Source: tiles
Version: 3.0.7-5
Severity: important
Tags: security upstream
X-Debbugs-Cc: a...@debian.org, ebo...@apache.org, car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for tiles.

CVE-2023-49735[0]:
| ** UNSUPPORTED WHEN ASSIGNED ** The value set as the
| DefaultLocaleResolver.LOCALE_KEY attribute on the session was not
| validated while resolving XML definition files, leading to possible
| path traversal and eventually SSRF/XXE when passing user-controlled
| data to this key. Passing user-controlled data to this key may be
| relatively common, as it was also used like that to set the language
| in the 'tiles-test' application shipped with Tiles. This issue
| affects Apache Tiles from version 2 onwards. NOTE: This
| vulnerability only affects products that are no longer supported by
| the maintainer.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

The project is dead-upstream TTBOMK, so not sure if/what we can do at
all for this issue. Removal seems not possible as per:

carnil@respighi:~$ dak rm --suite=unstable -n -R tiles
Will remove the following packages from unstable:

libtiles-java |    3.0.7-5 | all
libtiles-java-doc |    3.0.7-5 | all
     tiles |    3.0.7-5 | source

Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>

------------------- Reason -------------------

----------------------------------------------

Checking reverse dependencies...
# Broken Build-Depends:
libspring-java: libtiles-java (>= 3.0)

Dependency problem found.

carnil@respighi:~$

But maybe we can set it as "no-dsa", is it only used as build dependency
for libspring-java and not sensible outside?

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-49735
    https://www.cve.org/CVERecord?id=CVE-2023-49735

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
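The bug class the CVE text describes, as an added illustration that is neither Apache Tiles code nor part of the report above: a locale string read back from a session attribute is spliced into the name of the XML definition file to load, so a value a request was allowed to plant there chooses the file. The `tiles-defs_<locale>.xml` naming, `DEFS_DIR`, the `SUPPORTED` set and both resolver methods are assumptions for the demo. The hardened variant checks the syntax, maps the text onto a fixed allow-list of `java.util.Locale` values the application ships files for, builds the path from the canonical `Locale` rather than the raw string, and finally confirms the normalized path still lies under the definitions directory.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Locale;
import java.util.Optional;
import java.util.Set;
import java.util.regex.Pattern;

// Stand-alone illustration; not Apache Tiles code. DEFS_DIR, the
// "tiles-defs_<locale>.xml" naming and the resolver methods are assumptions
// chosen to mirror the bug class the CVE text describes.
public class LocaleDefinitionResolverDemo {

    // Where the application keeps its definition files (assumed path).
    static final Path DEFS_DIR = Paths.get("/app/WEB-INF").toAbsolutePath().normalize();

    // Locales the application actually ships definition files for (assumed).
    static final Set<Locale> SUPPORTED =
            Set.of(Locale.ENGLISH, Locale.US, Locale.GERMANY, Locale.FRENCH);

    // language[_COUNTRY[_variant]] only: no '/', '\\' or '.' can get through.
    static final Pattern LOCALE_SYNTAX =
            Pattern.compile("[a-z]{2,3}(_[A-Z]{2})?(_[A-Za-z0-9]+)?");

    /** Vulnerable pattern: whatever the session attribute holds is spliced into the file name. */
    static Path resolveUnchecked(String localeFromSession) {
        return DEFS_DIR.resolve("tiles-defs_" + localeFromSession + ".xml").normalize();
    }

    /** Hardened pattern: syntax check, allow-list, then containment check on the final path. */
    static Optional<Path> resolveChecked(String localeFromSession) {
        if (localeFromSession == null || !LOCALE_SYNTAX.matcher(localeFromSession).matches()) {
            return Optional.empty();
        }
        // Re-derive the Locale from the validated text so only its canonical
        // form (Locale.toString(), e.g. "en_US") ever reaches the path.
        Locale requested = Locale.forLanguageTag(localeFromSession.replace('_', '-'));
        if (!SUPPORTED.contains(requested)) {
            return Optional.empty();
        }
        Path candidate = DEFS_DIR.resolve("tiles-defs_" + requested + ".xml").normalize();
        // Defence in depth: the file must still live under DEFS_DIR.
        return candidate.startsWith(DEFS_DIR) ? Optional.of(candidate) : Optional.empty();
    }

    public static void main(String[] args) {
        // Constructed sample session values: two legitimate, one unsupported,
        // one traversal attempt.
        String[] samples = { "en_US", "de_DE", "zh_CN", "../../../tmp/attacker" };
        for (String value : samples) {
            Path unchecked = resolveUnchecked(value);
            String warning = unchecked.startsWith(DEFS_DIR) ? "" : "   <-- left " + DEFS_DIR;
            System.out.println("unchecked " + value + " -> " + unchecked + warning);
            System.out.println("checked   " + value + " -> "
                    + resolveChecked(value).map(Path::toString).orElse("rejected"));
        }
    }
}
```

Compile and run with `javac LocaleDefinitionResolverDemo.java && java LocaleDefinitionResolverDemo`. The unchecked resolver turns the traversal sample into `/app/tmp/attacker.xml`, outside `DEFS_DIR`, while the checked one rejects it at the syntax step and also rejects `zh_CN`, which is well-formed but not on the allow-list. The containment check at the end is redundant once the path is built from a canonical `Locale`, which is the point: the allow-list is the fix, the `startsWith` test is the guard that catches a future refactor which reintroduces the raw string.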