You are here

RHN Errata Alert: Insecure DocBook stylesheet option

AlbLinux's picture

RHN Errata Alert: Insecure DocBook stylesheet option

Red Hat Network has determined that the following advisory is applicable to one or more of the systems you have registered:

Complete information about this errata can be found at the following location:

Security Advisory - RHSA-2002:062-08

RHN Errata Alert: Insecure DocBook stylesheet option

Insecure DocBook stylesheet option

DocBook is a document markup language that can be transformed into other formats using a stylesheet. The default stylesheet provided with Red Hat Linux has an insecure option enabled.

The default stylesheet used when converting a DocBook document to multiple HTML files allows an untrusted document to write files outside of the current directory. This is because element identifiers (specified in the document) are used to form the names of the output files. If an untrusted document uses a full pathname as an identifier, it can cause that file to be written to -- as long as the user performing the conversion has write access.

Updated docbook-utils packages are available that disable this feature and enable filenames to be generated based on the type of the element rather than its identifier.

The Common Vulnerabilities and Exposures project ( has assigned the name CAN-2002-0169 to this issue.


Taking Action
You may address the issues outlined in this advisory in two ways:

- select your server name by clicking on its name from the list
available at the following location, and then schedule an
errata update for it:

- run the Update Agent on each affected server.

Changing Notification Preferences
To enable/disable your Errata Alert preferences globally please log in to RHN and navigate from "Your RHN" / "Your Account" to the "Preferences" tab.


You can also enable/disable notification on a per system basis by selecting an individual system from the "Systems List". From the individual system view click the "Details" tab.

Affected Systems List
This Errata Advisory may apply to the systems listed below. If you know that this errata does not apply to a system listed, it might be possible that the package profile for that server is out of date. In that case you should run 'up2date -p' as root on the system in question to refresh your software profile.