See tracker for (few) details, apparently xalan is bundled in openjdk, according to URL: "Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan."
https://openjdk.org/groups/vulnerability/advisories/2022-07-19 "These issues have been addressed, as applicable, in the following releases: 7u351, 8u342, 11.0.16, 13.0.12, 15.0.8, 17.0.4, and 18.0.2"
The vulnerability is in bcel, seems like that's bundled here as well.
(In reply to John Helmert III from comment #1) > https://openjdk.org/groups/vulnerability/advisories/2022-07-19 > > "These issues have been addressed, as applicable, in the following releases: > 7u351, 8u342, 11.0.16, 13.0.12, 15.0.8, 17.0.4, and 18.0.2" Hm, to be clear, these are tracked in bug 859376, not here.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=192b729d81f588010b67c1e39e06aa02c513b126 commit 192b729d81f588010b67c1e39e06aa02c513b126 Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2024-01-17 13:45:06 +0000 Commit: Hans de Graaff <graaff@gentoo.org> CommitDate: 2024-01-17 13:45:28 +0000 [ GLSA 202401-25 ] OpenJDK: Multiple Vulnerabilities Bug: https://bugs.gentoo.org/859376 Bug: https://bugs.gentoo.org/859400 Bug: https://bugs.gentoo.org/877597 Bug: https://bugs.gentoo.org/891323 Bug: https://bugs.gentoo.org/908243 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: Hans de Graaff <graaff@gentoo.org> glsa-202401-25.xml | 99 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 99 insertions(+)
