[ubuntu/bionic-security] libxstream-java 1.4.11.1-1+deb10u4build0.18.04.1 (Accepted)
Amir Naseredini
amir.naseredini at canonical.com
Mon Mar 13 10:39:32 UTC 2023
libxstream-java (1.4.11.1-1+deb10u4build0.18.04.1) bionic-security; urgency=medium

  * fake sync from Debian

libxstream-java (1.4.11.1-1+deb10u4) buster-security; urgency=high

  * Team upload.
  * Fix CVE-2022-41966:
    XStream serializes Java objects to XML and back again. Versions prior to
    1.4.11.1-1+deb10u4 may allow a remote attacker to terminate the application
    with a stack overflow error, resulting in a denial of service only via
    manipulation of the processed input stream. The attack uses the hash code
    implementation for collections and maps to force recursive hash calculation
    causing a stack overflow. This issue is patched in version
    1.4.11.1-1+deb10u4 which handles the stack overflow and raises an
    InputManipulationException instead. A potential workaround for users who
    only use HashMap or HashSet and whose XML refers to these only as default
    map or set, is to change the default implementation of java.util.Map and
    java.util per the code example in the referenced advisory. However, this
    implies that your application does not care about the implementation of the
    map and all elements are comparable. (Closes: #1027754)

libxstream-java (1.4.11.1-1+deb10u3) buster-security; urgency=high

  * Team upload.
  * Enable the security whitelist by default to prevent RCE vulnerabilities.
    XStream no longer uses a blacklist because it cannot be secured for general
    purpose.

libxstream-java (1.4.11.1-1+deb10u2) buster-security; urgency=high

  * Team upload.
  * Fix CVE-2020-26258:
    XStream is vulnerable to a Server-Side Request Forgery which can be
    activated when unmarshalling. The vulnerability may allow a remote attacker
    to request data from internal resources that are not publicly available
    only by manipulating the processed input stream.
  * Fix CVE-2020-26259:
    XStream is vulnerable to an Arbitrary File Deletion on the local host when
    unmarshalling. The vulnerability may allow a remote attacker to delete
    arbitrary known files on the host as long as the executing process has
    sufficient rights only by manipulating the processed input stream.

libxstream-java (1.4.11.1-1+deb10u1) buster-security; urgency=high

  * Team upload.
  * Fix CVE-2020-26217:
    It was found that XStream is vulnerable to Remote Code Execution. The
    vulnerability may allow a remote attacker to run arbitrary shell commands
    only by manipulating the processed input stream. Users who rely on
    blocklists are affected (the default in Debian). We strongly recommend
    using the whitelist approach of XStream's Security Framework because there
    are likely more class combinations the blacklist approach may not address.

libxstream-java (1.4.11.1-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 1.4.11.1.
Date: 2023-03-10 11:49:09.365339+00:00
Changed-By: Amir Naseredini <amir.naseredini at canonical.com>
Maintainer: Debian Java Maintainers <pkg-java-maintainers at lists.alioth.debian.org>
https://launchpad.net/ubuntu/+source/libxstream-java/1.4.11.1-1+deb10u4build0.18.04.1
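The whitelist configuration that the deb10u1 and deb10u3 entries above recommend, combined with the default-implementation workaround the deb10u4 entry describes for CVE-2022-41966, as an added Java example. This is not code from the changelog, from Debian or from the XStream project. It assumes XStream 1.4.11.1 (the packaged version) on the classpath; the `Order` class, the `hardenedXStream` helper and both XML documents are constructed here for illustration.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import java.util.TreeSet;

public class XStreamAllowlistExample {

    // Hypothetical application type: the only object this service expects to receive.
    public static class Order {
        public String id;
        public int quantity;
        public Map<String, String> attributes;
        public Set<String> tags;
    }

    // Builds an XStream instance that uses an explicit allowlist instead of the
    // blocklist XStream 1.4.11 ships with by default.
    static XStream hardenedXStream() {
        XStream xstream = new XStream();
        xstream.alias("order", Order.class);

        // Clear every permission, including the built-in blocklist, so nothing is
        // deserialisable until it is allowed explicitly below.
        xstream.addPermission(NoTypePermission.NONE);
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { String.class, Order.class });
        xstream.allowTypeHierarchy(Map.class);
        xstream.allowTypeHierarchy(Set.class);

        // Workaround described in the CVE-2022-41966 advisory: resolve plain map/set
        // elements to tree-based implementations, which order by compareTo() rather
        // than hashCode() and so cannot be driven into the recursive hash calculation.
        // Only acceptable when the application does not depend on HashMap/HashSet
        // semantics and every key/element is Comparable; otherwise rely on the
        // patched package, which raises InputManipulationException instead.
        xstream.addDefaultImplementation(TreeMap.class, Map.class);
        xstream.addDefaultImplementation(TreeSet.class, Set.class);
        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = hardenedXStream();

        // Constructed input: a well-formed order using only the expected types.
        String expected = "<order>"
                + "<id>A-1</id><quantity>3</quantity>"
                + "<attributes><entry><string>colour</string><string>red</string></entry></attributes>"
                + "<tags><string>gift</string></tags>"
                + "</order>";
        Order order = (Order) xstream.fromXML(expected);
        // The untyped <attributes> and <tags> elements now resolve to TreeMap/TreeSet.
        System.out.println("Accepted order " + order.id + " ("
                + order.attributes.getClass().getSimpleName() + ", "
                + order.tags.getClass().getSimpleName() + ")");

        // Constructed input naming a JDK type the application never expects. Whether or
        // not the built-in blocklist happens to cover it, the allowlist refuses the
        // type before any converter runs.
        String unexpected = "<java.io.File><path>/tmp/example</path></java.io.File>";
        try {
            xstream.fromXML(unexpected);
            System.out.println("BUG: unexpected type was accepted");
        } catch (ForbiddenClassException e) {
            System.out.println("Rejected: " + e.getMessage());
        }
    }
}
```

Treat `ForbiddenClassException`, and on the patched package `InputManipulationException`, like any other rejected input: log the event and return an error to the caller rather than retrying with a more permissive configuration. The allowlist should name only the application's own types and the collection hierarchies it genuinely needs; every additional entry is a potential gadget.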