Accepted libxstream-java 1.4.11.1-1+deb9u2 (source) into oldstable
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 03 Apr 2021 19:17:05 +0200
Source: libxstream-java
Binary: libxstream-java
Architecture: source
Version: 1.4.11.1-1+deb9u2
Distribution: stretch-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 libxstream-java - Java library to serialize objects to XML and back again
Changes:
 libxstream-java (1.4.11.1-1+deb9u2) stretch-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Fix CVE-2021-21341 to CVE-2021-21351:
     In XStream there is a vulnerability which may allow a remote attacker to
     load and execute arbitrary code from a remote host only by manipulating the
     processed input stream.
 .
     The type hierarchies for java.io.InputStream, java.nio.channels.Channel,
     javax.activation.DataSource and javax.sql.rowset.BaseRowSet are now
     blacklisted as well as the individual types
     com.sun.corba.se.impl.activation.ServerTableEntry,
     com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator,
     sun.awt.datatransfer.DataTransferer$IndexOrderComparator, and
     sun.swing.SwingLazyValue. Additionally the internal type
     Accessor$GetterSetterReflection of JAXB, the internal types
     MethodGetter$PrivilegedGetter and ServiceFinder$ServiceNameIterator of
     JAX-WS, all inner classes of javafx.collections.ObservableList and an
     internal ClassLoader used in a private BCEL copy are now part of the
     default blacklist and the deserialization of XML containing one of the two
     types will fail. You will have to enable these types by explicit
     configuration, if you need them.
Checksums-Sha1:
4f40f7c65aadfb411e6031b688b41b331021e5af 2586 libxstream-java_1.4.11.1-1+deb9u2.dsc
4708b69aa92f67b34abfec9b2a74c4eb243a43a3 12416 libxstream-java_1.4.11.1-1+deb9u2.debian.tar.xz
3239d111a6eb83a4c7ade6fff74b7b1b367d908a 16561 libxstream-java_1.4.11.1-1+deb9u2_amd64.buildinfo
Checksums-Sha256:
284116d98a421c429f2bb948191e0c4884e720cf4007084ee7f04603eda2bdad 2586 libxstream-java_1.4.11.1-1+deb9u2.dsc
fa7eff07154c7a46f1fed8db0c9e1560d863f64a701138eb65eb21c79d9cfd5e 12416 libxstream-java_1.4.11.1-1+deb9u2.debian.tar.xz
cb40f713d8ae303d22b6be895a2f7240dba6f7acffe38529cb447707cb13c364 16561 libxstream-java_1.4.11.1-1+deb9u2_amd64.buildinfo
Files:
c384d5899e3a1a465bf0aba5e7690fe1 2586 java optional libxstream-java_1.4.11.1-1+deb9u2.dsc
0a6275c721f29c7b373fc5cb605e93a7 12416 java optional libxstream-java_1.4.11.1-1+deb9u2.debian.tar.xz
e7297960a7fc71f8a3311ac67c18156d 16561 java optional libxstream-java_1.4.11.1-1+deb9u2_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----