USN-1358-1 missing NEWS entry about XSLT write operations disabled by default
Bug #931342 reported by Rafal Skucha
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
php5 (Ubuntu) | Invalid | Undecided | Unassigned |
Bug Description
After upgrading to php5-xsl 5.3.6-13ubuntu3.5 I'm getting
PHP Warning: XSLTProcessor:
and
PHP Warning: XSLTProcessor:
Everything works fine after downgrading plus all file access permissions are fine.
CVE References: CVE-2012-0057
http://www.ubuntu.com/usn/usn-1358-1/
It was discovered that PHP did not properly enforce libxslt security
settings. This could allow a remote attacker to create arbitrary
files via a crafted XSLT stylesheet that uses the libxslt output
extension. (CVE-2012-0057)
I think Steve missed adding a few notes to debian/NEWS (from the Debian security update):
* The following new directives were added as part of security fixes:
- max_input_vars - specifies how many GET/POST/COOKIE input variables
may be accepted. Default value is set to 1000.
- xsl.security_prefs - define forbidden operations within XSLT
stylesheets. Write operations are now disabled by default.
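The behaviour the NEWS entry describes, as an added example that is not part of this bug report or the Ubuntu package: a small guard around XSLTProcessor that verifies the libxslt write operations (the ones CVE-2012-0057 concerns) are forbidden before an untrusted stylesheet is applied. It assumes PHP 5.4 or later with ext/xsl, where the per-processor getSecurityPrefs()/setSecurityPrefs() API exists; the 5.3-era fix discussed here only exposed the xsl.security_prefs ini directive.

```php
<?php
// Added example, not code from the bug report or from php5. Assumes ext/xsl
// with the XSL_SECPREF_* constants and the PHP >= 5.4 security-prefs methods.

// In both the ini directive and this API, a set bit means the operation is
// FORBIDDEN; XSL_SECPREF_DEFAULT is exactly these three write bits.
function writeOperationBits(): int {
    return XSL_SECPREF_WRITE_FILE
         | XSL_SECPREF_CREATE_DIRECTORY
         | XSL_SECPREF_WRITE_NETWORK;
}

// Decode a prefs bitmask into the names of the operations it forbids,
// e.g. for logging what a processor will refuse.
function forbiddenOperations(int $prefs): array {
    $names = [
        XSL_SECPREF_READ_FILE        => 'READ_FILE',
        XSL_SECPREF_WRITE_FILE       => 'WRITE_FILE',
        XSL_SECPREF_CREATE_DIRECTORY => 'CREATE_DIRECTORY',
        XSL_SECPREF_READ_NETWORK     => 'READ_NETWORK',
        XSL_SECPREF_WRITE_NETWORK    => 'WRITE_NETWORK',
    ];
    $forbidden = [];
    foreach ($names as $bit => $name) {
        if ($prefs & $bit) {
            $forbidden[] = $name;
        }
    }
    return $forbidden;
}

// Transform with a stylesheet that is not trusted to write anywhere.
function transformUntrusted(DOMDocument $xml, DOMDocument $xsl): string {
    $proc = new XSLTProcessor();
    // Re-apply the safe default explicitly so a permissive php.ini cannot
    // silently re-enable file writes for this processor.
    $proc->setSecurityPrefs($proc->getSecurityPrefs() | writeOperationBits());
    if (($proc->getSecurityPrefs() & writeOperationBits()) !== writeOperationBits()) {
        throw new RuntimeException('XSLT write operations are not all disabled');
    }
    $proc->importStylesheet($xsl);
    $out = $proc->transformToXml($xml);
    if ($out === false) {
        // A stylesheet that tried a forbidden write ends up here, with the
        // "XSLTProcessor:" warning the bug reporter saw emitted by ext/xsl.
        throw new RuntimeException('transformation failed (possibly a refused write)');
    }
    return $out;
}
```

An application that legitimately needs a stylesheet to write output files is the case the NEWS entry should have called out; such a stylesheet must come from a trusted source and be run through a separate processor whose prefs are relaxed deliberately, never this guarded one.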