CVE-2011-1425

Name: CVE-2011-1425
Description: xslt.c in XML Security Library (aka xmlsec) before 1.2.17, as used in WebKit and other products, when XSLT is enabled, allows remote attackers to create or overwrite arbitrary files via vectors involving the libxslt output extension and a ds:Transform element during signature verification.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DSA-2219-1
Debian Bugs: 620560

Vulnerable and fixed packages

The table below lists information on source packages.

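| Source Package | Release | Version | Status |
|---|---|---|---|
| xmlsec1 (PTS) | jessie | 1.2.20-2 | fixed |
| xmlsec1 | stretch (lts), stretch | 1.2.27-2~deb9u1 | fixed |
| xmlsec1 | buster | 1.2.27-2 | fixed |
| xmlsec1 | bullseye | 1.2.31-1 | fixed |
| xmlsec1 | bookworm | 1.2.37-2 | fixed |
| xmlsec1 | sid, trixie | 1.2.41-1 | fixed |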

The information below is based on the following data on fixed versions.

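| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| xmlsec1 | source | lenny | 1.2.9-5+lenny1 | | DSA-2219-1 | |
| xmlsec1 | source | squeeze | 1.2.14-1+squeeze1 | | DSA-2219-1 | |
| xmlsec1 | source | (unstable) | 1.2.14-1.1 | | | 620560 |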

Notes

http://www.aleksey.com/xmlsec/news.html
