Summary
Nicolas Gregoire discovered several vulnerabilities in libxalan2-java, a Java library for XSLT processing. Crafted XSLT programs could access system properties or load arbitrary classes, resulting in information disclosure and, potentially, arbitrary code execution.
Solution
For the oldstable distribution (squeeze), this problem has been fixed in version 2.7.1-5+deb6u1.
For the stable distribution (wheezy), this problem has been fixed in version 2.7.1-7+deb7u1.
For the unstable distribution (sid), this problem has been fixed in version 2.7.1-9.
We recommend that you upgrade your libxalan2-java packages.
Insight
Xalan-Java is an XSLT processor for transforming XML documents into HTML, text, or other XML document types. It implements the W3C Recommendations for XSL Transformations (XSLT) and the XML Path Language (XPath). It can be used from the command line, in an applet or a servlet, or as a module in other programs.
Affected
libxalan2-java on Debian Linux
Detection
This check tests the installed software version using the apt package manager.
References
Updated on 2015-03-25
Severity
CVSS Base Score: 7.5
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Classification
CVE: CVE-2014-0107