Format: 1.8
Date: Sat, 03 Apr 2021 19:17:05 +0200
Source: libxstream-java
Binary: libxstream-java
Architecture: source
Version: 1.4.11.1-1+deb9u2
Distribution: stretch-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 libxstream-java - Java library to serialize objects to XML and back again
Changes:
 libxstream-java (1.4.11.1-1+deb9u2) stretch-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Fix CVE-2021-21341 to CVE-2021-21351:
     In XStream there is a vulnerability which may allow a remote attacker to
     load and execute arbitrary code from a remote host only by manipulating
     the processed input stream.
 .
     The type hierarchies for java.io.InputStream, java.nio.channels.Channel,
     javax.activation.DataSource and javax.sql.rowset.BaseRowSet are now
     blacklisted as well as the individual types
     com.sun.corba.se.impl.activation.ServerTableEntry,
     com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator,
     sun.awt.datatransfer.DataTransferer$IndexOrderComparator, and
     sun.swing.SwingLazyValue. Additionally the internal type
     Accessor$GetterSetterReflection of JAXB, the internal types
     MethodGetter$PrivilegedGetter and ServiceFinder$ServiceNameIterator of
     JAX-WS, all inner classes of javafx.collections.ObservableList and an
     internal ClassLoader used in a private BCEL copy are now part of the
     default blacklist and the deserialization of XML containing one of the
     two types will fail. You will have to enable these types by explicit
     configuration, if you need them.