Format: 1.8
Date: Thu, 29 Apr 2021 11:59:58 +0200
Source: libxstream-java
Binary: libxstream-java
Architecture: all
Version: 1.4.11.1-2ubuntu0.1
Distribution: groovy
Urgency: medium
Maintainer: Launchpad Build Daemon
Changed-By: Eduardo Barretto
Description:
 libxstream-java - Java library to serialize objects to XML and back again
Changes:
 libxstream-java (1.4.11.1-2ubuntu0.1) groovy-security; urgency=medium
 .
   * Merge from Debian
   * SECURITY UPDATE: Command Injection Vulnerability
     - debian/patches/CVE-2020-26217.patch: New predefined blacklist avoids
       vulnerability due to improper setup and update security vulnerability
       test to test default.
     - debian/patches/CVE-2020-26259.patch: Fix arbitrary File Deletion on the
       local host.
     - CVE-2020-26217
     - CVE-2020-26259
   * SECURITY UPDATE: Server-Side Request Forgery Vulnerability
     - debian/patches/CVE-2020-26258.patch: Fix access to data streams from an
       arbitrary URL.
     - CVE-2020-26258
   * SECURITY UPDATE: Arbitrary code execution.
     - debian/patches/CVE-2021-21341-to-CVE-2021-21351.patch: The type
       hierarchies for java.io.InputStream, java.nio.channels.Channel,
       javax.activation.DataSource and javax.sql.rowsel.BaseRowSet are now
       blacklisted as well as the individual types
       com.sun.corba.se.impl.activation.ServerTableEntry,
       com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator,
       sun.awt.datatransfer.DataTransferer$IndexOrderComparator, and
       sun.swing.SwingLazyValue. Additionally the internal type
       Accessor$GetterSetterReflection of JAXB, the internal types
       MethodGetter$PrivilegedGetter and ServiceFinder$ServiceNameIterator of
       JAX-WS, all inner classes of javafx.collections.ObservableList and an
       internal ClassLoader used in a private BCEL copy are now part of the
       default blacklist and the deserialization of XML containing one of the
       two types will fail. You will have to enable these types by explicit
       configuration, if you need them.
     - CVE-2021-21341
     - CVE-2021-21342
     - CVE-2021-21343
     - CVE-2021-21344
     - CVE-2021-21345
     - CVE-2021-21346
     - CVE-2021-21347
     - CVE-2021-21348
     - CVE-2021-21349
     - CVE-2021-21350
     - CVE-2021-21351
   * Add a new maven rule to fix FTBFS.
     - debian/maven.ignoreRules: Add com.sun.xml.ws jaxws-rt.
Checksums-Sha1:
 b15bcbe47221d93214a00f0116dfe293fe3f52c3 538232 libxstream-java_1.4.11.1-2ubuntu0.1_all.deb
 5ae0a97fe160d1c0e92a1965262d27bfca9ade7f 16555 libxstream-java_1.4.11.1-2ubuntu0.1_amd64.buildinfo
Checksums-Sha256:
 4348012e6b7d2310a47b17f4fdc485c5b6f160e9713247a871a481874611071e 538232 libxstream-java_1.4.11.1-2ubuntu0.1_all.deb
 807e14e6aeaafbb4bd276cd65a1b1ca1ce97076af2fdb584a57aaa5f29d921d0 16555 libxstream-java_1.4.11.1-2ubuntu0.1_amd64.buildinfo
Files:
 65d75c1122b757d9fe74cf7bc708e64d 538232 java optional libxstream-java_1.4.11.1-2ubuntu0.1_all.deb
 48127d90340c420a47fcd8b21a9045be 16555 java optional libxstream-java_1.4.11.1-2ubuntu0.1_amd64.buildinfo
Original-Maintainer: Debian Java Maintainers
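The changelog entry for CVE-2021-21341 to CVE-2021-21351 extends XStream's default blacklist and notes that any of the newly denied types must be enabled by explicit configuration if an application needs them. The same configuration mechanism, used the other way round, is what closes the whole class of bugs these patches chase one type at a time: replace the blacklist with an allowlist of the application's own types. The Java below is an added example, not code from the libxstream-java package or from the XStream project; the Order class, the element name "order" and the two XML documents are constructed for the illustration. It uses only the XStream security API available since 1.4.7 (addPermission, allowTypes, denyTypeHierarchy, denyTypesByWildcard), so it applies to the packaged 1.4.11.1.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

import java.io.InputStream;
import java.nio.channels.Channel;
import javax.sql.rowset.BaseRowSet;

/**
 * Allowlist configuration for XStream 1.4.7 and later.
 * Added example; not code from libxstream-java or from XStream itself.
 */
public class XStreamAllowlist {

    /** Hypothetical application type: the only object this service expects to read. */
    public static final class Order {
        public String id;
        public int quantity;
    }

    /** Build an XStream instance that rejects every type the application has not listed. */
    public static XStream hardened() {
        XStream xstream = new XStream();

        // Registering NoTypePermission.NONE drops every permission registered so far,
        // including the library's built-in blacklist. Whether that blacklist is the
        // patched or the unpatched one no longer matters: from here on a type is
        // rejected unless one of the permissions added below allows it.
        xstream.addPermission(NoTypePermission.NONE);
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);

        // The explicit allowlist: only the types this service actually unmarshals.
        // This is the "explicit configuration" the changelog refers to; an application
        // that really needs, say, a DataSource subclass would list it here.
        xstream.allowTypes(new Class[] { String.class, Order.class });
        xstream.alias("order", Order.class);

        // Defence in depth: permissions are checked newest first, so denies added
        // after the allowlist are evaluated before it. These are the hierarchies the
        // CVE-2021-21341..21351 patch adds to the default blacklist.
        xstream.denyTypeHierarchy(InputStream.class);
        xstream.denyTypeHierarchy(Channel.class);
        xstream.denyTypeHierarchy(BaseRowSet.class);
        // javax.activation is not part of the JDK from 11 on, so deny it by name
        // rather than by class literal (a name pattern, not a hierarchy check).
        xstream.denyTypesByWildcard(new String[] { "javax.activation.**" });
        return xstream;
    }

    /**
     * Unmarshal untrusted XML. A forbidden element name surfaces as
     * ForbiddenClassException at the top level, or wrapped in a ConversionException
     * when it is nested; both extend XStreamException, so one catch covers both.
     */
    public static Order parseOrder(XStream xstream, String xml) {
        try {
            Object o = xstream.fromXML(xml);
            return (o instanceof Order) ? (Order) o : null;
        } catch (XStreamException e) {
            System.err.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        XStream xstream = hardened();

        // Constructed sample input: the document the service legitimately expects.
        String good = "<order><id>A-17</id><quantity>3</quantity></order>";
        Order ok = parseOrder(xstream, good);
        System.out.println(ok != null ? "accepted order " + ok.id + " x" + ok.quantity : "rejected");

        // Constructed sample input: an element whose name resolves to a class in a
        // denied hierarchy (InputStream). The class is never instantiated; the
        // SecurityMapper rejects it as soon as the element name is resolved.
        String bad = "<java.io.FileInputStream><path>/etc/passwd</path></java.io.FileInputStream>";
        System.out.println(parseOrder(xstream, bad) == null
                ? "forbidden type rejected as expected"
                : "ACCEPTED (allowlist misconfigured)");
    }
}
```

Compile with the packaged jar on the classpath (on Ubuntu it is installed under /usr/share/java/xstream.jar by libxstream-java). The point of the ordering is that the allowlist, not the blacklist, is the security boundary: once NoTypePermission.NONE has been registered, a type that is missing from the vendor's blacklist is still rejected, so the application no longer depends on the next batch of CVE patches to stay safe.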