Source: libsass
Version: 3.4.3-1
Severity: important
Tags: upstream security

Hi,

the following vulnerabilities were published for libsass.

CVE-2017-11554[0]:
| There is a stack consumption vulnerability in the lex function in
| parser.hpp (as used in sassc) in LibSass 3.4.5. A crafted input will
| lead to a remote denial of service.

CVE-2017-11555[1]:
| There is an illegal address access in the Eval::operator function in
| eval.cpp in LibSass 3.4.5. A crafted input will lead to a remote denial
| of service.

CVE-2017-11556[2]:
| There is a stack consumption vulnerability in the
| Parser::advanceToNextToken function in parser.cpp in LibSass 3.4.5. A
| crafted input may lead to remote denial of service.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-11554
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11554
[1] https://security-tracker.debian.org/tracker/CVE-2017-11555
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11555
[2] https://security-tracker.debian.org/tracker/CVE-2017-11556
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11556

All of those were reported upstream, and tested on Red Hat as well for
older versions like 3.4.1.

Regards,
Salvatore