Comment 0 for bug 1906470

Ghada Khalil (gkhalil) wrote :

CVE-2019-11068: libxslt: bypass of protection mechanism

CVSSv2: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Description:
libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded.

References:
https://nvd.nist.gov/vuln/detail/CVE-2019-11068
https://access.redhat.com/errata/RHSA-2020:4005
https://lists.centos.org/pipermail/centos-cr-announce/2020-October/012768.html

Required package version:
libxslt-1.1.28-6.el7.src.rpm

Packages:
libxslt

Found during November 2020 StarlingX CVE Scan
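The fail-open pattern the CVE description refers to, as an added illustration (constructed mock, not libxslt's own code): a three-way check that returns 1 for allow, 0 for deny and -1 for an internal error, called once by a caller that only refuses on an explicit 0 and once by a caller that requires an explicit 1. The function names `check_read`, `vulnerable_load` and `hardened_load` and the scheme policy are assumptions for the example.

```c
#include <string.h>

/* Constructed stand-in for a read-permission check with the same
 * three-way contract the CVE text describes:
 *   1  = access allowed
 *   0  = access denied by policy
 *  -1  = internal error (here: empty input or an unrecognised scheme) */
int check_read(const char *url) {
    if (url == NULL || url[0] == '\0')
        return -1;                              /* nothing to parse */
    if (strncmp(url, "file://", 7) == 0)
        return 0;                               /* policy: local files denied */
    if (strncmp(url, "http://", 7) == 0)
        return 1;                               /* policy: http allowed */
    return -1;                                  /* unknown scheme: check failed */
}

/* Vulnerable caller pattern: only an explicit 0 blocks the load, so an
 * error result of -1 falls through and the resource is loaded anyway.
 * Returns 1 if the load would proceed, 0 if it was refused. */
int vulnerable_load(const char *url) {
    if (check_read(url) == 0)
        return 0;                               /* refused */
    return 1;                                   /* proceeds, even on error */
}

/* Hardened caller: anything other than an explicit 1 refuses the load,
 * so a failed check is treated the same as a denial (fail closed). */
int hardened_load(const char *url) {
    if (check_read(url) != 1)
        return 0;                               /* refused on deny OR error */
    return 1;                                   /* proceeds only on allow */
}
```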