Format: 1.8
Date: Thu, 31 Dec 2020 14:15:35 +0100
Source: libxstream-java
Binary: libxstream-java
Architecture: source
Version: 1.4.11.1-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 libxstream-java - Java library to serialize objects to XML and back again
Changes:
 libxstream-java (1.4.11.1-1+deb9u1) stretch-security; urgency=high
 .
   * Team upload.
   * Fix CVE-2020-26258:
     XStream is vulnerable to a Server-Side Forgery Request which can be
     activated when unmarshalling. The vulnerability may allow a remote
     attacker to request data from internal resources that are not publicly
     available only by manipulating the processed input stream.
   * Fix CVE-2020-26259:
     XStream is vulnerable to an Arbitrary File Deletion on the local host
     when unmarshalling. The vulnerability may allow a remote attacker to
     delete arbitrary known files on the host as long as the executing
     process has sufficient rights only by manipulating the processed input
     stream.