Accepted libxml-security-java 2.1.7-1 (source) into unstable
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 23 Sep 2021 23:29:16 +0200
Source: libxml-security-java
Architecture: source
Version: 2.1.7-1
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Closes: 935548 994569
Changes:
libxml-security-java (2.1.7-1) unstable; urgency=high
.
  * Team upload.
  * New upstream version 2.1.7.
    - Fix CVE-2019-12400:
      In version 2.0.3 of Apache Santuario XML Security for Java, a caching
      mechanism was introduced to speed up creating new XML documents using a
      static pool of DocumentBuilders. However, if some untrusted code can
      register a malicious implementation with the thread context class loader
      first, then this implementation might be cached and re-used by Apache
      Santuario - XML Security for Java, leading to potential security flaws
      when validating signed documents, etc. The vulnerability affects Apache
      Santuario - XML Security for Java 2.0.x releases from 2.0.3 and all 2.1.x
      releases before 2.1.4.
      (Closes: #935548)
    - Fix CVE-2021-40690:
      All versions of Apache Santuario - XML Security for Java prior to 2.2.3
      and 2.1.7 are vulnerable to an issue where the "secureValidation"
      property is not passed correctly when creating a KeyInfo from a
      KeyInfoReference element. This allows an attacker to abuse an XPath
      Transform to extract any local .xml files in a RetrievalMethod element.
      (Closes: #994569)
  * Switch to debhelper-compat = 13.
  * Declare compliance with Debian Policy 4.6.0.
  * Drop 0001-Recover-old-API-for-libitext5-java.patch. This appears to work
    now.
  * Add no-errorprone.patch and ignore errorprone core artifact.
  * Update debian/watch and detect new releases on github.com.
  * Remove old orig-tar.sh script and use the Files-Excluded mechanism instead.
Checksums-Sha1:
9b8026996bacd5ea0012d1cac5133847d5d44a84 2707 libxml-security-java_2.1.7-1.dsc
4e4c7760c56406679c51263559158f4daf52df29 754192 libxml-security-java_2.1.7.orig.tar.xz
877b7a1105dbbd165f935ff5b90b717a253e395f 5824 libxml-security-java_2.1.7-1.debian.tar.xz
ac15866c3822923ba84d5e8b29944c0956a3465c 17097 libxml-security-java_2.1.7-1_amd64.buildinfo
Checksums-Sha256:
e8141eb120d087bcfe15c71947549ba508e923287d29adf478eb4c369df71f52 2707 libxml-security-java_2.1.7-1.dsc
3ae6295caf43d9376e132b3d2fdea7c5a7af4a3c82554c257fc9b55426b2d6ee 754192 libxml-security-java_2.1.7.orig.tar.xz
f370b63dff0ce82be0ba01391d885304cc13846b97e325edf78a8e4a12c1056d 5824 libxml-security-java_2.1.7-1.debian.tar.xz
987cafe5faa3d8fb168b316b341e5bbc8ebc88f148e814e21ebd4e1e515e7be7 17097 libxml-security-java_2.1.7-1_amd64.buildinfo
Files:
94b5120e0ef8c007304ede73e324ae43 2707 java optional libxml-security-java_2.1.7-1.dsc
3da3ddcfe27e498fe4b79dce9a4cd9e9 754192 java optional libxml-security-java_2.1.7.orig.tar.xz
d38b59c37c7da582adc2bcd430bc55a3 5824 java optional libxml-security-java_2.1.7-1.debian.tar.xz
468296c75711a30ce044f6c9b858bf75 17097 java optional libxml-security-java_2.1.7-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmFM+B1fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp
YW4ub3JnAAoJENmtFLlRO1Hk0fEQAKc6uytNcwI6v/vJn34oRMW6RmI7x2udWU18
6yaPTqRgpdu8P8/k6iCQv/48gUdAM+qKHBTulqcsoP4+cByK0X4pX+KoCqpxt+V0
oa+6jJj8Zjo9Vj14pREBfTXUg+rgZWXwc1+qMthVqSHaHQYCvsmi6kwsS2aHWnMP
RRwsp3yGU+ys3quj62gCusuZ0CS3AygFAApnB7m342GoXY2V9jPVkMRuVqgXGV++
seVmFRrBil4MMjIUcd7iz1Trm6TeaFblGM/DeD1vr0W0fEG9fqLOry4LQWmMc3oS
f1/L1PYy03URGR3LriT7pRIsbKVRgxxhN4TlHh++4uAzQpXSef7LRr7AxQc4rCsk
B7le3UtawXzHf6mSHevxX7Pp8osiBtNj4Tm3StjLt9+jrxQcEpwXSK6qimR7T7Pe
Bt1EUY3ftGkbmL3nxRIQrt91hb2MYieLUzbwslWnfF26ypdzDeVfOr3vXoTOKiN+
VF45JgEBOdI5Ugqvzpn44NYhoIbxCBCULIBwoWYiutAjpvIlx2KP/cZbqlVU5+X+
hj/IXLGOZW9ZbaWqIGRqZZK7t1qhVrbQYoAyUapVIHQ2DXbQblygjLUq92b9Tjb+
YgC86iqa+4nFHQYMXobRGAQh3JkjOWM9G6cqbYsgo02qfUnceikuWNOSYylVI4AR
bNnbTOHE
=uAaY
-----END PGP SIGNATURE-----
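The CVE-2021-40690 entry above hinges on the "secureValidation" flag, which applications consuming this library are expected to switch on when verifying signatures over untrusted XML. The following is an added example, not code from the Debian package or from the Apache Santuario project: it shows a verification routine with secure validation enabled through the standard JSR 105 (javax.xml.crypto.dsig) API that Santuario implements. The class name, the verify method and its inputs (a signed document stream and a pre-established expected key) are hypothetical. Note that enabling the flag is only a complete mitigation on 2.1.7 / 2.2.3 or later; on the affected versions it was silently dropped for a KeyInfo built from a KeyInfoReference, so upgrading is the actual fix.

```java
import java.io.InputStream;
import java.security.Key;

import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilderFactory;

import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/**
 * Hypothetical verifier (added example, not Santuario or Debian code).
 * Verifies the single enveloped ds:Signature in a document against a key the
 * caller already trusts, with secure validation switched on.
 */
public class SecureValidationExample {

    public static boolean verify(InputStream signedXml, Key expectedKey) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // Unrelated to the two CVEs but always wanted on untrusted XML:
        // no DOCTYPE, no external entities.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        Document doc = dbf.newDocumentBuilder().parse(signedXml);

        // Refuse documents that carry zero or several Signature elements; picking
        // "the first one" is how signature-wrapping attacks get in.
        NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (nl.getLength() != 1) {
            throw new IllegalArgumentException(
                "expected exactly one ds:Signature, found " + nl.getLength());
        }
        Element sigElement = (Element) nl.item(0);

        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");

        // The validating key is pinned by the caller. Do NOT select the key from the
        // document's own KeyInfo: that is the RetrievalMethod / KeyInfoReference path
        // the advisory describes.
        DOMValidateContext ctx = new DOMValidateContext(expectedKey, sigElement);

        // Secure validation: disables the local-filesystem and direct-HTTP resolvers a
        // RetrievalMethod would otherwise reach, forbids XSLT transforms and weak
        // algorithms, and caps the number of transforms and references. Before 2.1.7
        // this setting was not propagated into a KeyInfo created from a
        // KeyInfoReference (CVE-2021-40690); on 2.1.7 it is honoured.
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);

        XMLSignature signature = fac.unmarshalXMLSignature(ctx);
        return signature.validate(ctx);
    }
}
```

Code that uses Santuario's own API instead of JSR 105 has the same knob: the org.apache.xml.security.signature.XMLSignature constructor takes a boolean secureValidation argument alongside the element and base URI, and it should be passed as true for any signature that did not originate inside the trust boundary.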