libowasp-esapi-java (2.1.0-3ubuntu0.20.04.1~esm1) focal-security; urgency=medium

  * SECURITY UPDATE: Directory path validation bypass during path verification
    - debian/patches/CVE-2022-23457-1.patch: Use canonical path objects in
      src/main/java/org/owasp/esapi/reference/DefaultValidator.java
    - debian/patches/CVE-2022-23457-2.patch: Add validation regression tests in
      src/test/java/org/owasp/esapi/reference/ValidatorTest.java
    - CVE-2022-23457
  * SECURITY UPDATE: Cross-site scripting in onsiteURL sanitization
    - debian/patches/CVE-2022-24891.patch: Tighten AntiSamy URL regexes in
      configuration/esapi/antisamy-esapi.xml, and add related tests in
      src/test/resources/antisamy-esapi-CP.xml and
      src/test/resources/esapi/antisamy-esapi.xml
    - CVE-2022-24891
  * SECURITY UPDATE: Improper SQL special-element neutralization
    - debian/patches/CVE-2025-5878.patch: Deprecate SQL encodings in
      src/main/java/org/owasp/esapi/Encoder.java,
      src/main/java/org/owasp/esapi/codecs/DB2Codec.java,
      src/main/java/org/owasp/esapi/codecs/MySQLCodec.java,
      src/main/java/org/owasp/esapi/codecs/OracleCodec.java and
      src/main/java/org/owasp/esapi/reference/DefaultEncoder.java
    - CVE-2025-5878

 -- Shafayat Hossain Majumder <shafayat.majumder@canonical.com>  Wed, 15 Apr 2026 08:57:58 -0400

libowasp-esapi-java (2.1.0-3) unstable; urgency=medium

  * Team upload.
  * Transition to the Servlet API 3.1 (Closes: #801021)
  * Build with the DH sequencer instead of CDBS
  * Standards-Version updated to 3.9.8 (no changes)
  * Use secure Vcs-* URLs

 -- Emmanuel Bourg <ebourg@apache.org>  Mon, 20 Jun 2016 17:06:57 +0200

libowasp-esapi-java (2.1.0-2) unstable; urgency=low

  * This version to be for unstable
  * Put into git (and add appropriate headers to debian/control)
  * Note the 2 Apache-2.0 licensed files
  
 -- Matthew Vernon <matthew@debian.org>  Thu, 29 May 2014 18:27:31 +0100

libowasp-esapi-java (2.1.0-1) experimental; urgency=low

  * Initial release (closes: #741416)
  * This is (indirectly) a dependency of the Shibboleth IdP

 -- Matthew Vernon <matthew@debian.org>  Wed, 19 Feb 2014 16:24:11 +0000
