-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                         ESB-2008.0760 -- [Debian]
             New libxslt packages fix arbitrary code execution
                               1 August 2008

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              libxslt
Publisher:            Debian
Operating System:     Debian GNU/Linux 4.0
Impact:               Execute Arbitrary Code/Commands
Access:               Remote/Unauthenticated
CVE Names:            CVE-2008-2935

Ref:                  ESB-2008.0758

Original Bulletin:    http://www.debian.org/security/2008/dsa-1624

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - ------------------------------------------------------------------------
Debian Security Advisory DSA-1624-1                  security@debian.org
http://www.debian.org/security/                       Moritz Muehlenhoff
July 31, 2008                         http://www.debian.org/security/faq
- - ------------------------------------------------------------------------

Package        : libxslt
Vulnerability  : buffer overflows
Problem type   : local(remote)
Debian-specific: no
CVE Id(s)      : CVE-2008-2935

Chris Evans discovered that a buffer overflow in the RC4 functions of 
libexslt may lead to the execution of arbitrary code.

For the stable distribution (etch), this problem has been fixed in
version 1.1.19-3.

For the unstable distribution (sid), this problem will be fixed soon.

We recommend that you upgrade your libxslt packages.

Upgrade instructions
- - --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- - -------------------------------

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/libx/libxslt/libxslt_1.1.19.orig.tar.gz
    Size/MD5 checksum:  2799906 622e5843167593c8ea39bf86c66b8fcf
  http://security.debian.org/pool/updates/main/libx/libxslt/libxslt_1.1.19-3.diff.gz
    Size/MD5 checksum:   149686 b62a7dd0aa648576a266cd20d634c216
  http://security.debian.org/pool/updates/main/libx/libxslt/libxslt_1.1.19-3.dsc
    Size/MD5 checksum:      849 7d98fdda0079574b360d4a6e2a12e2be

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/libx/libxslt/xsltproc_1.1.19-3_alpha.deb
    Size/MD5 checksum:   107264 4aac707640a9fcf9aabcd42336b38be3
  http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1-dbg_1.1.19-3_alpha.deb
    Size/MD5 checksum:   365058 0e966c67dfbc374141960789fcbe96ab
  http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1-dev_1.1.19-3_alpha.deb
    Size/MD5 checksum:   690408 a431dcc2f32428677e7b737b971e0f9e
  http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1.1_1.1.19-3_alpha.deb
    Size/MD5 checksum:   230788 55d88a4f39eeccf4a21cd2b335c35ae5
  http://security.debian.org/pool/updates/main/libx/libxslt/python-libxslt1_1.1.19-3_alpha.deb
    Size/MD5 checksum:   131312 ce983f9b6de55027f803e39d1dda2a25

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1-dbg_1.1.19-3_amd64.deb
    Size/MD5 checksum:   362484 c91d2d5458f6de4002b4401f5675b742
  http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1.1_1.1.19-3_amd64.deb
    Size/MD5 checksum:   225658 6d4a52da7c2ca5a4280b06bdf03875e0
  http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1-dev_1.1.19-3_amd64.deb
    Size/MD5 checksum:   630884 06616b7e52d2fc80530302c7d3acd540
  http://security.debian.org/pool/updates/main/libx/libxslt/xsltproc_1.1.19-3_amd64.deb
    Size/MD5 checksum:   106562 7782d3653528b848ce1d98455f790196
  http://security.debian.org/pool/updates/main/libx/libxslt/python-libxslt1_1.1.19-3_amd64.deb
    Size/MD5 checksum:   131782 8e9ed3c7418725e1853ae5ccbd082c9b

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/libx/libxslt/xsltproc_1.1.19-3_arm.deb
    Size/MD5 checksum:   106452 9ef81b83e04979147310ec62d2682550
  http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1-dbg_1.1.19-3_arm.deb
    Size/MD5 checksum:   346610 29566f2276ff440e778dac5fb667f346
  http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1-dev_1.1.19-3_arm.deb
    Size/MD5 checksum:   613436 a9a4ebc76beb7ca67f9a7e92e8029ca7
  http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1.1_1.1.19-3_arm.deb
    Size/MD5 checksum:   213438 2c16e6911e26b8fb360aabd16281c0f6
  http://security.debian.org/pool/updates/main/libx/libxslt/python-libxslt1_1.1.19-3_arm.deb
    Size/MD5 checksum:   126468 b97c69ae48a06fd09a41fadc7c00366c

