CVE-2015-9019
Published: 5 April 2017
In libxslt 1.1.29 and earlier, the EXSLT math.random function was not initialized with a random seed during startup, which could cause usage of this function to produce predictable outputs.
Notes
Author | Note |
---|---|
sbeattie | upstream fixed this for xsltproc, but libxslt remains unfixed not clear what the security impact of this is |
mdeslaur | as of 2022-08-05, no indication that upstream will fix this |
ccdm94 | there is no upstream patch provided for this issue. The random function in libxslt does not guarantee it will adhere to all cryptographic requirements, and applications using libxslt are expected to be the ones performing the seeding of the system's PRNG in order to achieve proper randomness. For this reason, status for all releases will be set to ignored. |
Priority
Status
Package | Release | Status |
---|---|---|
libxslt Launchpad, Ubuntu, Debian |
artful |
Ignored
(end of life)
|
bionic |
Ignored
(see notes)
|
|
cosmic |
Ignored
(end of life)
|
|
disco |
Ignored
(end of life)
|
|
eoan |
Ignored
(end of life)
|
|
focal |
Ignored
(see notes)
|
|
groovy |
Ignored
(end of life)
|
|
hirsute |
Ignored
(end of life)
|
|
impish |
Ignored
(end of life)
|
|
jammy |
Ignored
(see notes)
|
|
kinetic |
Ignored
(end of life, was ignored [see notes])
|
|
precise |
Ignored
(end of life)
|
|
trusty |
Ignored
(see notes)
|
|
upstream |
Needed
|
|
xenial |
Ignored
(see notes)
|
|
yakkety |
Ignored
(end of life)
|
|
zesty |
Ignored
(end of life)
|
Severity score breakdown
Parameter | Value |
---|---|
Base score | 5.3 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | Low |
Integrity impact | None |
Availability impact | None |
Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |