libxstream-java source package in Ubuntu


libxstream-java ( groovy-security; urgency=medium

  * Merge from Debian
  * SECURITY UPDATE: Command Injection Vulnerability
    - debian/patches/CVE-2020-26217.patch: New predefined blacklist avoids
      vulnerability due to improper setup and update security vulnerability
      test to test default.
    - debian/patches/CVE-2020-26259.patch: Fix arbitrary File Deletion on the
      local host.
    - CVE-2020-26217
    - CVE-2020-26259
  * SECURITY UPDATE: Server-Side Request Forgery Vulnerability
    - debian/patches/CVE-2020-26258.patch: Fix access data streams from an
      arbitrary URL.
    - CVE-2020-26258
  * SECURITY UPDATE: Arbitrary code execution.
    - debian/patches/CVE-2021-21341-to-CVE-2021-21351.patch: The type
    hierarchies for, java.nio.channels.Channel,
    javax.activation.DataSource and javax.sql.rowsel.BaseRowSet are now
    blacklisted as well as the individual types,$NameProcessIterator,
    sun.awt.datatransfer.DataTransferer$IndexOrderComparator, and
    sun.swing.SwingLazyValue. Additionally the internal type
    Accessor$GetterSetterReflection of JAXB, the internal types
    MethodGetter$PrivilegedGetter and ServiceFinder$ServiceNameIterator of
    JAX-WS, all inner classes of javafx.collections.ObservableList and an
    internal ClassLoader used in a private BCEL copy are now part of the
    default blacklist and the deserialization of XML containing one of the two
    types will fail. You will have to enable these types by explicit
    configuration, if you need them.
    - CVE-2021-21341
    - CVE-2021-21342
    - CVE-2021-21343
    - CVE-2021-21344
    - CVE-2021-21345
    - CVE-2021-21346
    - CVE-2021-21347
    - CVE-2021-21348
    - CVE-2021-21349
    - CVE-2021-21350
    - CVE-2021-21351
  * Add a new maven rule to fix FTBFS.
    - debian/maven.ignoreRules: Add jaxws-rt.

 -- Eduardo Barretto <email address hidden>  Thu, 29 Apr 2021 11:59:58 +0200

Upload details

Uploaded by:
Eduardo Barretto
Uploaded to:
Original maintainer:
Ubuntu Developers
Medium Urgency

See full publishing history Publishing

Series Pocket Published Component Section
Groovy updates universe libs
Groovy security universe libs


Groovy: [FULLYBUILT] amd64


File Size SHA-256 Checksum
libxstream-java_1.4.11.1.orig.tar.xz 434.7 KiB 24eb3173a9c4be2d30cdf7271336870c147e1bb0cee0bcc512d6198d7a12d038
libxstream-java_1.4.11.1-2ubuntu0.1.debian.tar.xz 12.3 KiB ee7628dfb781350943715cb51825ffda9e2d010dc6f5efcfdf90d80c890d1185
libxstream-java_1.4.11.1-2ubuntu0.1.dsc 2.4 KiB c9bfe1b2f8da39ae51a5368f7e35cdf6d3f21a792056b86a3f82e38a6100abca

View changes file

Binary packages built by this source

libxstream-java: Java library to serialize objects to XML and back again

 The features of the XStream library are:
  - Ease of use. A high level facade is supplied that simplifies common
    use cases.
  - No mappings required. Most objects can be serialized without need
    for specifying mappings.
  - Performance. Speed and low memory footprint are a crucial part of
    the design, making it suitable for large object graphs or systems
    with high message throughput.
  - Clean XML. No information is duplicated that can be obtained via
    reflection. This results in XML that is easier to read for humans
    and more compact than native Java serialization.
  - Requires no modifications to objects. Serializes internal fields,
    including private and final. Supports non-public and inner classes.
    Classes are not required to have default constructor.
  - Full object graph support. Duplicate references encountered in the
    object-model will be maintained. Supports circular references.
  - Integrates with other XML APIs. By implementing an interface,
    XStream can serialize directly to/from any tree structure (not just
  - Customizable conversion strategies. Strategies can be registered
    allowing customization of how particular types are represented as
  - Error messages. When an exception occurs due to malformed XML,
    detailed diagnostics are provided to help isolate and fix the
  - Alternative output format. The modular design allows other output
    formats. XStream ships currently with JSON support and morphing.