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1-dev_1.1.19-3_hppa.deb
    Size/MD5 checksum:   659318 c0f64453ca8cb8dbe9f3970cf157b3ab
  http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1.1_1.1.19-3_hppa.deb
    Size/MD5 checksum:   238420 a7c8f14314bdb82fc51ec1578f4efad3
  http://security.debian.org/pool/updates/main/libx/libxslt/xsltproc_1.1.19-3_hppa.deb
    Size/MD5 checksum:   107274 3fc49ac897c34e339b3f496700bdfd5e
  http://security.debian.org/pool/updates/main/libx/libxslt/python-libxslt1_1.1.19-3_hppa.deb
    Size/MD5 checksum:   132222 3f4dc4e5f1162e819bc534c610fad3dc
  http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1-dbg_1.1.19-3_hppa.deb
    Size/MD5 checksum:   360748 a8c4ae1c8f2e8c348c852a0931f762c5

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/libx/libxslt/xsltproc_1.1.19-3_i386.deb
    Size/MD5 checksum:   105974 ea524e8b733c0aa52b797692ee2619b6
  http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1.1_1.1.19-3_i386.deb
    Size/MD5 checksum:   216014 27edcf6172b7d9b5b304bf2265ce6e48
  http://security.debian.org/pool/updates/main/libx/libxslt/python-libxslt1_1.1.19-3_i386.deb
    Size/MD5 checksum:   128718 3bb1df547e3b5312a382bda417a23bc6
  http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1-dbg_1.1.19-3_i386.deb
    Size/MD5 checksum:   352132 a7707c2b2a1014f61b79383d639c734f
  http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1-dev_1.1.19-3_i386.deb
    Size/MD5 checksum:   589190 ea9dbf9647d07f026c6b1fd40c0a2546

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1-dbg_1.1.19-3_ia64.deb
    Size/MD5 checksum:   364096 277f76958053137cd94f84d3543bfd75
  http://security.debian.org/pool/updates/main/libx/libxslt/xsltproc_1.1.19-3_ia64.deb
    Size/MD5 checksum:   110406 2636a094ea4494abb2d972c6a7911689
  http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1-dev_1.1.19-3_ia64.deb
    Size/MD5 checksum:   688406 f8a2642f68f1afb6c2fe980acaef4db5
  http://security.debian.org/pool/updates/main/libx/libxslt/python-libxslt1_1.1.19-3_ia64.deb
    Size/MD5 checksum:   135214 69e26e4d34a753112f8b4101f7c39812
  http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1.1_1.1.19-3_ia64.deb
    Size/MD5 checksum:   286960 5e0ade1cf276e946cfd1a7f12160c7a0

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1-dev_1.1.19-3_mips.deb
    Size/MD5 checksum:   650964 68b73cf1d94f9e3df9bb5673270a3e4d
  http://security.debian.org/pool/updates/main/libx/libxslt/python-libxslt1_1.1.19-3_mips.deb
    Size/MD5 checksum:   128984 334fcd884357833ef1ba40e9753d856b
  http://security.debian.org/pool/updates/main/libx/libxslt/xsltproc_1.1.19-3_mips.deb
    Size/MD5 checksum:   106670 d93d383465f3c7943c82dcd65d1ac560
  http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1.1_1.1.19-3_mips.deb
    Size/MD5 checksum:   213704 9f9fce502a07f2466b39ff4bf7ef58b0
  http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1-dbg_1.1.19-3_mips.deb
    Size/MD5 checksum:   374008 12305da936211d86b13a7c98090391cb

