Accepted libxstream-java 1.4.11.1-1+deb10u4 (source) into oldstable
- To: debian-lts-changes@lists.debian.org, dispatch@tracker.debian.org
- Subject: Accepted libxstream-java 1.4.11.1-1+deb10u4 (source) into oldstable
- From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
- Date: Wed, 11 Jan 2023 20:00:18 +0000
- Debian: DAK
- Debian-architecture: source
- Debian-archive-action: accept
- Debian-changes: libxstream-java_1.4.11.1-1+deb10u4_source.changes
- Debian-source: libxstream-java
- Debian-suite: oldstable
- Debian-version: 1.4.11.1-1+deb10u4
- Dkim-signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=ftp-master.debian.org; s=smtpauto.seger; h=Date:Message-Id: Content-Transfer-Encoding:Content-Type:Subject:MIME-Version:To:Reply-To:From: Cc:Content-ID:Content-Description:In-Reply-To:References; bh=gbL5SyZCTbqtDuyuK+eKBWL1WPYjv/1IqoRFJWOI2jM=; b=fcGRw0pl88K48nb7OiJ8YCbTqE f0oY98UM+EZngT3kIQz9NEXDhr8LdWvZC1H8p7YmbDJGJqJvXbaUmhLXzZnhykdekt1J4aha2NnO9 buFhQf89/Ugg3HshUJcn3VLqUFecMgJi3ZrTP5xkI3jAtrtWD/OQb7rQyjUt6Il3s0JuMT9x2k6i+ OXTGt1/umIz/KU+jvnT+tJC9VGsSiX2w6NIarJ87CdLWKLe4Tb2hyzWnd8xFJY3oytg9cNTkhtn3Q dCaol0YmXPIm9uVxO9j9Up/0aQcxYevTtJ2SuDlSXzEYr5RVyjvwojXs5+jJ9ABiudkU/a4M30+6P 1FRoeyPQ==;
- Mail-followup-to: debian-lts@lists.debian.org
- Message-id: <E1pFhGk-004mSC-9r@seger.debian.org>
- Reply-to: debian-lts@lists.debian.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 11 Jan 2023 20:40:40 CET
Source: libxstream-java
Architecture: source
Version: 1.4.11.1-1+deb10u4
Distribution: buster-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Checksums-Sha1:
11bd30a15f5a2e3a4e4764f32b4ee591cfa5410e 2591 libxstream-java_1.4.11.1-1+deb10u4.dsc
9ca0224d6e7fa377a346da4589771aafb0518b6a 11632 libxstream-java_1.4.11.1-1+deb10u4.debian.tar.xz
db38ec9398e8cecba7333879f50777ba5d209feb 16679 libxstream-java_1.4.11.1-1+deb10u4_amd64.buildinfo
Checksums-Sha256:
187737eec0643de53cd7f55e2c6016eeda29a77f26e882df77936d25f90ce81b 2591 libxstream-java_1.4.11.1-1+deb10u4.dsc
4b0cc4f40074da724391ee1b16f4cf9c8cd7d3aa771964c207c45c44d126a601 11632 libxstream-java_1.4.11.1-1+deb10u4.debian.tar.xz
474199b330b4e1e5e6312c6b4a8ca1fcf9916c58b4ff4805b7c9e43729b7ea4b 16679 libxstream-java_1.4.11.1-1+deb10u4_amd64.buildinfo
Closes: 1027754
Changes:
libxstream-java (1.4.11.1-1+deb10u4) buster-security; urgency=high
.
* Team upload.
* Fix CVE-2022-41966:
XStream serializes Java objects to XML and back again. Versions prior to
1.4.11.1-1+deb10u4 may allow a remote attacker to terminate the application
with a stack overflow error, resulting in a denial of service only via
manipulation of the processed input stream. The attack uses the hash code
implementation for collections and maps to force recursive hash calculation
causing a stack overflow. This issue is patched in version
1.4.11.1-1+deb10u4 which handles the stack overflow and raises an
InputManipulationException instead. A potential workaround for users who
only use HashMap or HashSet and whose XML refers these only as default map
or set, is to change the default implementation of java.util.Map and
java.util per the code example in the referenced advisory. However, this
implies that your application does not care about the implementation of the
map and all elements are
comparable. (Closes: #1027754)
Files:
e178c1709014c28fd6aea7bbf2992bfc 2591 java optional libxstream-java_1.4.11.1-1+deb10u4.dsc
2502881f1a1aecbd8e7d8b6d2f942ff0 11632 java optional libxstream-java_1.4.11.1-1+deb10u4.debian.tar.xz
ecea8576653d1d6126b4ffbb4351f85e 16679 java optional libxstream-java_1.4.11.1-1+deb10u4_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmO/EL1fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp
YW4ub3JnAAoJENmtFLlRO1HkfCcP/A5YV6Z0pvO7JQlkM56ASIOoQgTZVo83r4OK
FSNTH1ceQ7FDtBuL4A1mPYfr4QyK0uQl2QSOqpzzs9u/8C/MuYoYv16xZTCcvNWv
0y1l1i8oCoaJ4ftVE0yBUVUgTEmmXQKnxcnMzNQzW2458zp+/OFRTaGHwy7knCtP
qoARxTBzVVHug2/aal54cP/J7+vOtMtcJO00BigADxYOoKFvBCe4LvbqhuICwCzc
fifUn7NxdnhfBaXqp7ZQu+uWfQ/dOG+Lg67HlWKxr9J5QJpXVa8zKO1SpdTLKETH
sl1apv89HbeLwPGu+qNPZRqRF25UT4PwbYus1kaU2gI8+jfTkt0V6N75ALG/ZypO
s1yCqTJIqehs6+r4k9VR6Y6Y0mSGFP4DQutZQ6tFTiZVnoz4sJUrZ4ZqjsrTxofC
jHd9kL5bHpPobD8QcoRsXROQLSQwzKDlE4mSl9+ZUwAQRDM5/VlVLXF9aDBgGUJL
himfFwcmTAlkbMucrJtbX+27wT+qOR+yYCDtqjhb425qCKtuQ+AeBuHZ+RKDX/Tt
gk4k8T+C7W+2F2uTyKDZiDgyJAh3vUXg8lnyDh6DrCT5NJEGTYWIwxR2SwlrvxnZ
pc6iP4+o3w/DsbXGyUFRs0cY/fj7Sx7aAEYuEKYvLB2G2CHfuON3Ohyki2xjU+BU
gR/IauJo
=eOMR
-----END PGP SIGNATURE-----