Change logs for libxstream-java source package in Focal

  • libxstream-java (1.4.11.1-1ubuntu0.3) focal-security; urgency=medium
    
      * Merge from Debian.
      * SECURITY UPDATE: RCE, DoS, and Obtain Sensitive Information.
        - debian/patches/CVE-2021-39154-[1-3].patch: Enable the security
          whitelist by default to prevent RCE vulnerabilities. XStream no longer
          uses a blacklist because it cannot be secured for general purpose.
        - CVE-2021-39139
        - CVE-2021-39140
        - CVE-2021-39141
        - CVE-2021-39144
        - CVE-2021-39145
        - CVE-2021-39146
        - CVE-2021-39147
        - CVE-2021-39148
        - CVE-2021-39149
        - CVE-2021-39150
        - CVE-2021-39151
        - CVE-2021-39152
        - CVE-2021-39153
        - CVE-2021-39154
      * SECURITY UPDATE: Denial of Service
        - debian/patches/CVE-2022-41966.patch: XStream serializes Java objects to
          XML and back again. Prior versions may allow a remote attacker to
          terminate the application with a stack overflow error, resulting in a
          denial of service only via manipulation of the processed input stream.
          The attack uses the hash code implementation for collections and maps
          to force recursive hash calculation causing a stack overflow. This
          issue is patched in this version which handles the stack overflow and
          raises an InputManipulationException instead. A potential workaround
          for users who only use HashMap or HashSet and whose XML refers these
          only as default map or set, is to change the default implementation of
          java.util.Map and java.util per the code example in the referenced
          advisory. However, this implies that your application does not care
          about the implementation of the map and all elements are comparable.
          (Closes: #1027754)
        - CVE-2022-41966
    
     -- Amir Naseredini <email address hidden>  Tue, 07 Mar 2023 09:33:10 +0000
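Added example (not part of the changelog or of the XStream project): a Java configuration that applies the two defensive measures the entries above describe, an explicit type allowlist instead of the old blacklist, and the `java.util.Map`/`java.util.Set` default-implementation workaround from the CVE-2022-41966 advisory. The `Person` class, the helper names and the sample XML are assumptions; it expects an XStream 1.4.x jar with these security patches on the classpath.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

import java.util.Collection;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import java.util.TreeSet;

public class XStreamHardening {

    // Hypothetical application type: the only object graph we expect in the XML.
    public static class Person {
        public String name;
        public int age;
    }

    public static XStream buildHardenedXStream() {
        XStream xstream = new XStream();

        // Deny everything first, then allow only what the application needs.
        // This is the allowlist the CVE-2021-39154 patches enable by default;
        // doing it explicitly also protects unpatched 1.4.x builds.
        xstream.addPermission(NoTypePermission.NONE);
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { String.class, Person.class });
        xstream.allowTypeHierarchy(Collection.class);
        xstream.allowTypeHierarchy(Map.class);

        // CVE-2022-41966 workaround: TreeMap/TreeSet order keys by comparison,
        // not by hash code, so nested maps in the input cannot trigger the
        // recursive hashCode() that overflows the stack with HashMap/HashSet.
        // Only valid if the application accepts any Map/Set implementation
        // and every key/element is Comparable.
        xstream.addDefaultImplementation(TreeMap.class, Map.class);
        xstream.addDefaultImplementation(TreeSet.class, Set.class);
        return xstream;
    }

    // Constructed input naming a JDK type that is not on the allowlist;
    // the security mapper raises ForbiddenClassException (an XStreamException).
    public static boolean rejectsUnexpectedType(XStream xstream) {
        try {
            xstream.fromXML("<java.util.Locale/>");
            return false;
        } catch (XStreamException e) {
            return true;
        }
    }
}
```

A round trip of a `Person` through `toXML`/`fromXML` on this instance still works, while `rejectsUnexpectedType` returns `true`.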
  • libxstream-java (1.4.11.1-1ubuntu0.2) focal-security; urgency=medium
    
      * Merge from Debian.
      * SECURITY UPDATE: Arbitrary code execution.
        - debian/patches/CVE-2021-21341-to-CVE-2021-21351.patch: The type
          hierarchies for java.io.InputStream, java.nio.channels.Channel,
          javax.activation.DataSource and javax.sql.rowset.BaseRowSet are now
          blacklisted as well as the individual types
          com.sun.corba.se.impl.activation.ServerTableEntry,
          com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator,
          sun.awt.datatransfer.DataTransferer$IndexOrderComparator, and
          sun.swing.SwingLazyValue. Additionally the internal type
          Accessor$GetterSetterReflection of JAXB, the internal types
          MethodGetter$PrivilegedGetter and ServiceFinder$ServiceNameIterator of
          JAX-WS, all inner classes of javafx.collections.ObservableList and an
          internal ClassLoader used in a private BCEL copy are now part of the
          default blacklist and the deserialization of XML containing one of the two
          types will fail. You will have to enable these types by explicit
          configuration, if you need them.
        - CVE-2021-21341
        - CVE-2021-21342
        - CVE-2021-21343
        - CVE-2021-21344
        - CVE-2021-21345
        - CVE-2021-21346
        - CVE-2021-21347
        - CVE-2021-21348
        - CVE-2021-21349
        - CVE-2021-21350
        - CVE-2021-21351
    
     -- Eduardo Barretto <email address hidden>  Wed, 28 Apr 2021 15:01:42 +0200
  • libxstream-java (1.4.11.1-1ubuntu0.1) focal-security; urgency=medium
    
      * SECURITY UPDATE: Command Injection Vulnerability
        - debian/patches/CVE-2020-26217.patch: New predefined blacklist avoids
          vulnerability due to improper setup and update security vulnerability
          test to test default.
        - debian/patches/CVE-2020-26259.patch: Fix arbitrary File Deletion on the
          local host.
        - CVE-2020-26217
        - CVE-2020-26259
      * SECURITY UPDATE: Server-Side Request Forgery Vulnerability
        - debian/patches/CVE-2020-26258.patch: Fix access data streams from an
          arbitrary URL.
        - CVE-2020-26258
      * Add a new maven rule to fix FTBFS.
        - debian/maven.ignoreRules: Add com.sun.xml.ws jaxws-rt.
    
     -- Paulo Flabiano Smorigo <email address hidden>  Wed, 27 Jan 2021 12:57:43 +0000
  • libxstream-java (1.4.11.1-1) unstable; urgency=medium
    
      * Team upload.
      * New upstream version 1.4.11.1.
    
     -- Markus Koschany <email address hidden>  Sun, 11 Nov 2018 00:04:59 +0100