Format: 1.8
Date: Tue, 07 Mar 2023 09:33:10 +0000
Source: libxstream-java
Binary: libxstream-java
Architecture: all
Version: 1.4.11.1-1ubuntu0.3
Distribution: focal
Urgency: medium
Maintainer: Launchpad Build Daemon
Changed-By: Amir Naseredini
Description:
 libxstream-java - Java library to serialize objects to XML and back again
Closes: 1027754
Changes:
 libxstream-java (1.4.11.1-1ubuntu0.3) focal-security; urgency=medium
 .
   * Merge from Debian.
   * SECURITY UPDATE: RCE, DoS, and Obtain Sensitive Information.
     - debian/patches/CVE-2021-39154-[1-3].patch: Enable the security
       whitelist by default to prevent RCE vulnerabilities. XStream no
       longer uses a blacklist because it cannot be secured for general
       purpose.
     - CVE-2021-39139
     - CVE-2021-39140
     - CVE-2021-39141
     - CVE-2021-39144
     - CVE-2021-39145
     - CVE-2021-39146
     - CVE-2021-39147
     - CVE-2021-39148
     - CVE-2021-39149
     - CVE-2021-39150
     - CVE-2021-39151
     - CVE-2021-39152
     - CVE-2021-39153
     - CVE-2021-39154
   * SECURITY UPDATE: Denial of Service
     - debian/patches/CVE-2022-41966.patch: XStream serializes Java objects
       to XML and back again. Prior versions may allow a remote attacker to
       terminate the application with a stack overflow error, resulting in
       a denial of service only via manipulation of the processed input
       stream. The attack uses the hash code implementation for collections
       and maps to force recursive hash calculation causing a stack
       overflow. This issue is patched in this version, which handles the
       stack overflow and raises an InputManipulationException instead. A
       potential workaround for users who only use HashMap or HashSet and
       whose XML refers these only as default map or set, is to change the
       default implementation of java.util.Map and java.util per the code
       example in the referenced advisory. However, this implies that your
       application does not care about the implementation of the map and
       all elements are comparable. (Closes: #1027754)
     - CVE-2022-41966
Checksums-Sha1:
 457d446259e9e45663c725b73d8ee3e4ddadbe29 540008 libxstream-java_1.4.11.1-1ubuntu0.3_all.deb
 ade16973ffcccf35f66d7750e9b50243985282bf 17045 libxstream-java_1.4.11.1-1ubuntu0.3_amd64.buildinfo
Checksums-Sha256:
 51552b06280c73e06a48a03650c83ca1ef2eec9321003e8f8937f51ebc63d31e 540008 libxstream-java_1.4.11.1-1ubuntu0.3_all.deb
 ab57a2ec2051f9e7ee7888605b071389817af1a5d4120f990d3211fe1a8d5a6e 17045 libxstream-java_1.4.11.1-1ubuntu0.3_amd64.buildinfo
Files:
 9c4c3da66cd4b369091c0a4d74dc9d09 540008 java optional libxstream-java_1.4.11.1-1ubuntu0.3_all.deb
 abb51fffc180eb2e33ac18fa37563097 17045 java optional libxstream-java_1.4.11.1-1ubuntu0.3_amd64.buildinfo
Original-Maintainer: Debian Java Maintainers
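The two changelog entries above describe a configuration change (the type allowlist replacing the old blacklist) and a workaround (swapping the default Map/Set implementations) without showing either. The following is an added example, not code from the Debian package or from the XStream project: it builds an XStream instance that starts from "no type allowed", opens the allowlist only for the application's own types, and applies the TreeMap/TreeSet default-implementation change that the upstream advisory for CVE-2022-41966 gives as its workaround. The `Greeting` class, the `greeting` alias and the two XML documents are constructed for the example; the XStream API calls (`addPermission`, `allowTypes`, `allowTypeHierarchy`, `addDefaultImplementation`) and the `ForbiddenClassException` type are real XStream APIs present in 1.4.11.1.

```java
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import java.util.TreeSet;

import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class HardenedXStream {

    // Hypothetical application type, standing in for whatever the real
    // application actually serializes.
    public static class Greeting {
        public String text;
        public Map<String, String> attributes;
    }

    public static XStream newHardenedInstance() {
        XStream xstream = new XStream();

        // Allowlist: deny every type first, then permit only what the
        // application needs. This is the posture the Ubuntu patch makes the
        // default; setting it explicitly does not hurt and makes the intent
        // visible to reviewers.
        xstream.addPermission(NoTypePermission.NONE);
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] {String.class, Greeting.class});
        xstream.allowTypeHierarchy(Map.class);
        xstream.allowTypeHierarchy(Set.class);

        // CVE-2022-41966 workaround from the upstream advisory: unmarshal
        // the generic <map>/<set> elements as TreeMap/TreeSet, whose hashCode
        // is not recursive. Caveat (as the changelog notes): every key and
        // element must then be Comparable, and the application must not rely
        // on HashMap/HashSet semantics or iteration order.
        xstream.addDefaultImplementation(TreeMap.class, Map.class);
        xstream.addDefaultImplementation(TreeSet.class, Set.class);

        xstream.alias("greeting", Greeting.class);
        return xstream;
    }

    // Constructed input that matches the allowlist.
    static final String GOOD_XML =
        "<greeting>"
      + "  <text>hello</text>"
      + "  <attributes><entry><string>lang</string><string>en</string></entry></attributes>"
      + "</greeting>";

    // Constructed input naming a class that is NOT on the allowlist. The
    // class is harmless here; the point is that the mapper refuses it before
    // any instance is created.
    static final String REJECTED_XML = "<java.lang.ProcessBuilder/>";

    public static void main(String[] args) {
        XStream xstream = newHardenedInstance();

        Greeting g = (Greeting) xstream.fromXML(GOOD_XML);
        System.out.println("text=" + g.text
            + " attributes=" + g.attributes.getClass().getSimpleName()
            + " lang=" + g.attributes.get("lang"));

        try {
            xstream.fromXML(REJECTED_XML);
            System.out.println("unexpected: non-allowlisted type was accepted");
        } catch (ForbiddenClassException e) {
            System.out.println("rejected by allowlist: " + e.getMessage());
        } catch (XStreamException e) {
            // Patched builds raise InputManipulationException (an
            // XStreamException) for the recursive-hash DoS; catching the
            // base type keeps one handler for all hostile input.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Running this against the patched library prints the unmarshalled greeting (with `attributes` reported as a `TreeMap`) and then a `ForbiddenClassException` for the second document. Two checks a practitioner should add when adopting this: confirm that none of the application's XML names `java.util.HashMap` or `java.util.HashSet` explicitly, because `addDefaultImplementation` only affects the generic `<map>` and `<set>` elements, and confirm that `allowTypeHierarchy(Map.class)` is really needed; if the model only ever uses concrete types, `allowTypes` on those types is the tighter choice.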