[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2022-41842,libcommons-jxpath-java: Link to proposed upstream changes
Markus Koschany (@apo)
apo at debian.org
Thu Oct 27 17:42:48 BST 2022
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits:
83af9505 by Markus Koschany at 2022-10-27T18:34:48+02:00
CVE-2022-41842,libcommons-jxpath-java: Link to proposed upstream changes
The upstream discussion is ongoing. They intend to implement either a whitelist
or a blacklist. Maven requires jxpath as a build-dependency. We should wait for
the outcome of that discussion
- - - - -
4c46ba1e by Markus Koschany at 2022-10-27T18:42:12+02:00
Add libcommons-jxpath-java to dla-needed.txt
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -5178,6 +5178,8 @@ CVE-2022-41853 (Those using java.sql.Statement or java.sql.PreparedStatement in
CVE-2022-41852 (Those using JXPath to interpret untrusted XPath expressions may be vul ...)
- libcommons-jxpath-java <unfixed>
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47133
+ NOTE: https://github.com/apache/commons-jxpath/pull/25
+ NOTE: https://github.com/apache/commons-jxpath/pull/26
CVE-2022-41851 (A vulnerability has been identified in JTTK (All versions < V11.1.1 ...)
NOT-FOR-US: JTTK
CVE-2022-41836 (When an 'Attack Signature False Positive Mode' enabled security policy ...)
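Review bot: The two added NOTE lines sit under the CVE-2022-41852 entry, but the commit subject names CVE-2022-41842, so the subject and the changed entry disagree. If CVE-2022-41852 is the intended entry, the subject should be corrected so that a search of the history by CVE id finds this change. The bare pull request URLs also do not say that these are proposed, unmerged changes still under discussion; a short annotation on each NOTE line would make that status visible in data/CVE/list without reading the commit message.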
=====================================
data/dla-needed.txt
=====================================
@@ -98,6 +98,10 @@ kopanocore
NOTE: 20220801: Programming language: C++.
NOTE: 20220811: Proposed a patch to CVE-2022-26562 (#1016973)
--
+libcommons-jxpath-java
+ NOTE: 20221027: Programming language: Java.
+ NOTE: 20221027: Maintainer notes: Wait for the outcome of upstream discussion. See CVE-2022-41852 for pull requests.
+--
libreoffice
NOTE: 20221012: Programming language: C++.
--
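Review bot: The maintainer note on the added libcommons-jxpath-java entry points to "CVE-2022-41852 for pull requests" without naming them, so a reader of dla-needed.txt has to open data/CVE/list to learn what is being waited on. Consider citing the two pull requests (apache/commons-jxpath 25 and 26) directly in the note. The commit message gives the reason for waiting, that Maven requires jxpath as a build-dependency, and that reason would be useful in the note as well since it explains why the fix should not be rushed.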
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/257634c3285ad3cb989508e20d4703e596835672...4c46ba1ef93f6027787ca6fba7577590eb6f91f5