Your message dated Sun, 10 May 2026 09:34:15 +0000
with message-id <[email protected]>
and subject line Bug#1059313: fixed in libxml-security-java 2.1.7-3+deb12u1
has caused the Debian Bug report #1059313,
regarding libxml-security-java: CVE-2023-44483
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1059313: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059313
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libxml-security-java
X-Debbugs-CC: [email protected]
Severity: important
Tags: security

Hi,

The following vulnerability was published for libxml-security-java.

CVE-2023-44483[0]:
| All versions of Apache Santuario - XML Security for Java prior to
| 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable
| to an issue where a private key may be disclosed in log files when
| generating an XML Signature and logging with debug level is
| enabled. Users are recommended to upgrade to version 2.2.6, 2.3.4,
| or 3.0.3, which fixes this issue.

https://www.openwall.com/lists/oss-security/2023/10/20/5
https://lists.apache.org/thread/vmqbp9mfxtrf0kmbnnmbn3h9j6dr9q55
https://santuario.apache.org/secadv.data/CVE-2023-44483.txt.asc


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-44483
    https://www.cve.org/CVERecord?id=CVE-2023-44483

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: libxml-security-java
Source-Version: 2.1.7-3+deb12u1
Done: Adrian Bunk <[email protected]>

We believe that the bug you reported is fixed in the latest version of
libxml-security-java, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adrian Bunk <[email protected]> (supplier of updated libxml-security-java package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Sat, 09 May 2026 16:15:20 +0300
Source: libxml-security-java
Architecture: source
Version: 2.1.7-3+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Adrian Bunk <[email protected]>
Closes: 1059313
Changes:
 libxml-security-java (2.1.7-3+deb12u1) bookworm; urgency=medium
 .
   * Non-maintainer upload.
   * CVE-2023-44483: Private Key disclosure in debug-log output
     (Closes: #1059313)



--- End Message ---
