Package        : libxslt
Version        : 1.1.28-2+deb8u5
CVE ID         : CVE-2016-4609 CVE-2016-4610 CVE-2019-13117
  		 CVE-2019-13118
Debian Bug     : 932321 932320

Several vulnerabilities were found in libxslt the XSLT 1.0 processing
library.

CVE-2016-4610

    Invalid memory access leading to DoS at exsltDynMapFunction. libxslt
    allows remote attackers to cause a denial of service (memory
    corruption) or possibly have unspecified other impact via unknown
    vectors.

CVE-2016-4609

    Out-of-bounds read at xmlGetLineNoInternal()
    libxslt allows remote attackers to cause a denial of service (memory
    corruption) or possibly have unspecified other impact via unknown
    vectors.

CVE-2019-13117

    An xsl:number with certain format strings could lead to an
    uninitialized read in xsltNumberFormatInsertNumbers. This could
    allow an attacker to discern whether a byte on the stack contains
    the characters A, a, I, i, or 0, or any other character.

CVE-2019-13118

    A type holding grouping characters of an xsl:number instruction was
    too narrow and an invalid character/length combination could be
    passed to xsltNumberFormatDecimal, leading to a read of
    uninitialized stack data.

For Debian 8 "Jessie", these problems have been fixed in version
1.1.28-2+deb8u5.

We recommend that you upgrade your libxslt packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS