USN-1358-1 missing NEWS entry about XSLT write operations disabled by default
Bug #931342 reported by
Rafal Skucha
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| php5 (Ubuntu) |
Invalid
|
Undecided
|
Unassigned | ||
Bug Description
After upgrading to php5-xsl 5.3.6-13ubuntu3.5 I'm getting
PHP Warning: XSLTProcessor:
and
PHP Warning: XSLTProcessor:
Everything works fine after downgrading plus all file access permissions are fine.
CVE References
Revision history for this message
| Ondřej Surý (ondrej) wrote | #1 |
| summary: |
- XSLTProcessor::transformToXml(): runtime error + USN-1358-1 missing NEWS entry about XSLT write operations disabled by + default |
| Changed in php5 (Ubuntu): | |
| status: | New → Confirmed |
Revision history for this message
| Ondřej Surý (ondrej) wrote | #2 |
Revision history for this message
| Keilo (keilo) wrote | #3 |
Revision history for this message
| Marc Deslauriers (mdeslaur) wrote | #4 |
| Changed in php5 (Ubuntu): | |
| status: | Confirmed → Invalid |
To post a comment you must log in.
http://
It was discovered that PHP did not properly enforce libxslt security
settings. This could allow a remote attacker to create arbitrary
files via a crafted XSLT stylesheet that uses the libxslt output
extension. (CVE-2012-0057)
I think Steve missed adding few notes to debian/NEWS (from Debian security update):
* The following new directives were added as part of security fixes:
- max_input_vars - specifies how many GET/POST/COOKIE input variables
may be accepted. Default value is set to 1000.
- xsl.security_prefs - define forbidden operations within XSLT
stylesheets. Write operations are now disabled by default.