-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 22 Jul 2025 00:47:40 CEST
Source: libowasp-esapi-java
Architecture: source
Version: 2.4.0.0-0+deb11u1
Distribution: bullseye-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Checksums-Sha1:
 3da6f8b7860303637e5f8594ee87b6424e8b3713 2566 libowasp-esapi-java_2.4.0.0-0+deb11u1.dsc
 128ef33dadaf0a250903def449f92d1d39a2a34b 6077824 libowasp-esapi-java_2.4.0.0.orig.tar.gz
 ec83be707a06b3af35030c28e20e9a519f7ec449 13068 libowasp-esapi-java_2.4.0.0-0+deb11u1.debian.tar.xz
 8f998a5b34f07184c6847602376c7289a0448ed7 13798 libowasp-esapi-java_2.4.0.0-0+deb11u1_amd64.buildinfo
Checksums-Sha256:
 7b84939e8bdc8b031b586bd68edf70da77d0e383e066de8aabfdd63d673d98a6 2566 libowasp-esapi-java_2.4.0.0-0+deb11u1.dsc
 010123823540c1eafa818527404cdb1b35adb3c9f197418c754a69fe46df45ee 6077824 libowasp-esapi-java_2.4.0.0.orig.tar.gz
 c4a17e124ea23ac3c89f1bf8bdbc499f55ec5116ec78904f386a27a903065822 13068 libowasp-esapi-java_2.4.0.0-0+deb11u1.debian.tar.xz
 d4f640965481d39988e9d825bf7431808811cadba3d8f09125560a4fe5b0742a 13798 libowasp-esapi-java_2.4.0.0-0+deb11u1_amd64.buildinfo
Changes:
 libowasp-esapi-java (2.4.0.0-0+deb11u1) bullseye-security; urgency=high
 .
   * Team upload.
   * Fix CVE-2022-23457: ESAPI (The OWASP Enterprise Security API) is a free,
     open source, web application security control library. Prior to this
     update the default implementation of
     `Validator.getValidDirectoryPath(String, String, File, boolean)` may
     incorrectly treat the tested input string as a child of the specified
     parent directory. This potentially could allow control-flow bypass checks
     to be defeated if an attack can specify the entire string representing
     the 'input' path.
   * Fix CVE-2022-24891: There is a potential for a cross-site scripting
     vulnerability in ESAPI caused by an incorrect regular expression for
     "onsiteURL" in the **antisamy-esapi.xml** configuration file that can
     cause "javascript:" URLs to fail to be correctly sanitized.
   * Warn about CVE-2025-5878: This issue affects the interface
     Encoder.encodeForSQL of the SQL Injection Defense. An attack leads to an
     improper neutralization of special elements. We are not aware of any
     affected reverse-dependencies in Debian, but if you use ESAPI in a
     stand-alone project, you should be aware that the Encoder.encodeForSQL
     method has been deprecated and will be removed eventually. In addition,
     the DB2Codec, MySQLCodec and OracleCodec classes have been deprecated
     too. We recommend carefully assessing whether your project might be
     affected by these classes and methods and whether you have to implement
     additional steps to secure your application. The update does not
     automatically protect you from any potential risks.
Files:
 0ffccafb7abea1e53e152ef87f9d03bc 2566 java optional libowasp-esapi-java_2.4.0.0-0+deb11u1.dsc
 0135a0411677780c9fb1acc2536849ad 6077824 java optional libowasp-esapi-java_2.4.0.0.orig.tar.gz
 0369abc19d120aaae06dd87c2c4fad2b 13068 java optional libowasp-esapi-java_2.4.0.0-0+deb11u1.debian.tar.xz
 a7bc07562894b3b4d86b7eb6d0022601 13798 java optional libowasp-esapi-java_2.4.0.0-0+deb11u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmh+xBNfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp
YW4ub3JnAAoJENmtFLlRO1HkmXcQAIJIqwHtNhv6BoPtLD5GNCiyD9F281b0DKPl
pUKlpLtRwMilLE87gG+2NctvrGliGB2HxX5Jbtnn8UHZ62Ve31w+r4MTOyFqYEAq
pZIe39hG8E082Pz5AOkm3we+P7D027Ms+KGDtZ8P+0oebP+Mw77qeQpCCP1qNxOa
dZNuQXWKn69dbVGO74M862xG28EtMzBB9Wj9ZkHW4bc4i0gwP5KxX+n3jzha6kHG
h5O3lfRuvOPyAkMa5q3LHbjcgEDplMqY1YPC8/u7lFJ9M8eq1+hSamAWTAdn9ori
O0YDfJXAVPtJ7zNZ7ojYhMgrZaj0MVVoxLdDkW4Pjvr6VyurLNN6lqd7bGFF3Kvx
ZIMaE/zFlGrOhm9IO+thdjUigf0ZLmUNBXHkoklQZglR28B/+xpBB2ujK1xnRv2c
fwWwz6MEBGfCV6DvwGrq+hIt4JjobQKAc2cyC65ykgqCaI+8ngsmrBol6fKbuufE
5t8Anis4gi+drGG+Oedc+d37RA6huHFnN2BD9fOciBf2Xzo78FCdD5Nrw7giFv1E
Mb6BC73muamzAffxdEXkuXhzKq/hi2G8PF4EdT6PR28Gd6/NXZnbVqhh3/DTopWU
yr9M9N3XoePIev31jvePIxKqNVVAJa81eBM4Q24WStaM0qFjQeHY3yxNt+DSZeg1
p11/dDWG
=ywCH
-----END PGP SIGNATURE-----
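The CVE-2022-23457 entry above concerns a directory-validation routine that could accept an input path as a child of the given parent directory when it was not. The following is an added example, not ESAPI's own code and not part of the Debian upload, showing how such a containment check can be written defensively: both paths are canonicalised (symlinks followed, "." and ".." removed) and the comparison is made component-wise with `Path.startsWith`, so a sibling directory whose name merely shares the parent's name as a string prefix is rejected. The class name `DirectoryContainmentCheck`, the exception type and the temporary directories built in `main` are assumptions made for the illustration.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

public final class DirectoryContainmentCheck {

    /** Thrown when the candidate does not resolve to the parent or a directory beneath it. */
    public static final class NotContainedException extends Exception {
        NotContainedException(String msg) { super(msg); }
    }

    /**
     * Resolves `input` against `parent` (absolute inputs are taken as given),
     * canonicalises both sides, and accepts the result only if it is the parent
     * itself or one of its descendants. Path.startsWith compares whole path
     * components, unlike String.startsWith, so "/srv/data-evil" is not treated
     * as lying inside "/srv/data".
     */
    public static Path validDirectoryPath(String input, File parent)
            throws IOException, NotContainedException {
        Path parentReal = parent.getCanonicalFile().toPath();
        Path candidate = Path.of(input);
        if (!candidate.isAbsolute()) {
            candidate = parentReal.resolve(candidate);
        }
        // getCanonicalFile follows symlinks and collapses "." and ".." segments.
        Path candidateReal = candidate.toFile().getCanonicalFile().toPath();
        if (!candidateReal.startsWith(parentReal)) {
            throw new NotContainedException(input + " resolves outside " + parentReal);
        }
        return candidateReal;
    }

    /** Convenience wrapper: true only if the input passes the containment check. */
    public static boolean isContained(String input, File parent) {
        try {
            validDirectoryPath(input, parent);
            return true;
        } catch (IOException | NotContainedException e) {
            return false;
        }
    }

    // Constructed demonstration (assumption): a temporary parent directory "data",
    // a child inside it, and a sibling "data-evil" whose name shares the prefix.
    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("containment-demo");
        File parent = Files.createDirectory(base.resolve("data")).toFile();
        Files.createDirectory(parent.toPath().resolve("child"));
        Files.createDirectory(base.resolve("data-evil"));

        String[] inputs = {
            "child",                                   // inside: direct child
            parent.getPath() + "/child/../child",      // inside: normalises back into parent
            "../data-evil",                            // outside: sibling via ".."
            parent.getPath() + "-evil",                // outside: string prefix matches, path does not
            "../../",                                  // outside: climbs above parent
        };
        for (String in : inputs) {
            System.out.printf("%-50s -> %s%n", in,
                    isContained(in, parent) ? "inside" : "OUTSIDE");
        }
    }
}
```

The point to carry over when reviewing any similar validator is that the check must run on the canonical form of both the parent and the fully resolved candidate, and must compare path components rather than raw characters; either shortcut is enough to let a path that is not a child pass as one.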