Bug#1015860: libxalan2-java: CVE-2022-34169

Moritz Mühlenhoff jmm at inutil.org
Fri Oct 14 19:25:02 BST 2022


On Thu, Oct 13, 2022 at 09:36:09PM +0200, Markus Koschany wrote:
> Hi,
> 
> I just had a go at this issue and I discovered that libxalan2-java in Debian is
> not affected but rather bcel.
> 
> https://tracker.debian.org/pkg/bcel
> 
> The fixing commit in OpenJDK addresses the same code which is nowhere to be
> found in libxalan2-java but is present in bcel. The bcel upstream commit can be
> found at
> 
> https://github.com/apache/commons-bcel/commit/f3267cbcc900f80851d561bdd16b239d936947f5
> 
> 
> I suggest reassigning the bug to bcel. I agree that libxalan2-java should be
> retired eventually. It is required by quite a few reverse-dependencies though
> and it may take some time to achieve that. In theory everything should work
> without the library, because the code is in OpenJDK already?

Nice find!

> I am not sure if we should request to clarify the CVE description or at least
> post on oss-security to make other people aware of it. I assume the official
> xalan2 release ships an internal copy of bcel and that might be the reason for
> the confusion.

Yeah, I think it would be best if you were to post to oss-security about this,
then this can be picked up as a public reference to other distros (and the
URL in the list archives could be used to challenge/update the CVE ID).

Cheers,
        Moritz
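The triage step the thread describes (finding out which installed jar actually ships the BCEL code that the OpenJDK and commons-bcel fixes touch) can be scripted. The following is an added example for this archive page, not code from the thread, from Debian or from either upstream project; it assumes the unrelocated commons-bcel package prefix org/apache/bcel/ and the relocated prefix com/sun/org/apache/bcel/internal/ that OpenJDK uses for its bundled copy, and it checks for the ConstantPoolGen class that the linked bcel commit modifies. The jars it scans in demo mode are constructed in a temporary directory to mirror the finding in the thread; on a real system you would point it at /usr/share/java/*.jar instead.

```python
"""Check which jars on a system actually ship BCEL's ConstantPoolGen.

Added example, not part of the mailing-list thread. It assumes the
unrelocated BCEL package prefix org/apache/bcel/ and the relocated copy
OpenJDK keeps under com/sun/org/apache/bcel/internal/; any other
relocation prefix would have to be added to BCEL_PREFIXES.
"""
import os
import tempfile
import zipfile

BCEL_PREFIXES = (
    "org/apache/bcel/",                   # upstream commons-bcel package
    "com/sun/org/apache/bcel/internal/",  # OpenJDK's bundled, relocated copy
)

# Class touched by the upstream commons-bcel fix linked in the thread.
CONSTANT_POOL_GEN = "generic/ConstantPoolGen.class"


def bcel_classes_in_jar(jar_path):
    """Return the sorted list of BCEL class entries in one jar (empty if none)."""
    found = []
    with zipfile.ZipFile(jar_path) as zf:
        for name in zf.namelist():
            if name.endswith(".class") and name.startswith(BCEL_PREFIXES):
                found.append(name)
    return sorted(found)


def jars_with_constant_pool_gen(jar_paths):
    """Map jar path -> ConstantPoolGen entries found in it (bundled or relocated).

    A jar listed here carries the code the BCEL fix changed; a jar that is
    absent (like Debian's libxalan2-java jar, per the thread) is not where
    the fix needs to land.
    """
    result = {}
    for path in jar_paths:
        hits = [c for c in bcel_classes_in_jar(path) if c.endswith(CONSTANT_POOL_GEN)]
        if hits:
            result[path] = hits
    return result


def build_sample_jar(path, entries):
    """Write a constructed jar containing the given entries (empty bodies).

    Constructed for the demo only; real jars come from /usr/share/java.
    """
    with zipfile.ZipFile(path, "w") as zf:
        for name in entries:
            zf.writestr(name, b"")
    return path


def demo():
    """Build three constructed jars and report which ones ship ConstantPoolGen.

    Returns {jar basename: [matching entries]} so the result is path independent.
    """
    with tempfile.TemporaryDirectory() as d:
        xalan = build_sample_jar(os.path.join(d, "xalan2.jar"), [
            "META-INF/MANIFEST.MF",
            "org/apache/xalan/xsltc/compiler/XSLTC.class",   # XSLTC without bundled BCEL
        ])
        bcel = build_sample_jar(os.path.join(d, "bcel.jar"), [
            "META-INF/MANIFEST.MF",
            "org/apache/bcel/Const.class",
            "org/apache/bcel/generic/ConstantPoolGen.class",
        ])
        relocated = build_sample_jar(os.path.join(d, "relocated-bcel.jar"), [
            "com/sun/org/apache/bcel/internal/generic/ConstantPoolGen.class",
        ])
        hits = jars_with_constant_pool_gen([xalan, bcel, relocated])
        return {os.path.basename(p): v for p, v in hits.items()}


if __name__ == "__main__":
    import sys
    if sys.argv[1:]:
        for jar, hits in jars_with_constant_pool_gen(sys.argv[1:]).items():
            print(jar, hits)
    else:
        for jar, hits in demo().items():
            print(jar, hits)
```

Run it with a list of jar paths to scan real files; with no arguments it runs the constructed demo. The check matches on the class path inside the jar only, so a jar that relocates BCEL under a prefix other than the two assumed above would be missed; extend BCEL_PREFIXES if a distribution does that.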



More information about the pkg-java-maintainers mailing list