CVE-2015-9019

Publication date 5 April 2017

Last updated 24 July 2024


Ubuntu priority

Cvss 3 Severity Score

5.3 · Medium

Score breakdown

In libxslt 1.1.29 and earlier, the EXSLT math.random function was not initialized with a random seed during startup, which could cause usage of this function to produce predictable outputs.

Read the notes from the security team

Status

Package Ubuntu Release Status
libxslt 22.10 kinetic Ignored end of life, was ignored [see notes]
22.04 LTS jammy Ignored see notes
21.10 impish Ignored end of life
21.04 hirsute Ignored end of life
20.10 groovy Ignored end of life
20.04 LTS focal Ignored see notes
19.10 eoan Ignored end of life
19.04 disco Ignored end of life
18.10 cosmic Ignored end of life
18.04 LTS bionic Ignored see notes
17.10 artful Ignored end of life
17.04 zesty Ignored end of life
16.10 yakkety Ignored end of life
16.04 LTS xenial Ignored see notes
14.04 LTS trusty Ignored end of ESM support, was ignored [see notes]
12.04 LTS precise Ignored end of life

Notes


sbeattie

upstream fixed this for xsltproc, but libxslt remains unfixed not clear what the security impact of this is


mdeslaur

as of 2022-08-05, no indication that upstream will fix this


ccdm94

there is no upstream patch provided for this issue. The random function in libxslt does not guarantee it will adhere to all cryptographic requirements, and applications using libxslt are expected to be the ones performing the seeding of the system's PRNG in order to achieve proper randomness. For this reason, status for all releases will be set to ignored.

Severity score breakdown

Parameter Value
Base score 5.3 · Medium
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality Low
Integrity impact None
Availability impact None
Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N