Bug#1136092: trixie-pu: package libxml-security-java/2.1.8-1.1~deb13u1

Adrian Bunk bunk at debian.org
Sat May 9 13:47:58 BST 2026 

Package: release.debian.org
Severity: normal
Tags: security
X-Debbugs-Cc: libxml-security-java at packages.debian.org, security at debian.org
Control: affects -1 + src:libxml-security-java
User: release.debian.org at packages.debian.org
Usertags: pu

  * CVE-2023-44483: Private Key disclosure in debug-log output
    (Closes: #1059313)
-------------- next part --------------
diffstat for libxml-security-java-2.1.8 libxml-security-java-2.1.8

 changelog                               |   15 +++++++++++++++
 patches/0001-Logging-improvements.patch |   24 ++++++++++++++++++++++++
 patches/series                          |    1 +
 3 files changed, 40 insertions(+)

diff -Nru libxml-security-java-2.1.8/debian/changelog libxml-security-java-2.1.8/debian/changelog
--- libxml-security-java-2.1.8/debian/changelog	2024-01-03 16:36:06.000000000 +0200
+++ libxml-security-java-2.1.8/debian/changelog	2026-05-09 15:43:44.000000000 +0300
@@ -1,3 +1,18 @@
+libxml-security-java (2.1.8-1.1~deb13u1) trixie; urgency=medium
+
+  * Non-maintainer upload.
+  * Rebuild for trixie.
+
+ -- Adrian Bunk <bunk at debian.org>  Sat, 09 May 2026 15:43:44 +0300
+
+libxml-security-java (2.1.8-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2023-44483: Private Key disclosure in debug-log output
+    (Closes: #1059313)
+
+ -- Adrian Bunk <bunk at debian.org>  Thu, 07 May 2026 14:46:58 +0300
+
 libxml-security-java (2.1.8-1) unstable; urgency=medium
 
   * Removed the -java-doc package
diff -Nru libxml-security-java-2.1.8/debian/patches/0001-Logging-improvements.patch libxml-security-java-2.1.8/debian/patches/0001-Logging-improvements.patch
--- libxml-security-java-2.1.8/debian/patches/0001-Logging-improvements.patch	1970-01-01 02:00:00.000000000 +0200
+++ libxml-security-java-2.1.8/debian/patches/0001-Logging-improvements.patch	2026-05-07 14:46:31.000000000 +0300
@@ -0,0 +1,24 @@
+From acd0d1e92e7c96b70c4fa19e74640b89cacf77dd Mon Sep 17 00:00:00 2001
+From: Sean Mullan <sean.mullan at oracle.com>
+Date: Fri, 6 Oct 2023 09:40:14 -0400
+Subject: Logging improvements.
+
+---
+ .../org/apache/jcp/xml/dsig/internal/dom/DOMSignatureMethod.java | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMSignatureMethod.java b/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMSignatureMethod.java
+index ce2e5445..5570427c 100644
+--- a/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMSignatureMethod.java
++++ b/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMSignatureMethod.java
+@@ -296,7 +296,6 @@ public abstract class DOMSignatureMethod extends AbstractDOMSignatureMethod {
+         }
+         signature.initSign((PrivateKey)key);
+         LOG.debug("Signature provider: {}", signature.getProvider());
+-        LOG.debug("Signing with key: {}", key);
+         LOG.debug("JCA Algorithm: {}", getJCAAlgorithm());
+ 
+         try (SignerOutputStream outputStream = new SignerOutputStream(signature)) {
+-- 
+2.47.3
+
diff -Nru libxml-security-java-2.1.8/debian/patches/series libxml-security-java-2.1.8/debian/patches/series
--- libxml-security-java-2.1.8/debian/patches/series	2024-01-03 15:56:29.000000000 +0200
+++ libxml-security-java-2.1.8/debian/patches/series	2026-05-07 14:46:58.000000000 +0300
@@ -1,3 +1,4 @@
 no-errorprone.patch
 exclude-tests.patch
 remove-XMLUtilsPerformanceTest.java.patch
+0001-Logging-improvements.patch

More information about the pkg-java-maintainers mailing list