VCS matches the version in the archive
- Git: https://salsa.debian.org/java-team/libxml-security-java.git
- Branch: master
- Path: debian/changelog
- Browser: https://salsa.debian.org/java-team/libxml-security-java
- Last scan: 2021-10-18 09:19:24+00
- Next scan: 2021-10-27 03:36:00+00
- Debian changelog in Git:
  libxml-security-java (2.1.7-1) unstable; urgency=high

    * Team upload.
    * New upstream version 2.1.7.
      - Fix CVE-2019-12400:
        In version 2.0.3 Apache Santuario XML Security for Java, a caching
        mechanism was introduced to speed up creating new XML documents using a
        static pool of DocumentBuilders. However, if some untrusted code can
        register a malicious implementation with the thread context class loader
        first, then this implementation might be cached and re-used by Apache
        Santuario - XML Security for Java, leading to potential security flaws
        when validating signed documents, etc. The vulnerability affects Apache
        Santuario - XML Security for Java 2.0.x releases from 2.0.3 and all 2.1.x
        releases before 2.1.4.
      - Fix CVE-2021-40690:
        All versions of Apache Santuario - XML Security for Java prior to 2.2.3
        and 2.1.7 are vulnerable to an issue where the "secureValidation"
        property is not passed correctly when creating a KeyInfo from a
        KeyInfoReference element. This allows an attacker to abuse an XPath
        Transform to extract any local .xml files in a RetrievalMethod element.
    * Switch to debhelper-compat = 13.
    * Declare compliance with Debian Policy 4.6.0.
    * Drop 0001-Recover-old-API-for-libitext5-java.patch. This appears to work
    * Add no-errorprone.patch and ignore errorprone core artifact.
    * Update debian/watch and detect new releases on github.com.
    * Remove old orig-tar.sh script and use the Files-Excluded mechanism instead.

   -- Markus Koschany <email@example.com>  Thu, 23 Sep 2021 23:29:16 +0200
- This branch is even with tag debian/2.1.7-1