libxml-security-java 2.1.7-1 source package in Ubuntu

Changelog

libxml-security-java (2.1.7-1) unstable; urgency=high

  * Team upload.
  * New upstream version 2.1.7.
    - Fix CVE-2019-12400:
      In version 2.0.3 Apache Santuario XML Security for Java, a caching
      mechanism was introduced to speed up creating new XML documents using a
      static pool of DocumentBuilders. However, if some untrusted code can
      register a malicious implementation with the thread context class loader
      first, then this implementation might be cached and re-used by Apache
      Santuario - XML Security for Java, leading to potential security flaws
      when validating signed documents, etc. The vulnerability affects Apache
      Santuario - XML Security for Java 2.0.x releases from 2.0.3 and all 2.1.x
      releases before 2.1.4.
      (Closes: #935548)
    - Fix CVE-2021-40690:
      All versions of Apache Santuario - XML Security for Java prior to 2.2.3
      and 2.1.7 are vulnerable to an issue where the "secureValidation"
      property is not passed correctly when creating a KeyInfo from a
      KeyInfoReference element. This allows an attacker to abuse an XPath
      Transform to extract any local .xml files in a RetrievalMethod element.
      (Closes: #994569)
  * Switch to debhelper-compat = 13.
  * Declare compliance with Debian Policy 4.6.0.
  * Drop 0001-Recover-old-API-for-libitext5-java.patch. This appears to work
    now.
  * Add no-errorprone.patch and ignore errorprone core artifact.
  * Update debian/watch and detect new releases on github.com.
  * Remove old orig-tar.sh script and use the Files-Excluded mechanism instead.

 -- Markus Koschany <email address hidden>  Thu, 23 Sep 2021 23:29:16 +0200

Upload details

Uploaded by: Debian Java Maintainers
Uploaded to: Sid
Original maintainer: Debian Java Maintainers
Architectures: all
Section: java
Urgency: Very Urgent

Builds

Jammy: [FULLYBUILT] amd64

Downloads

File                                         Size       SHA-256 Checksum
libxml-security-java_2.1.7-1.dsc             2.6 KiB    e8141eb120d087bcfe15c71947549ba508e923287d29adf478eb4c369df71f52
libxml-security-java_2.1.7.orig.tar.xz       736.5 KiB  3ae6295caf43d9376e132b3d2fdea7c5a7af4a3c82554c257fc9b55426b2d6ee
libxml-security-java_2.1.7-1.debian.tar.xz   5.7 KiB    f370b63dff0ce82be0ba01391d885304cc13846b97e325edf78a8e4a12c1056d

Available diffs

No changes file available.

Binary packages built by this source

libxml-security-java: Apache Santuario -- XML Security for Java

 Apache Santuario supports XML-Signature Syntax and Processing, W3C
 Recommendation 12 February 2002, and XML Encryption Syntax and Processing, W3C
 Recommendation 10 December 2002. As of version 1.4, the Java library supports
 the standard Java API JSR-105: XML Digital Signature APIs.

libxml-security-java-doc: Documentation for Apache Santuario

 Apache Santuario supports XML-Signature Syntax and Processing, W3C
 Recommendation 12 February 2002, and XML Encryption Syntax and Processing, W3C
 Recommendation 10 December 2002. As of version 1.4, the Java library supports
 the standard Java API JSR-105: XML Digital Signature APIs.
 .
 This package contains the API documentation of libxml-security-java.