Bug#1015860: libxalan2-java: CVE-2022-34169

Markus Koschany apo at debian.org
Thu Oct 13 20:36:09 BST 2022


Hi,

I just had a go at this issue and I discovered that libxalan2-java in Debian is
not affected but rather bcel.

https://tracker.debian.org/pkg/bcel

The fixing commit in OpenJDK addresses the same code which is nowhere to be
found in libxalan2-java but is present in bcel. The bcel upstream commit can be
found at

https://github.com/apache/commons-bcel/commit/f3267cbcc900f80851d561bdd16b239d936947f5


I suggest reassigning the bug to bcel. I agree that libxalan2-java should be
retired eventually. It is required by quite a few reverse-dependencies though,
and it may take some time to achieve that. In theory everything should work
without the library, because the code is in OpenJDK already?

I am not sure if we should request to clarify the CVE description or at least
post on oss-security to make other people aware of it. I assume the official
xalan2 release ships an internal copy of bcel and that might be the reason for
the confusion.

Regards,

Markus