Format: 1.8
Date: Sat, 03 Apr 2021 19:17:05 +0200
Source: libxstream-java
Architecture: source
Version: 1.4.15-2
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Changes:
 libxstream-java (1.4.15-2) unstable; urgency=high
 .
   * Team upload.
   * Fix CVE-2021-21341 to CVE-2021-21351:
     In XStream there is a vulnerability which may allow a remote attacker
     to load and execute arbitrary code from a remote host only by
     manipulating the processed input stream.
 .
     The type hierarchies for java.io.InputStream,
     java.nio.channels.Channel, javax.activation.DataSource and
     javax.sql.rowset.BaseRowSet are now blacklisted as well as the
     individual types com.sun.corba.se.impl.activation.ServerTableEntry,
     com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator,
     sun.awt.datatransfer.DataTransferer$IndexOrderComparator, and
     sun.swing.SwingLazyValue. Additionally the internal type
     Accessor$GetterSetterReflection of JAXB, the internal types
     MethodGetter$PrivilegedGetter and ServiceFinder$ServiceNameIterator of
     JAX-WS, all inner classes of javafx.collections.ObservableList and an
     internal ClassLoader used in a private BCEL copy are now part of the
     default blacklist and the deserialization of XML containing one of the
     two types will fail. You will have to enable these types by explicit
     configuration, if you need them.