CVE-2015-7995
libxslt - security update
EPSS 1.4%
Description
The xsltStylePreCompute function in preproc.c in libxslt 1.1.28 does not check if the parent node is an element, which allows attackers to cause a denial of service via a crafted XML file, related to a "type confusion" issue.
How to fix CVE-2015-7995
To remediate CVE-2015-7995, upgrade the affected package to a fixed version listed below.
- Debian/libxslt—upgrade to 1.1.28-2.1 or later
- Debian/libxslt—upgrade to 1.1.26-14.1+deb7u1 or later
- Debian/libxslt—upgrade to 1.1.28-2+deb8u1 or later
Is CVE-2015-7995 being exploited?
Low. The EPSS score is 1.4% (EPSS estimates the probability of exploitation activity in the next 30 days), and exploitation activity has not been observed at scale.
Affected packages (3)
- from 0, < 1.1.28-2.1
- from 0, < 1.1.26-14.1+deb7u1
- from 0, < 1.1.28-2+deb8u1