I've been investigating this issue as well. I contacted an upstream developer and it seems the actual fix for this issue is unknown. The version 3.2.0 was just reported as not vulnerable by the security researched who discovered this issue.
I can prepare an upgrade to the latest 3.2.x version but this will at least require libhibernate-validator-java to be unblocked as well. Emmanuel Bourg -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected] Archive: https://lists.debian.org/[email protected]
