[ubuntu/focal-updates] libxstream-java 1.4.11.1-1ubuntu0.2 (Accepted)
Ubuntu Archive Robot
ubuntu-archive-robot at lists.canonical.com
Tue May 11 10:58:19 UTC 2021
libxstream-java (1.4.11.1-1ubuntu0.2) focal-security; urgency=medium
* Merge from Debian.
* SECURITY UPDATE: Arbitrary code execution.
- debian/patches/CVE-2021-21341-to-CVE-2021-21351.patch: The type
hierarchies for java.io.InputStream, java.nio.channels.Channel,
javax.activation.DataSource and javax.sql.rowsel.BaseRowSet are now
blacklisted as well as the individual types
com.sun.corba.se.impl.activation.ServerTableEntry,
com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator,
sun.awt.datatransfer.DataTransferer$IndexOrderComparator, and
sun.swing.SwingLazyValue. Additionally the internal type
Accessor$GetterSetterReflection of JAXB, the internal types
MethodGetter$PrivilegedGetter and ServiceFinder$ServiceNameIterator of
JAX-WS, all inner classes of javafx.collections.ObservableList and an
internal ClassLoader used in a private BCEL copy are now part of the
default blacklist and the deserialization of XML containing one of the two
types will fail. You will have to enable these types by explicit
configuration, if you need them.
- CVE-2021-21341
- CVE-2021-21342
- CVE-2021-21343
- CVE-2021-21344
- CVE-2021-21345
- CVE-2021-21346
- CVE-2021-21347
- CVE-2021-21348
- CVE-2021-21349
- CVE-2021-21350
- CVE-2021-21351
Date: 2021-05-11 08:11:12.368002+00:00
Changed-By: Eduardo Barretto <eduardo.barretto at canonical.com>
Signed-By: Ubuntu Archive Robot <ubuntu-archive-robot at lists.canonical.com>
https://launchpad.net/ubuntu/+source/libxstream-java/1.4.11.1-1ubuntu0.2
-------------- next part --------------
Sorry, changesfile not available.
More information about the Focal-changes
mailing list