Your message dated Thu, 23 Sep 2021 22:18:39 +0000
with message-id <e1mtx39-000azh...@fasolo.debian.org>
and subject line Bug#935548: fixed in libxml-security-java 2.1.7-1
has caused the Debian Bug report #935548,
regarding libxml-security-java: CVE-2019-12400
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
935548: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=935548
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libxml-security-java
Version: 2.0.10-2
Severity: grave
Tags: security upstream
Hi,
The following vulnerability was published for libxml-security-java.
CVE-2019-12400[0]:
|Apache Santuario potentially loads XML parsing code from an
|untrusted source
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-12400
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12400
[1] http://santuario.apache.org/secadv.data/CVE-2019-12400.asc
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: libxml-security-java
Source-Version: 2.1.7-1
Done: Markus Koschany <a...@debian.org>
We believe that the bug you reported is fixed in the latest version of
libxml-security-java, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 935...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Markus Koschany <a...@debian.org> (supplier of updated libxml-security-java package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Thu, 23 Sep 2021 23:29:16 +0200
Source: libxml-security-java
Architecture: source
Version: 2.1.7-1
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@debian.org>
Closes: 935548 994569
Changes:
 libxml-security-java (2.1.7-1) unstable; urgency=high
 .
   * Team upload.
   * New upstream version 2.1.7.
     - Fix CVE-2019-12400:
       In version 2.0.3 Apache Santuario XML Security for Java, a caching
       mechanism was introduced to speed up creating new XML documents using a
       static pool of DocumentBuilders. However, if some untrusted code can
       register a malicious implementation with the thread context class loader
       first, then this implementation might be cached and re-used by Apache
       Santuario - XML Security for Java, leading to potential security flaws
       when validating signed documents, etc. The vulnerability affects Apache
       Santuario - XML Security for Java 2.0.x releases from 2.0.3 and all 2.1.x
       releases before 2.1.4.
       (Closes: #935548)
     - Fix CVE-2021-40690:
       All versions of Apache Santuario - XML Security for Java prior to 2.2.3
       and 2.1.7 are vulnerable to an issue where the "secureValidation"
       property is not passed correctly when creating a KeyInfo from a
       KeyInfoReference element. This allows an attacker to abuse an XPath
       Transform to extract any local .xml files in a RetrievalMethod element.
       (Closes: #994569)
   * Switch to debhelper-compat = 13.
   * Declare compliance with Debian Policy 4.6.0.
   * Drop 0001-Recover-old-API-for-libitext5-java.patch. This appears to work
     now.
   * Add no-errorprone.patch and ignore errorprone core artifact.
   * Update debian/watch and detect new releases on github.com.
   * Remove old orig-tar.sh script and use the Files-Excluded mechanism instead.
Checksums-Sha1:
Checksums-Sha256:
Files:
--- End Message ---
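The CVE-2021-40690 changelog entry above concerns the secureValidation flag not being propagated when a KeyInfo is built from a KeyInfoReference. The following added example (not code from the Debian package or from Apache Santuario) shows how a verifier turns on secure validation through the JSR-105 API and, as a defensive check that complements upgrading to a fixed release, refuses signatures whose KeyInfo fetches key material from elsewhere via RetrievalMethod or KeyInfoReference; the class name, method names and the parse helper are assumptions of this example.

```java
// Added example: verify an XML signature with secure validation on and
// reject remote key-material references. Not the project's own code.
import java.io.InputStream;
import java.security.PublicKey;
import javax.xml.XMLConstants;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public final class SignatureCheck {
    static final String DSIG_NS = XMLSignature.XMLNS;                      // xmldsig core namespace
    static final String DSIG11_NS = "http://www.w3.org/2009/xmldsig11#";   // KeyInfoReference lives here

    // Parse with a factory created here, with DTDs and entity expansion disabled.
    // This hardens our own parsing only; it does not touch Santuario's internal pool.
    static Document parse(InputStream in) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder().parse(in);
    }

    // True when the KeyInfo carries no RetrievalMethod or KeyInfoReference,
    // i.e. nothing that makes the verifier dereference further data.
    static boolean keyInfoIsLocal(Element signature) {
        return signature.getElementsByTagNameNS(DSIG_NS, "RetrievalMethod").getLength() == 0
            && signature.getElementsByTagNameNS(DSIG11_NS, "KeyInfoReference").getLength() == 0;
    }

    // Verify the single ds:Signature in doc against a key we already trust.
    static boolean verify(Document doc, PublicKey key) throws Exception {
        NodeList nl = doc.getElementsByTagNameNS(DSIG_NS, "Signature");
        if (nl.getLength() != 1) {
            return false;                       // zero or several signatures: refuse
        }
        Element sigEl = (Element) nl.item(0);
        if (!keyInfoIsLocal(sigEl)) {
            return false;                       // remote key references are not accepted
        }
        DOMValidateContext ctx = new DOMValidateContext(KeySelector.singletonKeySelector(key), sigEl);
        // JSR-105 name of the secure validation mode the changelog entry refers to:
        // restricts transforms, reference counts and weak algorithms during validation.
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        return sig.validate(ctx);
    }
}
```

The key is supplied out of band by the caller, so KeyInfo contents are never used to select the verification key.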