That sounds of a potential denial of service vulnerability. How likely is it that Xalan would be used with untrusted stylesheets supplied by attackers? If you don't think it would be possible to fix it you can ask the release team for a jessie-ignore tag, reportbug release.debian.org, choose "3 other", explain your reasoning. You could also reimplement the libxslt solution for this in Xalan. -- bye, pabs https://wiki.debian.org/PaulWise