[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2022-41842,libcommons-jxpath-java: Link to proposed upstream changes

Markus Koschany (@apo) apo at debian.org
Thu Oct 27 17:42:48 BST 2022 


Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker


Commits:
83af9505 by Markus Koschany at 2022-10-27T18:34:48+02:00
CVE-2022-41842,libcommons-jxpath-java: Link to proposed upstream changes

The upstream discussion is ongoing. They intend to implement either a whitelist
or a blacklist. Maven requires jxpath as a build-dependency. We should wait for
the outcome of that discussion

- - - - -
4c46ba1e by Markus Koschany at 2022-10-27T18:42:12+02:00
Add libcommons-jxpath-java to dla-needed.txt

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -5178,6 +5178,8 @@ CVE-2022-41853 (Those using java.sql.Statement or java.sql.PreparedStatement in
 CVE-2022-41852 (Those using JXPath to interpret untrusted XPath expressions may be vul ...)
 	- libcommons-jxpath-java <unfixed>
 	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47133
+	NOTE: https://github.com/apache/commons-jxpath/pull/25
+	NOTE: https://github.com/apache/commons-jxpath/pull/26
 CVE-2022-41851 (A vulnerability has been identified in JTTK (All versions < V11.1.1 ...)
 	NOT-FOR-US: JTTK
 CVE-2022-41836 (When an 'Attack Signature False Positive Mode' enabled security policy ...)


=====================================
data/dla-needed.txt
=====================================
@@ -98,6 +98,10 @@ kopanocore
   NOTE: 20220801: Programming language: C++.
   NOTE: 20220811: Proposed a patch to CVE-2022-26562 (#1016973)
 --
+libcommons-jxpath-java
+  NOTE: 20221027: Programming language: Java.
+  NOTE: 20221027: Maintainer notes: Wait for the outcome of upstream discussion. See CVE-2022-41852 for pull requests.
+--
 libreoffice
   NOTE: 20221012: Programming language: C++.
 --



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/257634c3285ad3cb989508e20d4703e596835672...4c46ba1ef93f6027787ca6fba7577590eb6f91f5

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/257634c3285ad3cb989508e20d4703e596835672...4c46ba1ef93f6027787ca6fba7577590eb6f91f5
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20221027/ff66f5fd/attachment.htm>

More information about the debian-security-tracker-commits mailing list