[ubuntu/groovy-security] libxstream-java 1.4.11.1-2ubuntu0.1 (Accepted)

Eduardo Barretto eduardo.barretto at canonical.com
Tue May 11 09:43:14 UTC 2021 

libxstream-java (1.4.11.1-2ubuntu0.1) groovy-security; urgency=medium

  * Merge from Debian
  * SECURITY UPDATE: Command Injection Vulnerability
    - debian/patches/CVE-2020-26217.patch: New predefined blacklist avoids
      vulnerability due to improper setup and update security vulnerability
      test to test default.
    - debian/patches/CVE-2020-26259.patch: Fix arbitrary File Deletion on the
      local host.
    - CVE-2020-26217
    - CVE-2020-26259
  * SECURITY UPDATE: Server-Side Request Forgery Vulnerability
    - debian/patches/CVE-2020-26258.patch: Fix access data streams from an
      arbitrary URL.
    - CVE-2020-26258
  * SECURITY UPDATE: Arbitrary code execution.
    - debian/patches/CVE-2021-21341-to-CVE-2021-21351.patch: The type
    hierarchies for java.io.InputStream, java.nio.channels.Channel,
    javax.activation.DataSource and javax.sql.rowsel.BaseRowSet are now
    blacklisted as well as the individual types
    com.sun.corba.se.impl.activation.ServerTableEntry,
    com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator,
    sun.awt.datatransfer.DataTransferer$IndexOrderComparator, and
    sun.swing.SwingLazyValue. Additionally the internal type
    Accessor$GetterSetterReflection of JAXB, the internal types
    MethodGetter$PrivilegedGetter and ServiceFinder$ServiceNameIterator of
    JAX-WS, all inner classes of javafx.collections.ObservableList and an
    internal ClassLoader used in a private BCEL copy are now part of the
    default blacklist and the deserialization of XML containing one of the two
    types will fail. You will have to enable these types by explicit
    configuration, if you need them.
    - CVE-2021-21341
    - CVE-2021-21342
    - CVE-2021-21343
    - CVE-2021-21344
    - CVE-2021-21345
    - CVE-2021-21346
    - CVE-2021-21347
    - CVE-2021-21348
    - CVE-2021-21349
    - CVE-2021-21350
    - CVE-2021-21351
  * Add a new maven rule to fix FTBFS.
    - debian/maven.ignoreRules: Add com.sun.xml.ws jaxws-rt.

Date: 2021-05-11 08:06:08.938014+00:00
Changed-By: Eduardo Barretto <eduardo.barretto at canonical.com>
https://launchpad.net/ubuntu/+source/libxstream-java/1.4.11.1-2ubuntu0.1
-------------- next part --------------
Sorry, changesfile not available.

More information about the Groovy-changes mailing list