Changelog
libxstream-java (1.4.11.1-2ubuntu0.1) groovy-security; urgency=medium
* Merge from Debian
* SECURITY UPDATE: Command Injection Vulnerability
- debian/patches/CVE-2020-26217.patch: New predefined blacklist avoids
vulnerability due to improper setup and update security vulnerability
test to test default.
- debian/patches/CVE-2020-26259.patch: Fix arbitrary File Deletion on the
local host.
- CVE-2020-26217
- CVE-2020-26259
* SECURITY UPDATE: Server-Side Request Forgery Vulnerability
- debian/patches/CVE-2020-26258.patch: Fix access data streams from an
arbitrary URL.
- CVE-2020-26258
* SECURITY UPDATE: Arbitrary code execution.
- debian/patches/CVE-2021-21341-to-CVE-2021-21351.patch: The type
hierarchies for java.io.InputStream, java.nio.channels.Channel,
javax.activation.DataSource and javax.sql.rowsel.BaseRowSet are now
blacklisted as well as the individual types
com.sun.corba.se.impl.activation.ServerTableEntry,
com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator,
sun.awt.datatransfer.DataTransferer$IndexOrderComparator, and
sun.swing.SwingLazyValue. Additionally the internal type
Accessor$GetterSetterReflection of JAXB, the internal types
MethodGetter$PrivilegedGetter and ServiceFinder$ServiceNameIterator of
JAX-WS, all inner classes of javafx.collections.ObservableList and an
internal ClassLoader used in a private BCEL copy are now part of the
default blacklist and the deserialization of XML containing one of the two
types will fail. You will have to enable these types by explicit
configuration, if you need them.
- CVE-2021-21341
- CVE-2021-21342
- CVE-2021-21343
- CVE-2021-21344
- CVE-2021-21345
- CVE-2021-21346
- CVE-2021-21347
- CVE-2021-21348
- CVE-2021-21349
- CVE-2021-21350
- CVE-2021-21351
* Add a new maven rule to fix FTBFS.
- debian/maven.ignoreRules: Add com.sun.xml.ws jaxws-rt.
-- Eduardo Barretto <email address hidden> Thu, 29 Apr 2021 11:59:58 +0200
