[3.6] libxslt: security framework bypass (CVE-2019-11068)

libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon
receiving a –1 error code. xsltCheckRead can return –1 for a crafted URL that is not actually invalid and is subsequently loaded.

References:

https://nvd.nist.gov/vuln/detail/CVE-2019-11068
https://security-tracker.debian.org/tracker/CVE-2019-11068

Patch:

https://gitlab.gnome.org/GNOME/libxslt/commit/e03553605b45c88f0b4b2980adfbbb8f6fca2fd6

(from redmine: issue id 10281, created on 2019-04-17, closed on 2019-04-18)

Relations:
- parent #10276 (closed)
Changesets:
- Revision ef2dd8d4 by Natanael Copa on 2019-04-17T07:57:45Z:

main/libxslt: security fix for CVE-2019-11068

fixes #10281

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information