UbuntuUpdates.org

Package "libxstream-java"

Name: libxstream-java

Description:

Java library to serialize objects to XML and back again

Latest version: 1.4.11.1-1ubuntu0.3
Release: focal (20.04)
Level: updates
Repository: universe
Homepage: http://x-stream.github.io

Links


Download "libxstream-java"


Other versions of "libxstream-java" in Focal

Repository Area Version
base universe 1.4.11.1-1
security universe 1.4.11.1-1ubuntu0.3

Changelog

Version: 1.4.11.1-1ubuntu0.3 2023-03-14 05:06:59 UTC

  libxstream-java (1.4.11.1-1ubuntu0.3) focal-security; urgency=medium

  * Merge from Debian.
  * SECURITY UPDATE: RCE, DoS, and Obtain Sensitive Information.
    - debian/patches/CVE-2021-39154-[1-3].patch: Enable the security
      whitelist by default to prevent RCE vulnerabilities. XStream no longer
      uses a blacklist because it cannot be secured for general purpose.
    - CVE-2021-39139
    - CVE-2021-39140
    - CVE-2021-39141
    - CVE-2021-39144
    - CVE-2021-39145
    - CVE-2021-39146
    - CVE-2021-39147
    - CVE-2021-39148
    - CVE-2021-39149
    - CVE-2021-39150
    - CVE-2021-39151
    - CVE-2021-39152
    - CVE-2021-39153
    - CVE-2021-39154
  * SECURITY UPDATE: Denial of Service
    - debian/patches/CVE-2022-41966.patch: XStream serializes Java objects to
      XML and back again. Prior versions may allow a remote attacker to
      terminate the application with a stack overflow error, resulting in a
      denial of service only via manipulation of the processed input stream.
      The attack uses the hash code implementation for collections and maps
      to force recursive hash calculation causing a stack overflow. This
      issue is patched in this version which handles the stack overflow and
      raises an InputManipulationException instead. A potential workaround
      for users who only use HashMap or HashSet and whose XML refers these
      only as default map or set, is to change the default implementation of
      java.util.Map and java.util per the code example in the referenced
      advisory. However, this implies that your application does not care
      about the implementation of the map and all elements are comparable.
      (Closes: #1027754)
    - CVE-2022-41966

 -- Amir Naseredini <email address hidden> Tue, 07 Mar 2023 09:33:10 +0000

Source diff to previous version
1027754 libxstream-java: CVE-2022-41966
CVE-2021-39154 XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load a
CVE-2021-39139 XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load a
CVE-2021-39140 XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to alloca
CVE-2021-39141 XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load a
CVE-2021-39144 XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker has suffi
CVE-2021-39145 XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load a
CVE-2021-39146 XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load a
CVE-2021-39147 XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load a
CVE-2021-39148 XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load a
CVE-2021-39149 XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load a
CVE-2021-39150 XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to reques
CVE-2021-39151 XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load a
CVE-2021-39152 XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to reques
CVE-2021-39153 XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load a
CVE-2022-41966 XStream serializes Java objects to XML and back again. Versions prior to 1.4.20 may allow a remote attacker to terminate the application with a stack

Version: 1.4.11.1-1ubuntu0.2 2021-05-11 13:06:25 UTC

  libxstream-java (1.4.11.1-1ubuntu0.2) focal-security; urgency=medium

  * Merge from Debian.
  * SECURITY UPDATE: Arbitrary code execution.
    - debian/patches/CVE-2021-21341-to-CVE-2021-21351.patch: The type
    hierarchies for java.io.InputStream, java.nio.channels.Channel,
    javax.activation.DataSource and javax.sql.rowsel.BaseRowSet are now
    blacklisted as well as the individual types
    com.sun.corba.se.impl.activation.ServerTableEntry,
    com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator,
    sun.awt.datatransfer.DataTransferer$IndexOrderComparator, and
    sun.swing.SwingLazyValue. Additionally the internal type
    Accessor$GetterSetterReflection of JAXB, the internal types
    MethodGetter$PrivilegedGetter and ServiceFinder$ServiceNameIterator of
    JAX-WS, all inner classes of javafx.collections.ObservableList and an
    internal ClassLoader used in a private BCEL copy are now part of the
    default blacklist and the deserialization of XML containing one of the two
    types will fail. You will have to enable these types by explicit
    configuration, if you need them.
    - CVE-2021-21341
    - CVE-2021-21342
    - CVE-2021-21343
    - CVE-2021-21344
    - CVE-2021-21345
    - CVE-2021-21346
    - CVE-2021-21347
    - CVE-2021-21348
    - CVE-2021-21349
    - CVE-2021-21350
    - CVE-2021-21351

 -- Eduardo Barretto <email address hidden> Wed, 28 Apr 2021 15:01:42 +0200

Source diff to previous version
CVE-2021-21341 XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is vulnerability which may allow a remo
CVE-2021-21351 XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability may allow a remote a
CVE-2021-21342 XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed
CVE-2021-21343 XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed
CVE-2021-21344 XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a re
CVE-2021-21345 XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a re
CVE-2021-21346 XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a re
CVE-2021-21347 XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a re
CVE-2021-21348 XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a re
CVE-2021-21349 XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a re
CVE-2021-21350 XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a re

Version: 1.4.11.1-1ubuntu0.1 2021-01-28 22:07:03 UTC

  libxstream-java (1.4.11.1-1ubuntu0.1) focal-security; urgency=medium

  * SECURITY UPDATE: Command Injection Vulnerability
    - debian/patches/CVE-2020-26217.patch: New predefined blacklist avoids
      vulnerability due to improper setup and update security vulnerability
      test to test default.
    - debian/patches/CVE-2020-26259.patch: Fix arbitrary File Deletion on the
      local host.
    - CVE-2020-26217
    - CVE-2020-26259
  * SECURITY UPDATE: Server-Side Request Forgery Vulnerability
    - debian/patches/CVE-2020-26258.patch: Fix access data streams from an
      arbitrary URL.
    - CVE-2020-26258
  * Add a new maven rule to fix FTBFS.
    - debian/maven.ignoreRules: Add com.sun.xml.ws jaxws-rt.

 -- Paulo Flabiano Smorigo <email address hidden> Wed, 27 Jan 2021 12:57:43 +0000

CVE-2020-26217 XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker to run arbitrary shell commands on
CVE-2020-26259 XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, is vulnerable to an Arbitrary File Deletion o
CVE-2020-26258 XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, a Server-Side Forgery Request vulnerability c



About   -   Send Feedback to @ubuntu_updates