On Thu, Oct 13, 2022 at 09:36:09PM +0200, Markus Koschany wrote:
> Hi,
>
> I just had a go at this issue and I discovered that libxalan2-java in Debian
> is not affected but rather bcel.
>
> https://tracker.debian.org/pkg/bcel
>
> The fixing commit in OpenJDK addresses the same code, which is nowhere to be
> found in libxalan2-java but is present in bcel. The bcel upstream commit can
> be found at
>
> https://github.com/apache/commons-bcel/commit/f3267cbcc900f80851d561bdd16b239d936947f5
>
> I suggest reassigning the bug to bcel. I agree that libxalan2-java should be
> retired eventually. It is required by quite a few reverse-dependencies though,
> and it may take some time to achieve that. In theory everything should work
> without the library, because the code is in OpenJDK already?
Nice find!

> I am not sure if we should request to clarify the CVE description or at least
> post on oss-security to make other people aware of it. I assume the official
> xalan2 release ships an internal copy of bcel and that might be the reason for
> the confusion.

Yeah, I think it would be best if you were to post to oss-security about this,
then this can be picked up as a public reference by other distros (and the URL
in the list archives could be used to challenge/update the CVE ID).

Cheers,
Moritz

__
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use debian-j...@lists.debian.org for discussions and questions.
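The reassignment above rests on one check: which shipped jar actually contains the classes the upstream fix touches. The script below is an added example for doing that check mechanically; it is not code from this thread, from Debian, or from either package. It assumes the Debian jars live at /usr/share/java/xalan2.jar and /usr/share/java/bcel.jar and that the relevant code sits under the org/apache/bcel/ class prefix; the jars it builds for the stand-alone run are constructed stand-ins with placeholder entries, so it runs offline.

```python
"""Added example: report which jars ship classes under a given package prefix.

Use it to confirm that a fix landing in one upstream tree (here bcel) applies
to the package that really vendors that code, rather than to the package whose
name appears in a CVE description.
"""
import os
import tempfile
import zipfile
from typing import Dict, Iterable, List, Tuple

# Assumption: the classes touched by the upstream fix live under this prefix.
BCEL_PREFIX = "org/apache/bcel/"

# Assumption: where the Debian packages install their jars.
DEBIAN_JARS = ("/usr/share/java/xalan2.jar", "/usr/share/java/bcel.jar")


def vendored_entries(jar_path: str, prefix: str = BCEL_PREFIX) -> List[str]:
    """Return the .class entries under `prefix` inside a jar (a zip archive)."""
    with zipfile.ZipFile(jar_path) as jar:
        return sorted(
            name for name in jar.namelist()
            if name.startswith(prefix) and name.endswith(".class")
        )


def triage(jar_paths: Iterable[str], prefix: str = BCEL_PREFIX) -> Dict[str, int]:
    """Map each jar to how many `prefix` classes it ships.

    A count of 0 means a fix to code under `prefix` cannot change that jar's
    behaviour, so a CVE naming it is at best misattributed for that package.
    """
    return {path: len(vendored_entries(path, prefix)) for path in jar_paths}


def build_sample_jars(directory: str) -> Tuple[str, str]:
    """Constructed stand-ins for the two Debian jars.

    The entries are empty placeholders (no real bytecode); only the entry
    names matter for the listing-based check above.
    """
    xalan = os.path.join(directory, "xalan2.jar")
    bcel = os.path.join(directory, "bcel.jar")
    with zipfile.ZipFile(xalan, "w") as z:
        z.writestr("org/apache/xalan/xsltc/compiler/XSLTC.class", b"")
        z.writestr("org/apache/xalan/xsltc/compiler/util/Util.class", b"")
    with zipfile.ZipFile(bcel, "w") as z:
        z.writestr("org/apache/bcel/classfile/ConstantPool.class", b"")
        z.writestr("org/apache/bcel/generic/ConstantPoolGen.class", b"")
    return xalan, bcel


def demo() -> Dict[str, int]:
    """Run the triage over the constructed jars; keys are jar basenames."""
    with tempfile.TemporaryDirectory() as d:
        counts = triage(build_sample_jars(d))
    return {os.path.basename(p): n for p, n in counts.items()}


if __name__ == "__main__":
    # On a real Debian system, point triage() at DEBIAN_JARS instead.
    for jar, count in demo().items():
        print(f"{jar}: {count} classes under {BCEL_PREFIX}")
```

On an actual Debian host, replace the constructed jars with `triage(DEBIAN_JARS)`; a jar that reports zero classes under the prefix is not carrying the code the bcel commit changed, which is the evidence the thread relies on when asking for the CVE to be reassigned.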