ELA-1525-1 libxslt security update

multiple vulnerabilities

2025-09-25
Package: libxslt
Version: 1.1.29-2.1+deb9u5 (stretch), 1.1.32-2.2~deb10u4 (buster)
Related CVEs: CVE-2023-40403, CVE-2025-7424


CVE-2023-40403

It was discovered that the generate-id() function could return deterministic values and could leak the memory layout of different XML objects, which might lead to information disclosure.

CVE-2025-7424

Ivan Fratric discovered a type confusion vulnerability in xmlNode.psvi between stylesheet and source nodes, which could lead to application crash.



For Debian 10 buster, these problems have been fixed in version 1.1.32-2.2~deb10u4.

For Debian 9 stretch, these problems have been fixed in version 1.1.29-2.1+deb9u5.

We recommend that you upgrade your libxslt packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.