Accepted libxstream-java 1.4.15-3+deb11u2 (source) into proposed-updates



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 11 Jan 2023 14:23:28 CET
Source: libxstream-java
Architecture: source
Version: 1.4.15-3+deb11u2
Distribution: bullseye-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Checksums-Sha1:
 b274f169228ba7487b5b3d8df6c8aa46682989cb 2555 libxstream-java_1.4.15-3+deb11u2.dsc
 cc4b296584d741f00c0587fe56689fd7113271da 13324 libxstream-java_1.4.15-3+deb11u2.debian.tar.xz
 f3fb64457668b35c91738deb509e24a26a177b18 16945 libxstream-java_1.4.15-3+deb11u2_amd64.buildinfo
Checksums-Sha256:
 0ccb15fa8d14ee141119a43a8a9de821c9e2495e258ce820f0b9939863feb624 2555 libxstream-java_1.4.15-3+deb11u2.dsc
 b49e81296f977c41d4f0098879c0fd21087de1f0d08c3eb137b1746e18919192 13324 libxstream-java_1.4.15-3+deb11u2.debian.tar.xz
 d5d7be1d63bc738c6ba7651403d4cb912aa09ce254b0b9f0a38b60ff57b7468f 16945 libxstream-java_1.4.15-3+deb11u2_amd64.buildinfo
Closes: 1027754
Changes:
 libxstream-java (1.4.15-3+deb11u2) bullseye-security; urgency=high
 .
   * Team upload.
   * Fix CVE-2022-41966:
     XStream serializes Java objects to XML and back again. Versions prior to
     1.4.15-3+deb11u2 may allow a remote attacker to terminate the application
     with a stack overflow error, resulting in a denial of service only via
     manipulation of the processed input stream. The attack uses the hash code
     implementation for collections and maps to force recursive hash calculation
     causing a stack overflow. This issue is patched in version 1.4.15-3+deb11u2
     which handles the stack overflow and raises an InputManipulationException
     instead. A potential workaround for users who only use HashMap or HashSet
     and whose XML refers to these only as default map or set, is to change the
     default implementation of java.util.Map and java.util per the code example
     in the referenced advisory. However, this implies that your application
     does not care about the implementation of the map and all elements are
     comparable. (Closes: #1027754)
Files:
 0becd63a0f3fb7e3b288e21fe50b0cab 2555 java optional libxstream-java_1.4.15-3+deb11u2.dsc
 308bb0d5b0b81a60003249cc56954dbe 13324 java optional libxstream-java_1.4.15-3+deb11u2.debian.tar.xz
 59efd90e3a59d6734b2b517fbde69f26 16945 java optional libxstream-java_1.4.15-3+deb11u2_amd64.buildinfo
