Bug#1112671: trixie-pu: package libcommons-lang-java/2.6-10+deb13u1
Daniel Leidert
dleidert at debian.org
Sun Aug 31 19:16:27 BST 2025
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: libcommons-lang-java at packages.debian.org
Control: affects -1 + src:libcommons-lang-java
User: release.debian.org at packages.debian.org
Usertags: pu
[ Reason ]
This upload attempts to fix CVE-2025-48924, an uncontrolled recursion
vulnerability that can lead to a StackOverflowError, for users of Debian
Trixie.
[ Impact ]
If the update is not approved, users might be affected by CVE-2025-48924.
[ Tests ]
The patch adds a new test to check if the fix is successful. I also did some
successful manual testing.
[ Risks ]
There is the risk of regression. But the patch is rather small and tested.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
The patch uses (a backported) rewrite that avoids the recursion.
[ Other info ]
The issue has been fixed in LTS/ELTS as well.