CVE-2011-1202
Published: 10 March 2011
The xsltGenerateIdFunction function in functions.c in libxslt 1.1.26 and earlier, as used in Google Chrome before 10.0.648.127 and other products, allows remote attackers to obtain potentially sensitive information about heap memory addresses via an XML document containing a call to the XSLT generate-id XPath function.
Priority
Status
| Package | Release | Status |
|---|---|---|
| firefox (Launchpad, Ubuntu, Debian) | dapper | Ignored (end of life) |
| | hardy | Ignored (end of life) |
| | lucid | Released (3.6.17+build3+nobinonly-0ubuntu0.10.04.1) |
| | maverick | Released (3.6.17+build3+nobinonly-0ubuntu0.10.10.1) |
| | natty | Released (4.0.1+build1+nobinonly-0ubuntu0.11.04.1) |
| | oneiric | Not vulnerable (5.0~b2+build1+nobinonly-0ubuntu2) |
| | precise | Not vulnerable (5.0~b2+build1+nobinonly-0ubuntu2) |
| | upstream | Released (3.6.17) |
| libxslt (Launchpad, Ubuntu, Debian) | dapper | Ignored (end of life) |
| | hardy | Released (1.1.22-1ubuntu1.3) |
| | karmic | Ignored (end of life) |
| | lucid | Released (1.1.26-1ubuntu1.1) |
| | maverick | Ignored (end of life) |
| | natty | Released (1.1.26-6ubuntu0.1) |
| | oneiric | Not vulnerable (1.1.26-7) |
| | precise | Not vulnerable (1.1.26-8ubuntu1.1) |
| | upstream | Released (1.1.26-7) |
| Patches: upstream: http://git.gnome.org/browse/libxslt/commit/?id=ecb6bcb8d1b7e44842edde3929f412d46b40c89f | | |
| thunderbird (Launchpad, Ubuntu, Debian) | dapper | Does not exist |
| | hardy | Ignored (end of life) |
| | lucid | Released (3.1.10+build1+nobinonly-0ubuntu0.10.04.1) |
| | maverick | Released (3.1.10+build1+nobinonly-0ubuntu0.10.10.1) |
| | natty | Released (3.1.10+build1+nobinonly-0ubuntu0.11.04.1) |
| | oneiric | Not vulnerable |
| | precise | Not vulnerable |
| | upstream | Needs triage |
| xulrunner-1.9.2 (Launchpad, Ubuntu, Debian) | dapper | Does not exist |
| | hardy | Released (1.9.2.17+build3+nobinonly-0ubuntu0.8.04.1) |
| | karmic | Released (1.9.2.17+build3+nobinonly-0ubuntu0.9.10.1) |
| | lucid | Released (1.9.2.17+build3+nobinonly-0ubuntu0.10.04.1) |
| | maverick | Released (1.9.2.17+build3+nobinonly-0ubuntu0.10.10.1) |
| | natty | Released (1.9.2.17+build3+nobinonly-0ubuntu1) |
| | oneiric | Does not exist |
| | precise | Does not exist |
| | upstream | Released (1.9.2.17) |

References
- https://ubuntu.com/security/notices/USN-1112-1
- https://ubuntu.com/security/notices/USN-1121-1
- https://ubuntu.com/security/notices/USN-1122-2
- https://ubuntu.com/security/notices/USN-1122-1
- http://scarybeastsecurity.blogspot.ca/2011/03/multi-browser-heap-address-leak-in-xslt.html
- https://rhn.redhat.com/errata/RHSA-2012-1265.html
- https://ubuntu.com/security/notices/USN-1595-1
- https://www.cve.org/CVERecord?id=CVE-2011-1202
- NVD
- Launchpad
- Debian