Format: 1.8
Date: Tue, 01 Dec 2020 23:35:51 +0100
Source: libxstream-java
Binary: libxstream-java
Architecture: source all
Version: 1.4.11.1-1+deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 libxstream-java - Java library to serialize objects to XML and back again
Changes:
 libxstream-java (1.4.11.1-1+deb10u1) buster-security; urgency=high
 .
   * Team upload.
   * Fix CVE-2020-26217:
     It was found that XStream is vulnerable to Remote Code Execution. The
     vulnerability may allow a remote attacker to run arbitrary shell commands
     only by manipulating the processed input stream. Users who rely on
     blocklists are affected (the default in Debian). We strongly recommend to
     use the whitelist approach of XStream's Security Framework because there
     are likely more class combinations the blacklist approach may not address.