On Wed, Nov 26, 2014 at 12:40:37PM +0100, Emmanuel Bourg wrote:
> I've been investigating this issue as well. I contacted an upstream
> developer and it seems the actual fix for this issue is unknown. The
> version 3.2.0 was just reported as not vulnerable by the security
> researcher who discovered this issue.
>
> I can prepare an upgrade to the latest 3.2.x version but this will at
> least require libhibernate-validator-java to be unblocked as well.

I didn't look into the specific issue, but Red Hat Bugzilla has references
to isolated patches?
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0225

Cheers,
Moritz

__
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use [email protected] for discussions and questions.

