Opened 3 days ago

Closed 3 days ago

Last modified 37 hours ago

#21233 closed enhancement (fixed)

libxslt-1.1.43

Reported by: Bruce Dubbs
Owned by: Bruce Dubbs
Priority: elevated
Milestone: 12.4
Component: BOOK
Version: git
Severity: normal
Keywords:
Cc:

Description

New point version.

Change History (4)

comment:1 by Bruce Dubbs, 3 days ago

Owner: changed from blfs-book to Bruce Dubbs
Status: new → assigned

comment:2 by Douglas R. Reno, 3 days ago

Priority: normal → elevated

Major changes

The non-standard EXSLT crypto extensions and support for dynamically
loaded plugins are now disabled by default. These features can be
enabled by passing --with-crypto or --with-plugins to configure.
In a future release, these features will be removed.
Debug output and the debugger are disabled by default and can be
enabled by passing --with-debug or --with-debugger.

Security

[CVE-2025-24855] Fix use-after-free of XPath context node
[CVE-2024-55549] Fix UAF related to excluded namespaces

Bug fixes

variables: Fix non-deterministic generated IDs

libxml2 related cleanup

python: Don't use removed libxml2 macro
tests: Skip test_bad.xsl with libxml2 before 2.13
python: Don't include nanoftp.h and nanohttp.h
tests: Avoid namespace warning on Windows
numbers: Stop using libxml2 XPath axis API
numbers: Use private copy of xmlCopyCharMultiByte
documents: Use xmlCtxtParseDocument if available
tests: Make runtest compile with older libxml2 versions
utils: Account for libxml2 change
tests: Make bug-219.xsl compatible with older libxml2
extensions: always include stdlib.h (Hugo Beauzée-Luyssen)
extensions: Don't use libxml2's "modules" feature

Code cleanup

numbers: Make static variables const
variables: Remove debug code

Portability

python: Declare init func with PyMODINIT_FUNC
exslt: Use C99 NAN macro

Build

cmake: Always build Python module as shared library
cmake: Fix compatibility in package version file
configure.ac: Find libgcrypt via pkg-config (Alessandro Astone)

It looks like the impacts range from denial of service to information disclosure to arbitrary code execution.

comment:3 by Bruce Dubbs, 3 days ago

Resolution: fixed
Status: assigned → closed

Fixed at commits

ea30edd900 Update to ncftp-3.2.8.
47fc04e92f Update to pango-1.56.2.
dc8346794f Update to libxmlb-0.3.22.
1f57b0f321 Update to libxslt-1.1.43.
e29b12e335 Update to pygobject3-3.52.2 (Python module).

comment:4 by Douglas R. Reno, 37 hours ago

SA-12.3-004 issued
