CVE-2009-1699

Name	CVE-2009-1699
Description	The XSL stylesheet implementation in WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch 1.1 through 2.2.1 does not properly handle XML external entities, which allows remote attackers to read arbitrary files via a crafted DTD, as demonstrated by a file:///etc/passwd URL in an entity declaration, related to an "XXE attack."
Source	CVE (at NVD; oss-sec, fulldisc, OSVDB, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, more)
References	DSA-1988-1
NVD severity	high (attack range: remote, user-initiated)
Debian Bugs	535793
Debian/oldstable	not vulnerable.
Debian/stable	not vulnerable.
Debian/testing	not vulnerable.
Debian/unstable	not vulnerable.

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
kde4libs (PTS)	squeeze	4:4.4.5-2+squeeze3	fixed
	squeeze (lts)	4:4.4.5-2+squeeze4	fixed
	wheezy, wheezy (security)	4:4.8.4-4+deb7u1	fixed
	jessie, sid	4:4.14.2-5	fixed
kdelibs (PTS)	squeeze	4:3.5.10.dfsg.1-5	fixed
qt4-x11 (PTS)	squeeze	4:4.6.3-4+squeeze1	fixed
	squeeze (lts)	4:4.6.3-4+squeeze2	fixed
	wheezy	4:4.8.2+dfsg-11	fixed
	jessie, sid	4:4.8.6+git64-g5dc8b2b+dfsg-2	fixed
webkit (PTS)	squeeze	1.2.7-0+squeeze2	fixed
	squeeze (security)	1.2.7-0+squeeze1	fixed
	wheezy	1.8.1-3.4	fixed

The information above is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
kde4libs	source	(unstable)	(not affected)
kdelibs	source	(unstable)	(not affected)
qt4-x11	source	(unstable)	4:4.5.2-2	high
qt4-x11	source	etch	(not affected)
qt4-x11	source	lenny	4.4.3-1+lenny1	high	DSA-1988-1
webkit	source	(unstable)	1.0.1-4	medium		535793

[etch] - qt4-x11 <not-affected> (QTWebkit was introduced in 4.4)