Format: 1.8
Date: Mon, 30 Nov 2020 00:04:50 +0100
Source: libxstream-java
Binary: libxstream-java
Architecture: source
Version: 1.4.9-2+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 libxstream-java - Java library to serialize objects to XML and back again
Changes:
 libxstream-java (1.4.9-2+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * XStream is vulnerable to Remote Code Execution. The vulnerability may
     allow a remote attacker to run arbitrary shell commands only by
     manipulating the processed input stream. Only users who rely on
     blocklists are affected. Anyone using XStream's Security Framework
     allowlist is not affected.