CVE-2022-34169: The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. The Apache Xalan Java project is dormant and in the process of being retired. No future releases of Apache Xalan Java to address this issue are expected. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan. Some details in tracker, seems like the bcel fix is: https://github.com/apache/commons-bcel/commit/f3267cbcc900f80851d561bdd16b239d936947f5 which is in 6.6.0, please stabilize ASAP. Not sure how I missed filing this, sorry about that.
Thanks!
Please cleanup
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6b6c826bc4b8c4398636265b63367f66ced5f8c5 commit 6b6c826bc4b8c4398636265b63367f66ced5f8c5 Author: Volkmar W. Pogatzki <gentoo@pogatzki.net> AuthorDate: 2022-11-09 06:44:22 +0000 Commit: John Helmert III <ajak@gentoo.org> CommitDate: 2022-11-09 13:49:02 +0000 dev-java/bcel: CVE-2022-42920, drop 6.5.0, 6.5.0-r3 Bug: https://bugs.gentoo.org/880447 Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net> Closes: https://github.com/gentoo/gentoo/pull/28198 Signed-off-by: John Helmert III <ajak@gentoo.org> dev-java/bcel/Manifest | 2 - dev-java/bcel/bcel-6.5.0-r3.ebuild | 85 -------------------------------------- dev-java/bcel/bcel-6.5.0.ebuild | 31 -------------- 3 files changed, 118 deletions(-)
Thank you!
