Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:libxml-security-java
User: [email protected]
Usertags: pu
* CVE-2023-44483: Private Key disclosure in debug-log output
(Closes: #1059313)
diffstat for libxml-security-java-2.1.7 libxml-security-java-2.1.7
changelog | 8 ++++++++
patches/0001-Logging-improvements.patch | 24 ++++++++++++++++++++++++
patches/series | 1 +
3 files changed, 33 insertions(+)
diff -Nru libxml-security-java-2.1.7/debian/changelog
libxml-security-java-2.1.7/debian/changelog
--- libxml-security-java-2.1.7/debian/changelog 2023-01-22 19:31:41.000000000
+0200
+++ libxml-security-java-2.1.7/debian/changelog 2026-05-09 16:15:20.000000000
+0300
@@ -1,3 +1,11 @@
+libxml-security-java (2.1.7-3+deb12u1) bookworm; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2023-44483: Private Key disclosure in debug-log output
+ (Closes: #1059313)
+
+ -- Adrian Bunk <[email protected]> Sat, 09 May 2026 16:15:20 +0300
+
libxml-security-java (2.1.7-3) unstable; urgency=medium
* Team upload
diff -Nru
libxml-security-java-2.1.7/debian/patches/0001-Logging-improvements.patch
libxml-security-java-2.1.7/debian/patches/0001-Logging-improvements.patch
--- libxml-security-java-2.1.7/debian/patches/0001-Logging-improvements.patch
1970-01-01 02:00:00.000000000 +0200
+++ libxml-security-java-2.1.7/debian/patches/0001-Logging-improvements.patch
2026-05-09 16:14:45.000000000 +0300
@@ -0,0 +1,24 @@
+From bfefaed07eb583b5048ac1639bb45eaef21dcc94 Mon Sep 17 00:00:00 2001
+From: Sean Mullan <[email protected]>
+Date: Fri, 6 Oct 2023 09:40:14 -0400
+Subject: Logging improvements.
+
+---
+ .../org/apache/jcp/xml/dsig/internal/dom/DOMSignatureMethod.java | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git
a/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMSignatureMethod.java
b/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMSignatureMethod.java
+index bf3d86d7..0e1db58a 100644
+---
a/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMSignatureMethod.java
++++
b/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMSignatureMethod.java
+@@ -261,7 +261,6 @@ public abstract class DOMSignatureMethod extends
AbstractDOMSignatureMethod {
+ }
+ signature.initSign((PrivateKey)key);
+ LOG.debug("Signature provider: {}", signature.getProvider());
+- LOG.debug("Signing with key: {}", key);
+ LOG.debug("JCA Algorithm: {}", getJCAAlgorithm());
+
+ try (SignerOutputStream outputStream = new
SignerOutputStream(signature)) {
+--
+2.47.3
+
diff -Nru libxml-security-java-2.1.7/debian/patches/series
libxml-security-java-2.1.7/debian/patches/series
--- libxml-security-java-2.1.7/debian/patches/series 2023-01-22
18:15:12.000000000 +0200
+++ libxml-security-java-2.1.7/debian/patches/series 2026-05-09
16:15:20.000000000 +0300
@@ -1,3 +1,4 @@
no-errorprone.patch
exclude-tests.patch
remove-XMLUtilsPerformanceTest.java.patch
+0001-Logging-improvements.patch
