Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker


Commits:
83af9505 by Markus Koschany at 2022-10-27T18:34:48+02:00
CVE-2022-41842,libcommons-jxpath-java: Link to proposed upstream changes

The upstream discussion is ongoing. They intend to implement either a whitelist
or a blacklist. Maven requires jxpath as a build-dependency. We should wait for
the outcome of that discussion.

- - - - -
4c46ba1e by Markus Koschany at 2022-10-27T18:42:12+02:00
Add libcommons-jxpath-java to dla-needed.txt

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -5178,6 +5178,8 @@ CVE-2022-41853 (Those using java.sql.Statement or 
java.sql.PreparedStatement in
 CVE-2022-41852 (Those using JXPath to interpret untrusted XPath expressions 
may be vul ...)
        - libcommons-jxpath-java <unfixed>
        NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47133
+       NOTE: https://github.com/apache/commons-jxpath/pull/25
+       NOTE: https://github.com/apache/commons-jxpath/pull/26
 CVE-2022-41851 (A vulnerability has been identified in JTTK (All versions &lt; 
V11.1.1 ...)
        NOT-FOR-US: JTTK
 CVE-2022-41836 (When an 'Attack Signature False Positive Mode' enabled 
security policy ...)
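
Review bot: The commit subject names CVE-2022-41842, but the two added NOTE lines sit under the CVE-2022-41852 entry for libcommons-jxpath-java, so the subject and the change disagree on the CVE id. Searching the history for CVE-2022-41852 will miss this commit. If 41852 is the intended entry, reword the subject to match. Separately, the two pull request URLs are added bare, while the commit message describes them as proposed changes still under discussion. A short label on each NOTE saying that the pull request is proposed and not yet merged would keep a later reader from treating either one as the fix.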


=====================================
data/dla-needed.txt
=====================================
@@ -98,6 +98,10 @@ kopanocore
   NOTE: 20220801: Programming language: C++.
   NOTE: 20220811: Proposed a patch to CVE-2022-26562 (#1016973)
 --
+libcommons-jxpath-java
+  NOTE: 20221027: Programming language: Java.
+  NOTE: 20221027: Maintainer notes: Wait for the outcome of upstream 
discussion. See CVE-2022-41852 for pull requests.
+--
 libreoffice
   NOTE: 20221012: Programming language: C++.
 --
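
Review bot: The new libcommons-jxpath-java entry says only to wait for the upstream discussion and leaves out the point from the first commit message that Maven requires jxpath as a build-dependency. That dependency is the part a person picking up this entry most needs when judging the impact of an eventual whitelist or blacklist change, so consider recording it in an additional NOTE line here. The pointer "See CVE-2022-41852 for pull requests" matches the entry changed in data/CVE/list.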



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/257634c3285ad3cb989508e20d4703e596835672...4c46ba1ef93f6027787ca6fba7577590eb6f91f5
