CVE-2009-1699

Name	CVE-2009-1699
Description	The XSL stylesheet implementation in WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch 1.1 through 2.2.1 does not properly handle XML external entities, which allows remote attackers to read arbitrary files via a crafted DTD, as demonstrated by a file:///etc/passwd URL in an entity declaration, related to an "XXE attack."
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
References	DSA-1988-1
NVD severity	high (attack range: remote)
Debian Bugs	535793

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
kde4libs (PTS)	jessie (security), jessie	4:4.14.2-5+deb8u2	fixed
	stretch	4:4.14.26-2	fixed
	buster	4:4.14.38-1	fixed
	sid	4:4.14.38-2	fixed
qt4-x11 (PTS)	jessie	4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u1	fixed
	stretch	4:4.8.7+dfsg-11	fixed
	buster, sid	4:4.8.7+dfsg-17	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
kde4libs	source	(unstable)	(not affected)
kdelibs	source	(unstable)	(not affected)
qt4-x11	source	(unstable)	4:4.5.2-2	high
qt4-x11	source	etch	(not affected)
qt4-x11	source	lenny	4.4.3-1+lenny1	high	DSA-1988-1
webkit	source	(unstable)	1.0.1-4	medium		535793

[etch] - qt4-x11 <not-affected> (QTWebkit was introduced in 4.4)