libxstream-java 1.4.11.1-1ubuntu0.3 source package in Ubuntu
Changelog
libxstream-java (1.4.11.1-1ubuntu0.3) focal-security; urgency=medium
* Merge from Debian.
* SECURITY UPDATE: RCE, DoS, and Obtain Sensitive Information.
- debian/patches/CVE-2021-39154-[1-3].patch: Enable the security
whitelist by default to prevent RCE vulnerabilities. XStream no longer
uses a blacklist because it cannot be secured for general purpose.
- CVE-2021-39139
- CVE-2021-39140
- CVE-2021-39141
- CVE-2021-39144
- CVE-2021-39145
- CVE-2021-39146
- CVE-2021-39147
- CVE-2021-39148
- CVE-2021-39149
- CVE-2021-39150
- CVE-2021-39151
- CVE-2021-39152
- CVE-2021-39153
- CVE-2021-39154
* SECURITY UPDATE: Denial of Service
- debian/patches/CVE-2022-41966.patch: XStream serializes Java objects to
XML and back again. Prior versions may allow a remote attacker to
terminate the application with a stack overflow error, resulting in a
denial of service only via manipulation of the processed input stream.
The attack uses the hash code implementation for collections and maps
to force recursive hash calculation causing a stack overflow. This
issue is patched in this version which handles the stack overflow and
raises an InputManipulationException instead. A potential workaround
for users who only use HashMap or HashSet and whose XML refers these
only as default map or set, is to change the default implementation of
java.util.Map and java.util per the code example in the referenced
advisory. However, this implies that your application does not care
about the implementation of the map and all elements are comparable.
(Closes: #1027754)
- CVE-2022-41966
-- Amir Naseredini <email address hidden> Tue, 07 Mar 2023 09:33:10 +0000
Upload details
- Uploaded by:
- Amir Naseredini
- Uploaded to:
- Focal
- Original maintainer:
- Ubuntu Developers
- Architectures:
- all
- Section:
- java
- Urgency:
- Medium Urgency
See full publishing history Publishing
| Series | Published | Component | Section | |
|---|---|---|---|---|
| Focal | updates | universe | libs | |
| Focal | security | universe | libs |
Downloads
| File | Size | SHA-256 Checksum |
|---|---|---|
| libxstream-java_1.4.11.1.orig.tar.xz | 434.7 KiB | 24eb3173a9c4be2d30cdf7271336870c147e1bb0cee0bcc512d6198d7a12d038 |
| libxstream-java_1.4.11.1-1ubuntu0.3.debian.tar.xz | 15.3 KiB | 34db882cce90e4ea962660ce63155cfdc07ed6818788b6f4c9fa785184f75307 |
| libxstream-java_1.4.11.1-1ubuntu0.3.dsc | 2.3 KiB | b0a9ae8ca29bbefa653c17765833f07eedc86e38dc63e09088a71b60e9bf8506 |
Available diffs
Binary packages built by this source
- libxstream-java: Java library to serialize objects to XML and back again
The features of the XStream library are:
.
- Ease of use. A high level facade is supplied that simplifies common
use cases.
- No mappings required. Most objects can be serialized without need
for specifying mappings.
- Performance. Speed and low memory footprint are a crucial part of
the design, making it suitable for large object graphs or systems
with high message throughput.
- Clean XML. No information is duplicated that can be obtained via
reflection. This results in XML that is easier to read for humans
and more compact than native Java serialization.
- Requires no modifications to objects. Serializes internal fields,
including private and final. Supports non-public and inner classes.
Classes are not required to have default constructor.
- Full object graph support. Duplicate references encountered in the
object-model will be maintained. Supports circular references.
- Integrates with other XML APIs. By implementing an interface,
XStream can serialize directly to/from any tree structure (not just
XML).
- Customizable conversion strategies. Strategies can be registered
allowing customization of how particular types are represented as
XML.
- Error messages. When an exception occurs due to malformed XML,
detailed diagnostics are provided to help isolate and fix the
problem.
- Alternative output format. The modular design allows other output
formats. XStream ships currently with JSON support and morphing.
