I've been investigating this issue as well. I contacted an upstream developer and it seems the actual fix for this issue is unknown. The version 3.2.0 was just reported as not vulnerable by the security researched who discovered this issue.
I can prepare an upgrade to the latest 3.2.x version but this will at least require libhibernate-validator-java to be unblocked as well. Emmanuel Bourg __ This is the maintainer address of Debian's Java team <http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. Please use [email protected] for discussions and questions.
