[From nobody Sun May 10 10:37:05 2026 Received: (at submit) by bugs.debian.org; 22 Dec 2023 13:38:23 +0000 X-Spam-Checker-Version: SpamAssassin 3.4.6-bugs.debian.org_2005_01_02 (2021-04-09) on buxtehude.debian.org X-Spam-Level: X-Spam-Status: No, score=-3.8 required=4.0 tests=BAYES_00,RCVD_IN_DNSWL_LOW, SPF_HELO_NONE,SPF_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6-bugs.debian.org_2005_01_02 X-Spam-Bayes: score:0.0000 Tokens: new, 26; hammy, 150; neutral, 49; spammy, 0. spammytokens: hammytokens:0.000-+--H*RU:inutil.org, 0.000-+--H*r:jmm, 0.000-+--UD:security-tracker.debian.org, 0.000-+--security-tracker.debian.org, 0.000-+--securitytrackerdebianorg Return-path: <jmm@inutil.org> Received: from inutil.org ([109.69.64.57]:42906 helo=viruvalge.hosting.plutex.de) by buxtehude.debian.org with esmtps (TLS1.3:ECDHE_X25519__RSA_PSS_RSAE_SHA256__AES_256_GCM:256) (Exim 4.94.2) (envelope-from <jmm@inutil.org>) id 1rGfjJ-009v7X-LD for submit@bugs.debian.org; Fri, 22 Dec 2023 13:38:23 +0000 Received: by viruvalge.hosting.plutex.de (Postfix, from userid 112) id D1D3E403DB; Fri, 22 Dec 2023 14:38:19 +0100 (CET) Received: from hullmann.fritz.box (p548dc64c.dip0.t-ipconnect.de [84.141.198.76]) by viruvalge.hosting.plutex.de (Postfix) with ESMTPSA id 8320C40240 for <submit@bugs.debian.org>; Fri, 22 Dec 2023 14:38:19 +0100 (CET) Received: from jmm by hullmann.fritz.box with local (Exim 4.96) (envelope-from <jmm@hullmann.westfalen.local>) id 1rGfjH-0005OP-0t for submit@bugs.debian.org; Fri, 22 Dec 2023 14:38:19 +0100 Date: Fri, 22 Dec 2023 14:38:19 +0100 To: submit@bugs.debian.org Subject: libxml-security-java: CVE-2023-44483 Message-ID: <ZYWRS9o86IwnCiuN@pisco.westfalen.local> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit From: =?UTF-8?Q?Moritz_M=C3=BChlenhoff?= <jmm@inutil.org> Delivered-To: submit@bugs.debian.org Source: libxml-security-java X-Debbugs-CC: team@security.debian.org Severity: important Tags: security Hi, The following vulnerability was published for libxml-security-java. CVE-2023-44483[0]: | All versions of Apache Santuario - XML Security for Java prior to | 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable | to an issue where a private key may be disclosed in log files when | generating an XML Signature and logging with debug level is | enabled. Users are recommended to upgrade to version 2.2.6, 2.3.4, | or 3.0.3, which fixes this issue. https://www.openwall.com/lists/oss-security/2023/10/20/5 https://lists.apache.org/thread/vmqbp9mfxtrf0kmbnnmbn3h9j6dr9q55 https://santuario.apache.org/secadv.data/CVE-2023-44483.txt.asc If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2023-44483 https://www.cve.org/CVERecord?id=CVE-2023-44483 Please adjust the affected versions in the BTS as needed. ]