CVE-2024-55549

NameCVE-2024-55549
DescriptionxsltGetInheritedNsList in libxslt before 1.1.43 has a use-after-free issue related to exclusion of result prefixes.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-4089-1, DSA-5884-1
Debian Bugs1100565

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libxslt (PTS)bullseye1.1.34-4+deb11u1vulnerable
bullseye (security)1.1.34-4+deb11u2fixed
bookworm1.1.35-1vulnerable
bookworm (security)1.1.35-1+deb12u1fixed
sid, trixie1.1.35-1.2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libxsltsourcebullseye1.1.34-4+deb11u2DLA-4089-1
libxsltsourcebookworm1.1.35-1+deb12u1DSA-5884-1
libxsltsource(unstable)1.1.35-1.21100565

Notes

https://gitlab.gnome.org/GNOME/libxslt/-/issues/127
Fixed by: https://gitlab.gnome.org/GNOME/libxslt/-/commit/46041b65f2fbddf5c284ee1a1332fa2c515c0515 (v1.1.43)
https://project-zero.issues.chromium.org/issues/382015274
Search for package or bug name: Reporting problems