Hi, I just had a go at this issue and I discovered that libxalan2-java in Debian is not affected but rather bcel.
https://tracker.debian.org/pkg/bcel The fixing commit in OpenJDK addresses the same code which is nowhere to be found in libxalan2-java but is present in bcel. The bcel upstream commit can be found at https://github.com/apache/commons-bcel/commit/f3267cbcc900f80851d561bdd16b239d936947f5 I suggest to reassign the bug to bcel. I agree that libxalan2-java should be retired eventually. It is required by quite some reverse-dependencies though and it may take some time to achieve that. In theory everything should work without the library, because the code is in OpenJDK already? I am not sure if we should request to clarify the CVE description or at least post on oss-security to make other people aware of it. I assume the official xalan2 release ships an internal copy of bcel and that might be the reason for the confusion. Regards, Markus
signature.asc
Description: This is a digitally signed message part
__ This is the maintainer address of Debian's Java team <https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>. Please use debian-j...@lists.debian.org for discussions and questions.