Description: In libxslt 1.1.29 and earlier, the EXSLT math.random function was not initialized with a random seed during startup, which could cause usage of this function to produce predictable outputs.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)
Debian Bugs: 859796

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release                        Version               Status
libxslt (PTS)    buster                         1.1.32-2.2~deb10u1    vulnerable
                 buster (security)              1.1.32-2.2~deb10u2    vulnerable
                 bullseye (security), bullseye  1.1.34-4+deb11u1      vulnerable
                 bookworm, sid                  1.1.35-1              vulnerable

The information below is based on the following data on fixed versions.

Package   Type   Release   Fixed Version   Urgency   Origin   Debian Bugs
(no entries)

There is no indication that math.random() is intended to meet cryptographic
randomness requirements. Proper seeding needs to happen in the application
using libxslt, before any stylesheet that calls math:random() is applied.
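The following is an added example, not code from the Debian tracker or from libxslt itself. It shows why an unseeded math:random() is reproducible and where an application should do the seeding the note above asks for. It assumes that libexslt implements math:random() on top of the C library's rand() (an assumption about the implementation, not a fact stated on this page); under that assumption the relevant state is the srand() seed, and the C standard specifies that rand() behaves as if srand(1) had been called when the program never seeds it, so every unseeded process emits the same sequence. The function names (exslt_style_random, seed_rng_from_os, sequence_after_seed) are hypothetical helpers for illustration.

```c
/* Added example: predictability of an unseeded rand()-backed math:random()
 * and application-side seeding from the OS entropy pool.
 * Assumption (not from the page): libexslt's math:random() returns
 * rand()/RAND_MAX, so srand() state is what determines its output. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of EXSLT math:random(): a double in [0,1] derived from rand(). */
double exslt_style_random(void) {
    return (double)rand() / (double)RAND_MAX;
}

/* Fill out[0..n) with the values produced after srand(seed).  Seed 1
 * reproduces exactly what a process that never called srand() emits
 * (C11 7.22.2.2), i.e. the CVE-2015-9019 situation. */
void sequence_after_seed(unsigned seed, size_t n, double *out) {
    srand(seed);
    for (size_t i = 0; i < n; i++)
        out[i] = exslt_style_random();
}

/* Returns 1 if two runs started from the same seed are byte-identical,
 * which is what makes the unseeded output predictable to an attacker. */
int is_predictable(unsigned seed, size_t n) {
    double a[64], b[64];
    if (n > 64)
        n = 64;
    sequence_after_seed(seed, n, a);
    sequence_after_seed(seed, n, b);
    return memcmp(a, b, n * sizeof(double)) == 0;
}

/* Seed the C library PRNG from /dev/urandom.  Call this once at startup,
 * before xsltApplyStylesheet() or any other entry point that may evaluate
 * math:random().  Returns 0 on success, -1 if no entropy could be read.
 * Caveat: rand()/srand() are process-global and not thread-safe, and even
 * a well-seeded rand() is not a cryptographic generator, which matches the
 * tracker note that math:random() is not meant for such use. */
int seed_rng_from_os(void) {
    unsigned seed;
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return -1;
    size_t got = fread(&seed, sizeof seed, 1, f);
    fclose(f);
    if (got != 1)
        return -1;
    srand(seed);
    return 0;
}

/* Sanity check used by callers/tests: math:random() values lie in [0,1]. */
int in_unit_interval(double x) {
    return x >= 0.0 && x <= 1.0;
}

int main(void) {
    printf("seed-1 (unseeded-equivalent) run is reproducible: %s\n",
           is_predictable(1, 8) ? "yes" : "no");
    if (seed_rng_from_os() != 0) {
        fprintf(stderr, "could not seed from /dev/urandom\n");
        return 1;
    }
    printf("first math:random()-style value after OS seeding: %f\n",
           exslt_style_random());
    return 0;
}
```

In a real program the seed_rng_from_os() call belongs in application startup, before libxslt is asked to transform anything; the library does not do it for you, which is exactly the point of the note above. If the application needs unpredictable values for a security decision, it should not route that through math:random() at all, seeded or not.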
