[ubuntu/kinetic-security] libxstream-java 1.4.19-1ubuntu0.1 (Accepted)
Amir Naseredini
amir.naseredini at canonical.com
Mon Mar 13 10:39:29 UTC 2023
libxstream-java (1.4.19-1ubuntu0.1) kinetic-security; urgency=medium
* SECURITY UPDATE: Denial of Service
- debian/patches/CVE-2022-41966.patch: XStream serializes Java objects to
XML and back again. Prior versions may allow a remote attacker to
terminate the application with a stack overflow error, resulting in a
denial of service only via manipulation of the processed input stream.
The attack uses the hash code implementation for collections and maps
to force recursive hash calculation causing a stack overflow. This
issue is patched in this version which handles the stack overflow and
raises an InputManipulationException instead. A potential workaround
for users who only use HashMap or HashSet and whose XML refers these
only as default map or set, is to change the default implementation of
java.util.Map and java.util per the code example in the referenced
advisory. However, this implies that your application does not care
about the implementation of the map and all elements are comparable.
(Closes: #1027754)
- CVE-2022-41966
Date: 2023-03-10 11:53:09.064123+00:00
Changed-By: Amir Naseredini <amir.naseredini at canonical.com>
https://launchpad.net/ubuntu/+source/libxstream-java/1.4.19-1ubuntu0.1
-------------- next part --------------
Sorry, changesfile not available.
More information about the kinetic-changes
mailing list