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1-dev_1.1.19-3_mipsel.deb
    Size/MD5 checksum:   625304 53e74fce7300247478e318878b06a863
  http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1-dbg_1.1.19-3_mipsel.deb
    Size/MD5 checksum:   365834 48789b75049ec966939982fafa7fa83e
  http://security.debian.org/pool/updates/main/libx/libxslt/xsltproc_1.1.19-3_mipsel.deb
    Size/MD5 checksum:   106716 d99ec4062b95d872f66a4a68cbd4bb60
  http://security.debian.org/pool/updates/main/libx/libxslt/python-libxslt1_1.1.19-3_mipsel.deb
    Size/MD5 checksum:   128606 3ec247d95450b7091ffef7df0adad247
  http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1.1_1.1.19-3_mipsel.deb
    Size/MD5 checksum:   213946 5ebc6eb3e75d70a0c093b2e9d65884d7

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1.1_1.1.19-3_powerpc.deb
    Size/MD5 checksum:   223150 195bcb8c18c3024d4dbf15ad06d3d96c
  http://security.debian.org/pool/updates/main/libx/libxslt/xsltproc_1.1.19-3_powerpc.deb
    Size/MD5 checksum:   108146 332071c2aabb087b7ee3e6a12e6d2633
  http://security.debian.org/pool/updates/main/libx/libxslt/python-libxslt1_1.1.19-3_powerpc.deb
    Size/MD5 checksum:   130170 1f2348ff3cb769eb72bb5a941afc1124
  http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1-dev_1.1.19-3_powerpc.deb
    Size/MD5 checksum:   612084 76ca146446c6470fab227e5cf4b91445
  http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1-dbg_1.1.19-3_powerpc.deb
    Size/MD5 checksum:   367182 ec6a577956bedc887267bc6185abcedd

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1-dev_1.1.19-3_s390.deb
    Size/MD5 checksum:   601870 11a81ef5cf32bb11102b43b62c1d1371
  http://security.debian.org/pool/updates/main/libx/libxslt/xsltproc_1.1.19-3_s390.deb
    Size/MD5 checksum:   106834 f3ed9fc6410f2f78de38348736116eee
  http://security.debian.org/pool/updates/main/libx/libxslt/python-libxslt1_1.1.19-3_s390.deb
    Size/MD5 checksum:   131760 1d7705741271ea0227cdf15eae46f846
  http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1.1_1.1.19-3_s390.deb
    Size/MD5 checksum:   226842 7700a4e49d319d5726074de70ff9a68f
  http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1-dbg_1.1.19-3_s390.deb
    Size/MD5 checksum:   359430 f11c56a8baaa1bd61ef074324aea9068

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1-dev_1.1.19-3_sparc.deb
    Size/MD5 checksum:   599292 568ee2c44a15e4d5b1d27abb5f3f80ad
  http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1.1_1.1.19-3_sparc.deb
    Size/MD5 checksum:   218166 953db53eba1934c6279875e4ff8b6834
  http://security.debian.org/pool/updates/main/libx/libxslt/xsltproc_1.1.19-3_sparc.deb
    Size/MD5 checksum:   106372 c9eae6bbdde15ada4613922ab216c6ed
  http://security.debian.org/pool/updates/main/libx/libxslt/python-libxslt1_1.1.19-3_sparc.deb
    Size/MD5 checksum:   129172 8a97bb6cd74fe353383be290ea14298b
  http://security.debian.org/pool/updates/main/libx/libxslt/libxslt1-dbg_1.1.19-3_sparc.deb
    Size/MD5 checksum:   337986 2f869f832a7ecdcb7a6ae50b12d0e916


  These files will probably be moved into the stable distribution on
  its next update.

- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkiSHgUACgkQXm3vHE4uylqklACgqpn4TCMTytxvAJYBaGdEKAYe
w00AoObSWdP8IKI3e1DnEPisiPRUlUFV
=Oc7f
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBSJKCkSh9+71yA2DNAQJRHwP+LnbWXJoez4G+MC87bLrzwfeiUVnSKAbW
dwwe+nLEZGG3xDF9eNOgOj5qKDQrwTcnrM9hxvZz2eZq+vyrTNV2AD4cUyxi2cd/
Sf97n1Enf3/pn5+RwOnjcisOQCRky7lENaw0Y8Zak9yRWvvb3kFQV6pqHUnvML6F
Ju5kIjw9VoU=
=sIFH
-----END PGP SIGNATURE-----