libxml-security-java: CVE-2021-40690

Related Vulnerabilities: CVE-2021-40690   CVE-2019-12400  

Debian Bug report logs - #994569


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 17 Sep 2021 19:54:01 UTC

Severity: grave

Tags: security, upstream

Found in version libxml-security-java/2.0.10-2

Fixed in version libxml-security-java/2.1.7-1

Done: Markus Koschany <apo@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#994569; Package src:libxml-security-java. (Fri, 17 Sep 2021 19:54:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Fri, 17 Sep 2021 19:54:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libxml-security-java: CVE-2021-40690
Date: Fri, 17 Sep 2021 21:51:50 +0200
Source: libxml-security-java
Version: 2.0.10-2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for libxml-security-java.

CVE-2021-40690[0]:
| Bypass of the secureValidation property

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-40690
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40690
[1] https://santuario.apache.org/secadv.data/CVE-2021-40690.txt.asc

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Reply sent to Markus Koschany <apo@debian.org>:
You have taken responsibility. (Thu, 23 Sep 2021 22:21:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 23 Sep 2021 22:21:05 GMT)


Message #10 received at 994569-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 994569-close@bugs.debian.org
Subject: Bug#994569: fixed in libxml-security-java 2.1.7-1
Date: Thu, 23 Sep 2021 22:18:39 +0000
Source: libxml-security-java
Source-Version: 2.1.7-1
Done: Markus Koschany <apo@debian.org>

We believe that the bug you reported is fixed in the latest version of
libxml-security-java, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 994569@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <apo@debian.org> (supplier of updated libxml-security-java package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 23 Sep 2021 23:29:16 +0200
Source: libxml-security-java
Architecture: source
Version: 2.1.7-1
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Closes: 935548 994569
Changes:
 libxml-security-java (2.1.7-1) unstable; urgency=high
 .
   * Team upload.
   * New upstream version 2.1.7.
     - Fix CVE-2019-12400:
       In version 2.0.3 Apache Santuario XML Security for Java, a caching
       mechanism was introduced to speed up creating new XML documents using a
       static pool of DocumentBuilders. However, if some untrusted code can
       register a malicious implementation with the thread context class loader
       first, then this implementation might be cached and re-used by Apache
       Santuario - XML Security for Java, leading to potential security flaws
       when validating signed documents, etc. The vulnerability affects Apache
       Santuario - XML Security for Java 2.0.x releases from 2.0.3 and all 2.1.x
       releases before 2.1.4.
       (Closes: #935548)
     - Fix CVE-2021-40690:
       All versions of Apache Santuario - XML Security for Java prior to 2.2.3
       and 2.1.7 are vulnerable to an issue where the "secureValidation"
       property is not passed correctly when creating a KeyInfo from a
       KeyInfoReference element. This allows an attacker to abuse an XPath
       Transform to extract any local .xml files in a RetrievalMethod element.
       (Closes: #994569)
   * Switch to debhelper-compat = 13.
   * Declare compliance with Debian Policy 4.6.0.
   * Drop 0001-Recover-old-API-for-libitext5-java.patch. This appears to work
     now.
   * Add no-errorprone.patch and ignore errorprone core artifact.
   * Update debian/watch and detect new releases on github.com.
   * Remove old orig-tar.sh script and use the Files-Excluded mechanism instead.
Checksums-Sha1:
 9b8026996bacd5ea0012d1cac5133847d5d44a84 2707 libxml-security-java_2.1.7-1.dsc
 4e4c7760c56406679c51263559158f4daf52df29 754192 libxml-security-java_2.1.7.orig.tar.xz
 877b7a1105dbbd165f935ff5b90b717a253e395f 5824 libxml-security-java_2.1.7-1.debian.tar.xz
 ac15866c3822923ba84d5e8b29944c0956a3465c 17097 libxml-security-java_2.1.7-1_amd64.buildinfo
Checksums-Sha256:
 e8141eb120d087bcfe15c71947549ba508e923287d29adf478eb4c369df71f52 2707 libxml-security-java_2.1.7-1.dsc
 3ae6295caf43d9376e132b3d2fdea7c5a7af4a3c82554c257fc9b55426b2d6ee 754192 libxml-security-java_2.1.7.orig.tar.xz
 f370b63dff0ce82be0ba01391d885304cc13846b97e325edf78a8e4a12c1056d 5824 libxml-security-java_2.1.7-1.debian.tar.xz
 987cafe5faa3d8fb168b316b341e5bbc8ebc88f148e814e21ebd4e1e515e7be7 17097 libxml-security-java_2.1.7-1_amd64.buildinfo
Files:
 94b5120e0ef8c007304ede73e324ae43 2707 java optional libxml-security-java_2.1.7-1.dsc
 3da3ddcfe27e498fe4b79dce9a4cd9e9 754192 java optional libxml-security-java_2.1.7.orig.tar.xz
 d38b59c37c7da582adc2bcd430bc55a3 5824 java optional libxml-security-java_2.1.7-1.debian.tar.xz
 468296c75711a30ce044f6c9b858bf75 17097 java optional libxml-security-java_2.1.7-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmFM+B1fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp
YW4ub3JnAAoJENmtFLlRO1Hk0fEQAKc6uytNcwI6v/vJn34oRMW6RmI7x2udWU18
6yaPTqRgpdu8P8/k6iCQv/48gUdAM+qKHBTulqcsoP4+cByK0X4pX+KoCqpxt+V0
oa+6jJj8Zjo9Vj14pREBfTXUg+rgZWXwc1+qMthVqSHaHQYCvsmi6kwsS2aHWnMP
RRwsp3yGU+ys3quj62gCusuZ0CS3AygFAApnB7m342GoXY2V9jPVkMRuVqgXGV++
seVmFRrBil4MMjIUcd7iz1Trm6TeaFblGM/DeD1vr0W0fEG9fqLOry4LQWmMc3oS
f1/L1PYy03URGR3LriT7pRIsbKVRgxxhN4TlHh++4uAzQpXSef7LRr7AxQc4rCsk
B7le3UtawXzHf6mSHevxX7Pp8osiBtNj4Tm3StjLt9+jrxQcEpwXSK6qimR7T7Pe
Bt1EUY3ftGkbmL3nxRIQrt91hb2MYieLUzbwslWnfF26ypdzDeVfOr3vXoTOKiN+
VF45JgEBOdI5Ugqvzpn44NYhoIbxCBCULIBwoWYiutAjpvIlx2KP/cZbqlVU5+X+
hj/IXLGOZW9ZbaWqIGRqZZK7t1qhVrbQYoAyUapVIHQ2DXbQblygjLUq92b9Tjb+
YgC86iqa+4nFHQYMXobRGAQh4JkjOWM9G6cqbYsgo02qfUnceikuWNOSYylVI4AR
bNnbTOHE
=uAaY
-----END PGP SIGNATURE-----
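The changelog above ties CVE-2021-40690 to two things: the secureValidation flag did not reach a KeyInfo built from a KeyInfoReference, and inside that unprotected KeyInfo a RetrievalMethod could fetch a local .xml file and run an XPath transform over it. The following is an added example written for this page, not code from Apache Santuario or from the Debian package: a stand-alone Python audit that walks a signature's KeyInfo, follows same-document KeyInfoReference hops the way a verifier would, and reports RetrievalMethod entries that fetch outside the document or carry an XPath transform, so a receiver can reject such a document before handing it to a library that may still be unpatched. The sample XML document, the file path, the Id values and the function names are all constructed for illustration.

```python
"""Added example (not Santuario's or Debian's code): static audit of XML-DSig
KeyInfo for the constructs behind CVE-2021-40690, following same-document
KeyInfoReference hops. Sample document, Id values and path are constructed."""
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
DS11 = "http://www.w3.org/2009/xmldsig11#"

# Transform algorithms that evaluate XPath chosen by whoever wrote the signature.
XPATH_TRANSFORMS = {
    "http://www.w3.org/TR/1999/REC-xpath-19991116",  # XPath 1.0 transform
    "http://www.w3.org/2002/06/xmldsig-filter2",     # XPath Filter 2.0
}


def q(ns, local):
    """Clark-notation tag name used by ElementTree."""
    return "{%s}%s" % (ns, local)


def build_id_map(root):
    """Map Id attribute values to elements so '#id' references can be resolved."""
    return {el.get("Id"): el for el in root.iter() if el.get("Id")}


def audit_keyinfo(keyinfo, id_map, via="", seen=None):
    """Return (element, hop_path, problem) tuples for one KeyInfo, recursing
    through same-document KeyInfoReference hops exactly as a verifier would."""
    seen = set() if seen is None else seen
    findings = []
    for rm in keyinfo.iter(q(DS, "RetrievalMethod")):
        uri = rm.get("URI", "")
        if uri and not uri.startswith("#"):          # file:, http:, ... leave the document
            findings.append(("RetrievalMethod", via, "external URI: " + uri))
        for tr in rm.iter(q(DS, "Transform")):
            alg = tr.get("Algorithm", "")
            if alg in XPATH_TRANSFORMS:
                findings.append(("RetrievalMethod", via, "XPath transform: " + alg))
    for kr in keyinfo.iter(q(DS11, "KeyInfoReference")):
        uri = kr.get("URI", "")
        if not uri.startswith("#"):
            findings.append(("KeyInfoReference", via, "missing or external URI: " + uri))
            continue
        target = id_map.get(uri[1:])
        if target is None or target.tag != q(DS, "KeyInfo"):
            findings.append(("KeyInfoReference", via, "unresolvable or non-KeyInfo target: " + uri))
            continue
        if uri in seen:                              # guard against reference loops
            findings.append(("KeyInfoReference", via, "reference cycle: " + uri))
            continue
        seen.add(uri)
        findings.extend(audit_keyinfo(target, id_map, via + uri, seen))
    return findings


def audit_document(xml_text):
    """Audit the direct KeyInfo child of every Signature in the document.
    Anything returned is what a verifier with secureValidation should refuse."""
    root = ET.fromstring(xml_text)
    id_map = build_id_map(root)
    findings = []
    for sig in root.iter(q(DS, "Signature")):
        ki = sig.find(q(DS, "KeyInfo"))
        if ki is not None:
            findings.extend(audit_keyinfo(ki, id_map))
    return findings


# Constructed sample: the outer KeyInfo only carries a KeyInfoReference; the
# RetrievalMethod with a local file URI and an XPath transform sits in the
# referenced KeyInfo inside ds:Object. The file path is hypothetical.
SAMPLE = """<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"
           xmlns:dsig11="http://www.w3.org/2009/xmldsig11#">
  <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <Reference URI="">
      <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
      <DigestValue>AAAA</DigestValue>
    </Reference>
  </SignedInfo>
  <SignatureValue>AAAA</SignatureValue>
  <KeyInfo>
    <dsig11:KeyInfoReference URI="#ki2"/>
  </KeyInfo>
  <Object>
    <KeyInfo Id="ki2">
      <RetrievalMethod URI="file:///etc/example/keys.xml"
                       Type="http://www.w3.org/2000/09/xmldsig#X509Data">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
            <XPath>//*</XPath>
          </Transform>
        </Transforms>
      </RetrievalMethod>
    </KeyInfo>
  </Object>
</Signature>
"""

if __name__ == "__main__":
    for finding in audit_document(SAMPLE):
        print(finding)
```

On the sample the audit reports two findings, both reached only through the `#ki2` hop: the external file URI and the XPath transform. Auditing only the outer KeyInfo would report nothing, which is the shape of the bug the advisory describes; a receiver that follows the reference itself does not depend on the library passing the flag along.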






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Oct 1 14:17:21 2021; Machine Name: buxtehude
