-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 23 Sep 2021 23:29:16 +0200
Source: libxml-security-java
Architecture: source
Version: 2.1.7-1
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Closes: 935548 994569
Changes:
 libxml-security-java (2.1.7-1) unstable; urgency=high
 .
   * Team upload.
   * New upstream version 2.1.7.
     - Fix CVE-2019-12400: In version 2.0.3 Apache Santuario XML Security for
       Java, a caching mechanism was introduced to speed up creating new XML
       documents using a static pool of DocumentBuilders. However, if some
       untrusted code can register a malicious implementation with the thread
       context class loader first, then this implementation might be cached and
       re-used by Apache Santuario - XML Security for Java, leading to potential
       security flaws when validating signed documents, etc. The vulnerability
       affects Apache Santuario - XML Security for Java 2.0.x releases from
       2.0.3 and all 2.1.x releases before 2.1.4. (Closes: #935548)
     - Fix CVE-2021-40690: All versions of Apache Santuario - XML Security for
       Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the
       "secureValidation" property is not passed correctly when creating a
       KeyInfo from a KeyInfoReference element. This allows an attacker to abuse
       an XPath Transform to extract any local .xml files in a RetrievalMethod
       element. (Closes: #994569)
   * Switch to debhelper-compat = 13.
   * Declare compliance with Debian Policy 4.6.0.
   * Drop 0001-Recover-old-API-for-libitext5-java.patch. This appears to work
     now.
   * Add no-errorprone.patch and ignore errorprone core artifact.
   * Update debian/watch and detect new releases on github.com.
   * Remove old orig-tar.sh script and use the Files-Excluded mechanism
     instead.
Checksums-Sha1:
 9b8026996bacd5ea0012d1cac5133847d5d44a84 2707 libxml-security-java_2.1.7-1.dsc
 4e4c7760c56406679c51263559158f4daf52df29 754192 libxml-security-java_2.1.7.orig.tar.xz
 877b7a1105dbbd165f935ff5b90b717a253e395f 5824 libxml-security-java_2.1.7-1.debian.tar.xz
 ac15866c3822923ba84d5e8b29944c0956a3465c 17097 libxml-security-java_2.1.7-1_amd64.buildinfo
Checksums-Sha256:
 e8141eb120d087bcfe15c71947549ba508e923287d29adf478eb4c369df71f52 2707 libxml-security-java_2.1.7-1.dsc
 3ae6295caf43d9376e132b3d2fdea7c5a7af4a3c82554c257fc9b55426b2d6ee 754192 libxml-security-java_2.1.7.orig.tar.xz
 f370b63dff0ce82be0ba01391d885304cc13846b97e325edf78a8e4a12c1056d 5824 libxml-security-java_2.1.7-1.debian.tar.xz
 987cafe5faa3d8fb168b316b341e5bbc8ebc88f148e814e21ebd4e1e515e7be7 17097 libxml-security-java_2.1.7-1_amd64.buildinfo
Files:
 94b5120e0ef8c007304ede73e324ae43 2707 java optional libxml-security-java_2.1.7-1.dsc
 3da3ddcfe27e498fe4b79dce9a4cd9e9 754192 java optional libxml-security-java_2.1.7.orig.tar.xz
 d38b59c37c7da582adc2bcd430bc55a3 5824 java optional libxml-security-java_2.1.7-1.debian.tar.xz
 468296c75711a30ce044f6c9b858bf75 17097 java optional libxml-security-java_2.1.7-1_amd64.buildinfo