Information Exposure Affecting libxslt package, versions <1.1.26-7
Snyk CVSS
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-DEBIAN9-LIBXSLT-308048
- published 11 Mar 2011
- disclosed 11 Mar 2011
Introduced: 11 Mar 2011
CVE-2011-1202 Open this link in a new tabHow to fix?
Upgrade Debian:9 libxslt to version 1.1.26-7 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream libxslt package and not the libxslt package as distributed by Debian.
See How to fix? for Debian:9 relevant fixed versions and status.
The xsltGenerateIdFunction function in functions.c in libxslt 1.1.26 and earlier, as used in Google Chrome before 10.0.648.127 and other products, allows remote attackers to obtain potentially sensitive information about heap memory addresses via an XML document containing a call to the XSLT generate-id XPath function.
References
- http://googlechromereleases.blogspot.com/2011/03/chrome-stable-release.html
- http://code.google.com/p/chromium/issues/detail?id=73716
- https://security-tracker.debian.org/tracker/CVE-2011-1202
- http://downloads.avaya.com/css/P8/documents/100144158
- http://git.gnome.org/browse/libxslt/commit/?id=ecb6bcb8d1b7e44842edde3929f412d46b40c89f
- http://scarybeastsecurity.blogspot.com/2011/03/multi-browser-heap-address-leak-in-xslt.html
- http://www.vupen.com/english/advisories/2011/0628
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14244
- https://bugzilla.redhat.com/show_bug.cgi?id=684386
- http://www.securityfocus.com/bid/46785
- https://exchange.xforce.ibmcloud.com/vulnerabilities/65966
- http://www.mandriva.com/security/advisories?name=MDVSA-2011:079
- http://www.mandriva.com/security/advisories?name=MDVSA-2012:164