CVE-2011-1202
Published: 10 March 2011
The xsltGenerateIdFunction function in functions.c in libxslt 1.1.26 and earlier, as used in Google Chrome before 10.0.648.127 and other products, allows remote attackers to obtain potentially sensitive information about heap memory addresses via an XML document containing a call to the XSLT generate-id XPath function.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
firefox Launchpad, Ubuntu, Debian |
dapper |
Ignored
(reached end-of-life)
|
| hardy |
Ignored
(uses system xulrunner)
|
|
| lucid |
Released
(3.6.17+build3+nobinonly-0ubuntu0.10.04.1)
|
|
| maverick |
Released
(3.6.17+build3+nobinonly-0ubuntu0.10.10.1)
|
|
| natty |
Released
(4.0.1+build1+nobinonly-0ubuntu0.11.04.1)
|
|
| oneiric |
Not vulnerable
(5.0~b2+build1+nobinonly-0ubuntu2)
|
|
| precise |
Not vulnerable
(5.0~b2+build1+nobinonly-0ubuntu2)
|
|
| upstream |
Released
(3.6.17)
|
|
|
libxslt Launchpad, Ubuntu, Debian |
dapper |
Ignored
(reached end-of-life)
|
| hardy |
Released
(1.1.22-1ubuntu1.3)
|
|
| karmic |
Ignored
(reached end-of-life)
|
|
| lucid |
Released
(1.1.26-1ubuntu1.1)
|
|
| maverick |
Ignored
(reached end-of-life)
|
|
| natty |
Released
(1.1.26-6ubuntu0.1)
|
|
| oneiric |
Not vulnerable
(1.1.26-7)
|
|
| precise |
Not vulnerable
(1.1.26-8ubuntu1.1)
|
|
| upstream |
Released
(1.1.26-7)
|
|
|
Patches: upstream: http://git.gnome.org/browse/libxslt/commit/?id=ecb6bcb8d1b7e44842edde3929f412d46b40c89f |
||
|
thunderbird Launchpad, Ubuntu, Debian |
dapper |
Does not exist
|
| hardy |
Ignored
(reached end-of-life)
|
|
| lucid |
Released
(3.1.10+build1+nobinonly-0ubuntu0.10.04.1)
|
|
| maverick |
Released
(3.1.10+build1+nobinonly-0ubuntu0.10.10.1)
|
|
| natty |
Released
(3.1.10+build1+nobinonly-0ubuntu0.11.04.1)
|
|
| oneiric |
Not vulnerable
|
|
| precise |
Not vulnerable
|
|
| upstream |
Needs triage
|
|
|
xulrunner-1.9.2 Launchpad, Ubuntu, Debian |
dapper |
Does not exist
|
| hardy |
Released
(1.9.2.17+build3+nobinonly-0ubuntu0.8.04.1)
|
|
| karmic |
Released
(1.9.2.17+build3+nobinonly-0ubuntu0.9.10.1)
|
|
| lucid |
Released
(1.9.2.17+build3+nobinonly-0ubuntu0.10.04.1)
|
|
| maverick |
Released
(1.9.2.17+build3+nobinonly-0ubuntu0.10.10.1)
|
|
| natty |
Released
(1.9.2.17+build3+nobinonly-0ubuntu1)
|
|
| oneiric |
Does not exist
|
|
| precise |
Does not exist
|
|
| upstream |
Released
(1.9.2.17)
|
|
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1202
- https://ubuntu.com/security/notices/USN-1112-1
- https://ubuntu.com/security/notices/USN-1121-1
- https://ubuntu.com/security/notices/USN-1122-2
- https://ubuntu.com/security/notices/USN-1122-1
- http://scarybeastsecurity.blogspot.ca/2011/03/multi-browser-heap-address-leak-in-xslt.html
- https://rhn.redhat.com/errata/RHSA-2012-1265.html
- https://ubuntu.com/security/notices/USN-1595-1
- NVD
- Launchpad
- Debian