Your message dated Thu, 20 Oct 2022 20:34:20 +0000
with message-id <[email protected]>
and subject line Bug#1015860: fixed in bcel 6.5.0-1+deb11u1
has caused the Debian Bug report #1015860,
regarding libxalan2-java: CVE-2022-34169
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1015860: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1015860
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libxalan2-java
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security

Hi,

The following vulnerability was published for libxalan2-java.

CVE-2022-34169[0]:
| The Apache Xalan Java XSLT library is vulnerable to an integer
| truncation issue when processing malicious XSLT stylesheets. This can
| be used to corrupt Java class files generated by the internal XSLTC
| compiler and execute arbitrary Java bytecode. The Apache Xalan Java
| project is dormant and in the process of being retired. No future
| releases of Apache Xalan Java to address this issue are expected.
| Note: Java runtimes (such as OpenJDK) include repackaged copies of
| Xalan.

https://www.openwall.com/lists/oss-security/2022/07/19/5

The patch in the openjdk-internal version seems to be
https://github.com/openjdk/jdk/commit/41ef2b249073450172e11163a4d05762364b1297
so that might be a potential way to fix this.

Given the package is retired by Apache we should however also work
to get it removed from Debian?

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-34169
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34169

Please adjust the affected versions in the BTS as needed.

--- End Message ---
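As an added illustration of the failure mode the advisory above describes (constructed example code, not code from Xalan, XSLTC, BCEL or the Debian package): the JVM class file format stores counts and indices in 2-byte unsigned (u2) fields, so a writer that masks a larger integer into such a field emits a count that disagrees with what it actually wrote, and a reader that trusts the declared count then interprets the leftover bytes as whatever structure follows. Which field the real bug involved is not stated on this page; the toy constant pool below is an assumed stand-in, and its entry layout is constructed, not a real CONSTANT_* structure. The hardened writer shows the check that turns silent wrap-around into a hard error.

```python
import struct

# Largest value a 2-byte unsigned (u2) class-file field can hold.
U2_MAX = 0xFFFF


def write_u2_truncating(value: int) -> bytes:
    """Unsafe pattern: mask to 16 bits and write. Anything above 0xFFFF wraps silently."""
    return struct.pack(">H", value & U2_MAX)


def write_u2_checked(value: int) -> bytes:
    """Hardened writer: refuse to emit a value that does not fit the field."""
    if not 0 <= value <= U2_MAX:
        raise ValueError(f"{value} does not fit in a u2 class-file field")
    return struct.pack(">H", value)


def serialize_pool(entries, write_u2) -> bytes:
    """Serialize a constructed, toy constant pool: u2 count, then fixed-size entries.

    Each toy entry is one tag byte plus a 4-byte payload (constructed layout, not a
    real CONSTANT_* structure). The JVM spec defines constant_pool_count as the number
    of entries plus one, which is mirrored here.
    """
    out = bytearray(write_u2(len(entries) + 1))
    for payload in entries:
        out += b"\x01" + payload
    return bytes(out)


def parse_pool(blob: bytes):
    """Reader that trusts the declared count, as a class-file parser must.

    Returns the parsed entries and the offset where the reader believes the pool ends.
    """
    (count,) = struct.unpack_from(">H", blob, 0)
    offset = 2
    entries = []
    for _ in range(count - 1):
        tag = blob[offset]
        assert tag == 1, "toy format only defines tag 1"
        entries.append(blob[offset + 1:offset + 5])
        offset += 5
    return entries, offset


def demonstrate(n_entries: int):
    """Write a pool of n_entries with the truncating writer and read it back.

    Returns (entries the writer intended, entries the reader saw, bytes left over
    that the reader will now parse as whatever section follows the pool).
    """
    entries = [struct.pack(">I", i) for i in range(n_entries)]
    blob = serialize_pool(entries, write_u2_truncating)
    seen, end = parse_pool(blob)
    return len(entries), len(seen), len(blob) - end


if __name__ == "__main__":
    intended, seen, leftover = demonstrate(70_000)
    print(f"writer intended {intended} entries, reader saw {seen}, "
          f"{leftover} bytes are now parsed as whatever follows the pool")
    try:
        serialize_pool([b"\0\0\0\0"] * 70_000, write_u2_checked)
    except ValueError as err:
        print("checked writer refused:", err)
```

Running the module shows that 70,000 written entries are declared as a count of 4,465 after the mask, so the reader stops after 4,464 entries and the remaining 327,680 bytes fall into whatever the parser expects next; the same input through write_u2_checked raises before a corrupt file is produced.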
--- Begin Message ---
Source: bcel
Source-Version: 6.5.0-1+deb11u1
Done: Markus Koschany <[email protected]>

We believe that the bug you reported is fixed in the latest version of
bcel, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <[email protected]> (supplier of updated bcel package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 18 Oct 2022 17:41:54 CEST
Source: bcel
Architecture: source
Version: 6.5.0-1+deb11u1
Distribution: bullseye-security
Urgency: high
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Markus Koschany <[email protected]>
Checksums-Sha1:
 6d552599a48cfeb3c74e92bcdd5cd7c92b665f56 2354 bcel_6.5.0-1+deb11u1.dsc
 da213005869e74facf518ba22967b047ef5c00a4 707820 bcel_6.5.0.orig.tar.xz
 76ffc1c948f33c11161cf689230bba73679c645d 7344 bcel_6.5.0-1+deb11u1.debian.tar.xz
 9d524fd968b22e0ee1819d800fbbcbb109b1f475 14297 bcel_6.5.0-1+deb11u1_amd64.buildinfo
Checksums-Sha256:
 59e6c71562b86c219f51c6dd8c22f486ff32b308bfd6f32215f40cb8cf18938f 2354 bcel_6.5.0-1+deb11u1.dsc
 14c4489220b11643b9cdbaa8b5d0521f593d296f00aae1025ca7052cd7940422 707820 bcel_6.5.0.orig.tar.xz
 a90f374395757b2bd7add4b92c44e49e670bb8d7e275f44268c67e54a7b91aae 7344 bcel_6.5.0-1+deb11u1.debian.tar.xz
 9ee9fe13a0b417b7951d192132ef8e1a41e6126d68367218d4ef0409b948833c 14297 bcel_6.5.0-1+deb11u1_amd64.buildinfo
Closes: 1015860
Changes:
 bcel (6.5.0-1+deb11u1) bullseye-security; urgency=high
 .
   * Team upload.
   * Fix CVE-2022-34169:
     The Apache Xalan Java XSLT library is vulnerable to an integer truncation
     issue when processing malicious XSLT stylesheets. This can be used to
     corrupt Java class files generated by the internal XSLTC compiler and
     execute arbitrary Java bytecode. In Debian the vulnerable code is in the
     bcel source package. (Closes: #1015860)
Files:
 e1ee34343dbc98f30413a25d9daa60e0 2354 java optional bcel_6.5.0-1+deb11u1.dsc
 03ca482ec9fc77fb8ab4a8c742e375fc 707820 java optional bcel_6.5.0.orig.tar.xz
 b3709de7be44c3affa414ecc183a8d0d 7344 java optional bcel_6.5.0-1+deb11u1.debian.tar.xz
 18f2466690a8b3a4427e6938d4963de7 14297 java optional bcel_6.5.0-1+deb11u1_amd64.buildinfo


--- End Message ---