Your message dated Fri, 08 May 2026 11:34:12 +0000
with message-id <[email protected]>
and subject line Bug#1059313: fixed in libxml-security-java 2.1.8-1.1
has caused the Debian Bug report #1059313,
regarding libxml-security-java: CVE-2023-44483
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1059313: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059313
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libxml-security-java
X-Debbugs-CC: [email protected]
Severity: important
Tags: security
Hi,
The following vulnerability was published for libxml-security-java.
CVE-2023-44483[0]:
| All versions of Apache Santuario - XML Security for Java prior to
| 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable
| to an issue where a private key may be disclosed in log files when
| generating an XML Signature and logging with debug level is
| enabled. Users are recommended to upgrade to version 2.2.6, 2.3.4,
| or 3.0.3, which fixes this issue.
https://www.openwall.com/lists/oss-security/2023/10/20/5
https://lists.apache.org/thread/vmqbp9mfxtrf0kmbnnmbn3h9j6dr9q55
https://santuario.apache.org/secadv.data/CVE-2023-44483.txt.asc
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-44483
https://www.cve.org/CVERecord?id=CVE-2023-44483
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: libxml-security-java
Source-Version: 2.1.8-1.1
Done: Adrian Bunk <[email protected]>
We believe that the bug you reported is fixed in the latest version of
libxml-security-java, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Adrian Bunk <[email protected]> (supplier of updated libxml-security-java package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 07 May 2026 14:46:58 +0300
Source: libxml-security-java
Architecture: source
Version: 2.1.8-1.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Adrian Bunk <[email protected]>
Closes: 1059313
Changes:
libxml-security-java (2.1.8-1.1) unstable; urgency=medium
.
* Non-maintainer upload.
* CVE-2023-44483: Private Key disclosure in debug-log output
(Closes: #1059313)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---