa3c67a8ce
  http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1-dbg_1.1.19-2_i386.deb
    Size/MD5 checksum:   350172 fbd79c2f46affc6a6daea73b95c5fe4c

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/libx/libxslt/xsltproc_1.1.19-2_ia64.deb
    Size/MD5 checksum:   110354 a086d9e71e7152286ff25d6c28d1c188
  http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1-dev_1.1.19-2_ia64.deb
    Size/MD5 checksum:   688004 a39cdbeb7e2bec2db123baf9fb936141
  http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1.1_1.1.19-2_ia64.deb
    Size/MD5 checksum:   286602 c417da9ebd63d8338401253df1194e01
  http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1-dbg_1.1.19-2_ia64.deb
    Size/MD5 checksum:   361472 3643ac55a03571fa185c4e0700298e82
  http://security.debian.org/pool/updates/main/libx/libxslt/python-libxslt1_1.1.19-2_ia64.deb
    Size/MD5 checksum:   135176 9cdb256571bf9606ed56840a1e88ddb4

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/libx/libxslt/xsltproc_1.1.19-2_mips.deb
    Size/MD5 checksum:   106622 5f3f9bff564736decdac2c69983211a0
  http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1.1_1.1.19-2_mips.deb
    Size/MD5 checksum:   213366 128a0294b6a09059fedb618371ec9d09
  http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1-dev_1.1.19-2_mips.deb
    Size/MD5 checksum:   650424 55eab53a1978e3e2a7c1f7dbd68fc04c
  http://security.debian.org/pool/updates/main/libx/libxslt/python-libxslt1_1.1.19-2_mips.deb
    Size/MD5 checksum:   128934 3d52f0f986dd862e8119eabeca944e35
  http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1-dbg_1.1.19-2_mips.deb
    Size/MD5 checksum:   371998 8f2ea540fd91ca75559d8589c8855de7

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1.1_1.1.19-2_mipsel.deb
    Size/MD5 checksum:   213564 c405f7eef65b01491758e64551b7977f
  http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1-dev_1.1.19-2_mipsel.deb
    Size/MD5 checksum:   624640 9d2b59c3820eb9c99671399f967e0f3e
  http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1-dbg_1.1.19-2_mipsel.deb
    Size/MD5 checksum:   363788 09bdf35805a2de68a4d1dfe15c28dcfc
  http://security.debian.org/pool/updates/main/libx/libxslt/xsltproc_1.1.19-2_mipsel.deb
    Size/MD5 checksum:   106668 2633adeeddc2edc4e36e45a7e4e92c2f
  http://security.debian.org/pool/updates/main/libx/libxslt/python-libxslt1_1.1.19-2_mipsel.deb
    Size/MD5 checksum:   128564 c768001b8441118205f9f513af83e485

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1-dev_1.1.19-2_powerpc.deb
    Size/MD5 checksum:   611678 3d3acc7b7be03bd0bb2e31dcadf05720
  http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1-dbg_1.1.19-2_powerpc.deb
    Size/MD5 checksum:   365012 94f6735cc42e233a67fd46df084120ee
  http://security.debian.org/pool/updates/main/libx/libxslt/xsltproc_1.1.19-2_powerpc.deb
    Size/MD5 checksum:   108104 bca54d59be466884a5cfde0532a324df
  http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1.1_1.1.19-2_powerpc.deb
    Size/MD5 checksum:   222790 12aef46d1088d93375ab824b73702bc2
  http://security.debian.org/pool/updates/main/libx/libxslt/python-libxslt1_1.1.19-2_powerpc.deb
    Size/MD5 checksum:   130124 37bb5353c81ed15374acc7305cc54839

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/libx/libxslt/xsltproc_1.1.19-2_s390.deb
    Size/MD5 checksum:   106798 0a96df71e63deb7d7124aab48152a5df
  http://security.debian.org/pool/updates/main/libx/libxslt/python-libxslt1_1.1.19-2_s390.deb
    Size/MD5 checksum:   131712 89e70e2d2fadd7b7ec9268d907a62d29
  http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1.1_1.1.19-2_s390.deb
    Size/MD5 checksum:   226596 751b28fafff17f6fcb8b2f4c0df370c0
  http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1-dev_1.1.19-2_s390.deb
    Size/MD5 checksum:   601572 85051174031d0ff2c22fb87d1ab759c0
  http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1-dbg_1.1.19-2_s390.deb
    Size/MD5 checksum:   357722 661c9551483bf52573e52646aaa13b60

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/libx/libxslt/xsltproc_1.1.19-2_sparc.deb
    Size/MD5 checksum:   106330 e6c23ad0752b3c7c22857c935befb984
  http://security.debian.org/pool/updates/main/libx/libxslt/python-libxslt1_1.1.19-2_sparc.deb
    Size/MD5 checksum:   129134 e6c3f1402576da329d515d9411f7fd53
  http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1.1_1.1.19-2_sparc.deb
    Size/MD5 checksum:   217862 2ce2c27d8de0dc78ee4162b9664f7144
  http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1-dev_1.1.19-2_sparc.deb
    Size/MD5 checksum:   598868 0acf342e57619d34685f76b879da8891
  http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1-dbg_1.1.19-2_sparc.deb
    Size/MD5 checksum:   335962 947c59cd2f23b55b897ded3b31ccc1a6


  These files will probably be moved into the stable distribution on
  its next update.

- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIPWiawM/Gs81MDZ0RAlFDAJ4r0ZndrATgh4xQO7tk0AidGIrk9ACeKtaR
0DnKvg1zG+OZlNoWRX3XyQw=
=HfoM
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBSD3lxih9+71yA2DNAQKPbwQAga8RhzfUdJ0jjH2JjOXnwFVmfCqPhgKK
IbpgTKFSWIeHFd8MxRd+7nYNgcaYz1gEnXqMMLN1pQohJZ5QbILjCi4idRF6G9jE
VnuC0nt0daDsOhBWf4SqJCbifEidJdc5wXv7/EuLwWBsTtOJa1Qoz28FmIWBzWKB
4TkJYhBVMfk=
=zs1B
-----END PGP SIGNATURE-----