[ubuntu/bionic-updates] libxstream-java 1.4.11.1-1~18.04.2 (Accepted)

Ubuntu Archive Robot ubuntu-archive-robot at lists.canonical.com
Tue May 11 10:58:19 UTC 2021


libxstream-java (1.4.11.1-1~18.04.2) bionic-security; urgency=medium

  * Merge from Debian.
  * SECURITY UPDATE: Arbitrary code execution.
    - debian/patches/CVE-2021-21341-to-CVE-2021-21351.patch: The type
    hierarchies for java.io.InputStream, java.nio.channels.Channel,
    javax.activation.DataSource and javax.sql.rowsel.BaseRowSet are now
    blacklisted as well as the individual types
    com.sun.corba.se.impl.activation.ServerTableEntry,
    com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator,
    sun.awt.datatransfer.DataTransferer$IndexOrderComparator, and
    sun.swing.SwingLazyValue. Additionally the internal type
    Accessor$GetterSetterReflection of JAXB, the internal types
    MethodGetter$PrivilegedGetter and ServiceFinder$ServiceNameIterator of
    JAX-WS, all inner classes of javafx.collections.ObservableList and an
    internal ClassLoader used in a private BCEL copy are now part of the
    default blacklist and the deserialization of XML containing one of the two
    types will fail. You will have to enable these types by explicit
    configuration, if you need them. 
    - CVE-2021-21341
    - CVE-2021-21342
    - CVE-2021-21343
    - CVE-2021-21344
    - CVE-2021-21345
    - CVE-2021-21346
    - CVE-2021-21347
    - CVE-2021-21348
    - CVE-2021-21349
    - CVE-2021-21350
    - CVE-2021-21351

Date: 2021-05-11 08:12:27.464388+00:00
Changed-By: Eduardo Barretto <eduardo.barretto at canonical.com>
Maintainer: Debian Java Maintainers <pkg-java-maintainers at lists.alioth.debian.org>
Signed-By: Ubuntu Archive Robot <ubuntu-archive-robot at lists.canonical.com>
https://launchpad.net/ubuntu/+source/libxstream-java/1.4.11.1-1~18.04.2
-------------- next part --------------
Sorry, changesfile not available.


More information about the Bionic-changes mailing list