- Bug
- Resolution: Done-Errata
- rhel-7.9.z
- Important
- ZStream
- rhel-se-display
- ssg_display
What were you trying to do that didn't work?
The %patchN directives for Patch4 and Patch7 are not specified in the SPEC file of libxslt-1.1.28-8.el7_9. These two CVEs are not actually fixed by applying RHSA-2025:3612.
$ grep -i patch SPECS/libxslt.spec
# Fedora specific patches
Patch0: multilib.patch
Patch1: libxslt-1.1.26-utf8-docs.patch
Patch2: libxslt-1.1.28-CVE-2019-18197.patch
Patch3: libxslt-1.1.28-CVE-2019-11068.patch
Patch4: libxslt-1.1.34-CVE-2025-24855.patch
Patch7: libxslt-1.1.34-CVE-2024-55549.patch
%patch0 -p1
%patch1 -p1 -b .utf8
%patch2 -p1
%patch3 -p1
# Now fix up the timestamps of patched docs files
- Restore timestamps for patched documentation files
- Patch from Paul Howarth for converting files to utf8 (#226088)
- and the previous patch was incomplte breaking the python bindings
- revert a key initialization patch from 1.1.23 which seems broken
What is the impact of this issue to you?
CVE-2024-55549 and CVE-2025-24855 are both "Important Impact" vulnerabilities.
Please re-release the errata as soon as possible.
I also added a comment in the following tickets.
RHEL-83491: CVE-2025-24855 libxslt: Use-After-Free in libxslt numbers.c [rhel-7-els]
RHEL-83505: CVE-2024-55549 libxslt: Use-After-Free in libxslt (xsltGetInheritedNsList) [rhel-7-els]
Please provide the package NVR for which the bug is seen:
How reproducible is this bug?:
Steps to reproduce
Expected results
Actual results
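As an added illustration (not part of this ticket or of the package's own build tooling), a small shell check that lists every PatchN: a spec declares but never applies with a %patchN or %patch -P N line, which is exactly the defect reported above for Patch4 and Patch7. The sample spec excerpt is constructed from the grep output in the report, and specs that use %autosetup or %autopatch are assumed to apply all of their patches.

```shell
#!/bin/sh
# Constructed sample: the Patch declarations and %patch lines quoted in the
# ticket, reduced to a minimal spec excerpt (this is not the real libxslt.spec).
SAMPLE_SPEC="${TMPDIR:-/tmp}/libxslt-sample.spec"
cat > "$SAMPLE_SPEC" <<'EOF'
Patch0: multilib.patch
Patch1: libxslt-1.1.26-utf8-docs.patch
Patch2: libxslt-1.1.28-CVE-2019-18197.patch
Patch3: libxslt-1.1.28-CVE-2019-11068.patch
Patch4: libxslt-1.1.34-CVE-2025-24855.patch
Patch7: libxslt-1.1.34-CVE-2024-55549.patch
%prep
%setup -q
%patch0 -p1
%patch1 -p1 -b .utf8
%patch2 -p1
%patch3 -p1
EOF

# Print "PatchN <file>" for every PatchN: declared in the spec that is never
# applied by a "%patchN" or "%patch -P N" line. Simplifying assumption: a spec
# that uses %autosetup or %autopatch is treated as applying all patches.
unapplied_patches() {
    spec="$1"
    if grep -Eq '^%(autosetup|autopatch)' "$spec"; then
        return 0
    fi
    declared=$(sed -n -E 's/^Patch([0-9]+)[[:space:]]*:.*/\1/p' "$spec" | sort -n)
    applied=$(sed -n -E \
        -e 's/^%patch([0-9]+)([[:space:]].*)?$/\1/p' \
        -e 's/^%patch[[:space:]]+-P[[:space:]]*([0-9]+).*/\1/p' "$spec")
    for n in $declared; do
        if ! printf '%s\n' "$applied" | grep -qx "$n"; then
            file=$(sed -n -E "s/^Patch$n[[:space:]]*:[[:space:]]*//p" "$spec")
            printf 'Patch%s %s\n' "$n" "$file"
        fi
    done
}

# Return non-zero when any declared patch is unapplied, so the check can gate a build.
check_spec() {
    missing=$(unapplied_patches "$1")
    [ -z "$missing" ] || { printf '%s\n' "$missing"; return 1; }
}

check_spec "$SAMPLE_SPEC" || echo "declared but unapplied patches found in $SAMPLE_SPEC"
```

Run against a real spec with `check_spec SPECS/libxslt.spec`; a non-zero exit means a declared patch is not part of the build.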
- links to: RHSA-2025:148394 libxslt security update