libowasp-esapi-java (2.4.0.0-0+deb11u1) bullseye-security; urgency=high

  * Team upload.
  * Fix CVE-2022-23457:
    ESAPI (The OWASP Enterprise Security API) is a free, open source, web
    application security control library. Prior to this update the default
    implementation of `Validator.getValidDirectoryPath(String, String, File,
    boolean)` may incorrectly treat the tested input string as a child of the
    specified parent directory. This potentially could allow control-flow
    bypass checks to be defeated if an attacker can specify the entire string
    representing the 'input' path.
  * Fix CVE-2022-24891:
    There is a potential for a cross-site scripting vulnerability in ESAPI
    caused by an incorrect regular expression for "onsiteURL" in the
    **antisamy-esapi.xml** configuration file that can cause "javascript:" URLs
    to fail to be correctly sanitized.
  * Warn about CVE-2025-5878:
    This issue affects the interface Encoder.encodeForSQL of the
    SQL Injection Defense. An attack leads to an improper neutralization of
    special elements. We are not aware of any affected reverse-dependencies in
    Debian but if you use ESAPI in a stand-alone project, you should be aware
    that the Encoder.encodeForSQL method has been deprecated and will be
    removed eventually. In addition the DB2Codec, MySQLCodec and OracleCodec
    classes have been deprecated too. We recommend carefully assessing whether
    your project might be affected by these classes and methods and if you have
    to implement additional steps to secure your application. The update does
    not automatically protect you from any potential risks.

 -- Markus Koschany <apo@debian.org>  Mon, 21 Jul 2025 23:10:16 +0200
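The following Java class is an added example for the two application-side
points raised in the entry above, the directory-path check (CVE-2022-23457)
and the deprecation of Encoder.encodeForSQL (CVE-2025-5878). It is not code
from ESAPI or from the Debian package. The context string "uploadDir", the
class name EsapiHardening and the `users` table with a `name` column are
assumptions made for the illustration.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Path;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.ValidationException;

/*
 * Added example (not ESAPI's code, not part of the Debian package): how a
 * caller of the patched library can defend in depth against the two
 * application-side issues described in the changelog entry above.
 */
public final class EsapiHardening {

    private EsapiHardening() {}

    /**
     * Validates {@code input} as a directory path under {@code parent} with
     * ESAPI and then re-checks containment independently, so that a bug in
     * the library's own parent/child test (the class of defect fixed as
     * CVE-2022-23457) cannot on its own let a path outside {@code parent}
     * through.
     */
    public static Path validatedChildDirectory(File parent, String input)
            throws ValidationException, IOException {
        // ESAPI's check: canonicalises the input, rejects null (allowNull = false)
        // and records an intrusion event when validation fails.
        // "uploadDir" is an assumed context label used only for logging.
        String checked = ESAPI.validator()
                .getValidDirectoryPath("uploadDir", input, parent, false);

        // Independent check on symlink-resolved paths. Path.startsWith compares
        // whole name elements, so "/srv/data-evil" is NOT under "/srv/data",
        // whereas a String.startsWith on the textual form would accept it.
        Path parentReal = parent.toPath().toRealPath();
        Path childReal = new File(checked).toPath().toRealPath();
        if (!childReal.startsWith(parentReal)) {
            throw new ValidationException(
                    "Directory outside the permitted parent",
                    "Path " + childReal + " escapes parent " + parentReal);
        }
        return childReal;
    }

    /**
     * Replaces a query assembled with Encoder.encodeForSQL (deprecated
     * upstream together with DB2Codec, MySQLCodec and OracleCodec) by a
     * parameterised query. The assumed schema is a table "users" with a
     * column "name".
     */
    public static int countUsersNamed(Connection conn, String name)
            throws SQLException {
        // Deprecated pattern, shown only for contrast and deliberately not used:
        //   String q = "SELECT COUNT(*) FROM users WHERE name = '"
        //       + ESAPI.encoder().encodeForSQL(
        //             new MySQLCodec(MySQLCodec.Mode.STANDARD), name) + "'";
        String sql = "SELECT COUNT(*) FROM users WHERE name = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            // The value is bound as data; the driver never parses it as SQL,
            // so quoting characters in "name" cannot alter the statement.
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getInt(1) : 0;
            }
        }
    }
}
```

The point of the second check in validatedChildDirectory is that it does not
depend on how the library implements its own containment test; the point of
countUsersNamed is that escaping (which is all encodeForSQL ever did) is
replaced by binding, so the deprecation of the codecs costs nothing.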

libowasp-esapi-java (2.4.0.0-2) unstable; urgency=medium

  * Team upload.
  * Replace libservlet3.1-java with libservlet-api-java
  * Drop libowasp-esapi-java-doc (see Debian bug #1028166)
  * Bump Standards-Version to 4.6.2
  * Freshen years in debian/copyright
  * Add lintian overrides for long HTML lines
  * Set Rules-Requires-Root: no in debian/control

 -- tony mancill <tmancill@debian.org>  Sun, 08 Jan 2023 10:29:05 -0800

libowasp-esapi-java (2.4.0.0-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 2.4.0.0.
    - Fix CVE-2022-23457 and CVE-2022-24891 and a potential DoS vulnerability
      (CVE-2022-28366). (Closes: #1010339)
    Thanks to Neil Williams for the report.
  * Drop servlet-api.patch because it is no longer required.
  * Use canonical VCS URI.

 -- Markus Koschany <apo@debian.org>  Fri, 29 Apr 2022 15:30:01 +0200

libowasp-esapi-java (2.2.3.1-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 2.2.3.1.
  * Switch to debhelper-compat = 13.
  * Declare compliance with Debian Policy 4.6.0.
  * Switch to commons-collections 4.
  * Rebase 01-servlet-api-compatibility.patch

 -- Markus Koschany <apo@debian.org>  Tue, 12 Oct 2021 15:27:54 +0200

libowasp-esapi-java (2.1.0-3) unstable; urgency=medium

  * Team upload.
  * Transition to the Servlet API 3.1 (Closes: #801021)
  * Build with the DH sequencer instead of CDBS
  * Standards-Version updated to 3.9.8 (no changes)
  * Use secure Vcs-* URLs

 -- Emmanuel Bourg <ebourg@apache.org>  Mon, 20 Jun 2016 17:06:57 +0200

libowasp-esapi-java (2.1.0-2) unstable; urgency=low

  * This version to be for unstable
  * Put into git (and add appropriate headers to debian/control)
  * Note the 2 Apache-2.0 licensed files

 -- Matthew Vernon <matthew@debian.org>  Thu, 29 May 2014 18:27:31 +0100

libowasp-esapi-java (2.1.0-1) experimental; urgency=low

  * Initial release (closes: #741416)
  * This is (indirectly) a dependency of the Shibboleth IdP

 -- Matthew Vernon <matthew@debian.org>  Wed, 19 Feb 2014 16:24:11 +0000
