Your message dated Sat, 16 May 2026 10:23:17 +0000
with message-id <[email protected]>
and subject line Released with 13.5
has caused the Debian Bug report #1136092,
regarding trixie-pu: package libxml-security-java/2.1.8-1.1~deb13u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1136092: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136092
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: security
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:libxml-security-java
User: [email protected]
Usertags: pu
* CVE-2023-44483: Private Key disclosure in debug-log output
(Closes: #1059313)
diffstat for libxml-security-java-2.1.8 libxml-security-java-2.1.8
changelog | 15 +++++++++++++++
patches/0001-Logging-improvements.patch | 24 ++++++++++++++++++++++++
patches/series | 1 +
3 files changed, 40 insertions(+)
diff -Nru libxml-security-java-2.1.8/debian/changelog
libxml-security-java-2.1.8/debian/changelog
--- libxml-security-java-2.1.8/debian/changelog 2024-01-03 16:36:06.000000000
+0200
+++ libxml-security-java-2.1.8/debian/changelog 2026-05-09 15:43:44.000000000
+0300
@@ -1,3 +1,18 @@
+libxml-security-java (2.1.8-1.1~deb13u1) trixie; urgency=medium
+
+ * Non-maintainer upload.
+ * Rebuild for trixie.
+
+ -- Adrian Bunk <[email protected]> Sat, 09 May 2026 15:43:44 +0300
+
+libxml-security-java (2.1.8-1.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2023-44483: Private Key disclosure in debug-log output
+ (Closes: #1059313)
+
+ -- Adrian Bunk <[email protected]> Thu, 07 May 2026 14:46:58 +0300
+
libxml-security-java (2.1.8-1) unstable; urgency=medium
* Removed the -java-doc package
diff -Nru
libxml-security-java-2.1.8/debian/patches/0001-Logging-improvements.patch
libxml-security-java-2.1.8/debian/patches/0001-Logging-improvements.patch
--- libxml-security-java-2.1.8/debian/patches/0001-Logging-improvements.patch
1970-01-01 02:00:00.000000000 +0200
+++ libxml-security-java-2.1.8/debian/patches/0001-Logging-improvements.patch
2026-05-07 14:46:31.000000000 +0300
@@ -0,0 +1,24 @@
+From acd0d1e92e7c96b70c4fa19e74640b89cacf77dd Mon Sep 17 00:00:00 2001
+From: Sean Mullan <[email protected]>
+Date: Fri, 6 Oct 2023 09:40:14 -0400
+Subject: Logging improvements.
+
+---
+ .../org/apache/jcp/xml/dsig/internal/dom/DOMSignatureMethod.java | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git
a/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMSignatureMethod.java
b/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMSignatureMethod.java
+index ce2e5445..5570427c 100644
+---
a/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMSignatureMethod.java
++++
b/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMSignatureMethod.java
+@@ -296,7 +296,6 @@ public abstract class DOMSignatureMethod extends
AbstractDOMSignatureMethod {
+ }
+ signature.initSign((PrivateKey)key);
+ LOG.debug("Signature provider: {}", signature.getProvider());
+- LOG.debug("Signing with key: {}", key);
+ LOG.debug("JCA Algorithm: {}", getJCAAlgorithm());
+
+ try (SignerOutputStream outputStream = new
SignerOutputStream(signature)) {
+--
+2.47.3
+
diff -Nru libxml-security-java-2.1.8/debian/patches/series
libxml-security-java-2.1.8/debian/patches/series
--- libxml-security-java-2.1.8/debian/patches/series 2024-01-03
15:56:29.000000000 +0200
+++ libxml-security-java-2.1.8/debian/patches/series 2026-05-07
14:46:58.000000000 +0300
@@ -1,3 +1,4 @@
no-errorprone.patch
exclude-tests.patch
remove-XMLUtilsPerformanceTest.java.patch
+0001-Logging-improvements.patch
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 13.5
This update has been released as part of Debian 13.5.
--- End Message ---
