libowasp-esapi-java (2.4.0.0-0+deb11u1) bullseye-security; urgency=high

  * Team upload.
  * Fix CVE-2022-23457: ESAPI (The OWASP Enterprise Security API) is a free,
    open source, web application security control library. Prior to this
    update the default implementation of
    `Validator.getValidDirectoryPath(String, String, File, boolean)` may
    incorrectly treat the tested input string as a child of the specified
    parent directory. This potentially could allow control-flow bypass checks
    to be defeated if an attack can specify the entire string representing the
    'input' path.
  * Fix CVE-2022-24891: There is a potential for a cross-site scripting
    vulnerability in ESAPI caused by an incorrect regular expression for
    "onsiteURL" in the antisamy-esapi.xml configuration file that can cause
    "javascript:" URLs to fail to be correctly sanitized.
  * Warn about CVE-2025-5878: This issue affects the interface
    Encoder.encodeForSQL of the SQL Injection Defense. An attack leads to an
    improper neutralization of special elements. We are not aware of any
    affected reverse-dependencies in Debian but if you use ESAPI in a
    stand-alone project, you should be aware that the Encoder.encodeForSQL
    method has been deprecated and will be removed eventually. In addition,
    the DB2Codec, MySQLCodec and OracleCodec classes have been deprecated too.
    We recommend carefully assessing whether your project might be affected
    by these classes and methods and whether you have to implement additional
    steps to secure your application. The update does not automatically
    protect you from any potential risks.

 -- Markus Koschany  Mon, 21 Jul 2025 23:10:16 +0200

libowasp-esapi-java (2.4.0.0-2) unstable; urgency=medium

  * Team upload.
  * Replace libservlet3.1-java with libservlet-api-java
  * Drop libowasp-esapi-java-doc (see Debian bug #1028166)
  * Bump Standards-Version to 4.6.2
  * Freshen years in debian/copyright
  * Add lintian overrides for long HTML lines
  * Set Rules-Requires-Root: no in debian/control

 -- tony mancill  Sun, 08 Jan 2023 10:29:05 -0800

libowasp-esapi-java (2.4.0.0-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 2.4.0.0.
    - Fix CVE-2022-23457 and CVE-2022-24891 and a potential DoS vulnerability
      (CVE-2022-28366). (Closes: #1010339)
      Thanks to Neil Williams for the report.
  * Drop servlet-api.patch because it is no longer required.
  * Use canonical VCS URI.

 -- Markus Koschany  Fri, 29 Apr 2022 15:30:01 +0200

libowasp-esapi-java (2.2.3.1-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 2.2.3.1.
  * Switch to debhelper-compat = 13.
  * Declare compliance with Debian Policy 4.6.0.
  * Switch to commons-collections 4.
  * Rebase 01-servlet-api-compatibility.patch

 -- Markus Koschany  Tue, 12 Oct 2021 15:27:54 +0200

libowasp-esapi-java (2.1.0-3) unstable; urgency=medium

  * Team upload.
  * Transition to the Servlet API 3.1 (Closes: #801021)
  * Build with the DH sequencer instead of CDBS
  * Standards-Version updated to 3.9.8 (no changes)
  * Use secure Vcs-* URLs

 -- Emmanuel Bourg  Mon, 20 Jun 2016 17:06:57 +0200

libowasp-esapi-java (2.1.0-2) unstable; urgency=low

  * This version to be for unstable
  * Put into git (and add appropriate headers to debian/control)
  * Note the 2 Apache-2.0 licensed files

 -- Matthew Vernon  Thu, 29 May 2014 18:27:31 +0100

libowasp-esapi-java (2.1.0-1) experimental; urgency=low

  * Initial release (closes: #741416)
  * This is (indirectly) a dependency of the Shibboleth IdP

 -- Matthew Vernon  Wed, 19 Feb 2014 16:24:11 +0000