oss-sec mailing list archives

Re: CVE-2022-34169: Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets


From: Markus Koschany <apo () debian org>
Date: Mon, 17 Oct 2022 23:57:45 +0200

Hi,

it appears the underlying bug is in Apache Commons bcel and not in Apache Xalan
itself. See

https://bugs.debian.org/1015860

and

https://github.com/apache/commons-bcel/pull/147

https://github.com/apache/commons-bcel/commit/f3267cbcc900f80851d561bdd16b239d936947f5



