[Git][java-team/libxstream-java][jessie] 7 commits: Initial upstream branch.
Markus Koschany (@apo)
gitlab at salsa.debian.org
Thu Jan 26 22:34:41 GMT 2023
Markus Koschany pushed to branch jessie at Debian Java Maintainers / libxstream-java
Commits:
0fe9b951 by Emmanuel Bourg at 2015-04-29T17:51:52+02:00
Initial upstream branch.
- - - - -
98bc0c12 by Emmanuel Bourg at 2015-04-29T18:03:05+02:00
Imported Upstream version 1.4.8
- - - - -
950f48b6 by Emmanuel Bourg at 2016-03-29T11:26:25+02:00
Imported Upstream version 1.4.9
- - - - -
e1a339d2 by Emmanuel Bourg at 2017-06-20T10:19:55+02:00
New upstream version 1.4.10
- - - - -
3e39d696 by Markus Koschany at 2018-11-10T22:39:01+01:00
New upstream version 1.4.11
- - - - -
a6a98eb4 by Markus Koschany at 2018-11-11T00:04:28+01:00
New upstream version 1.4.11.1
- - - - -
eb8197f6 by Markus Koschany at 2023-01-26T23:34:32+01:00
Import Debian changes 1.4.11.1-1+deb8u6
libxstream-java (1.4.11.1-1+deb8u6) jessie-security; urgency=high
..
* Non-maintainer upload by the ELTS team.
* Fix CVE-2022-41966:
XStream serializes Java objects to XML and back again. Versions prior to
1.4.11.1-1+deb8u6 may allow a remote attacker to terminate the application
with a stack overflow error, resulting in a denial of service only via
manipulation of the processed input stream. The attack uses the hash code
implementation for collections and maps to force recursive hash calculation
causing a stack overflow. This issue is patched in version
1.4.11.1-1+deb8u6 which handles the stack overflow and raises an
InputManipulationException instead.
* Enforce OpenJDK 7 to build libxstream-java.
..
libxstream-java (1.4.11.1-1+deb8u5) jessie-security; urgency=high
..
* Non-maintainer upload by the ELTS team.
* CVE-2021-43859: Prevent a potential remote denial of service (DoS) attack
that could have consumed 100% of the CPU resources. XStream now monitors
and accumulates the time it takes to add elements to collections and throws
an exception if a set threshold is exceeded.
..
libxstream-java (1.4.11.1-1+deb8u4) jessie-security; urgency=high
..
* Non-maintainer upload by the ELTS team.
* Enable the security whitelist by default to prevent RCE vulnerabilities.
XStream no longer uses a blacklist because it cannot be secured for general
purpose.
..
libxstream-java (1.4.11.1-1+deb8u3) jessie-security; urgency=high
..
* Non-maintainer upload by the ELTS Security Team.
* CVE-2021-29505: a remote attacker may get sufficient rights to execute
commands of the host only by manipulating the processed input stream.
..
libxstream-java (1.4.11.1-1+deb8u2) jessie-security; urgency=high
..
* Non-maintainer upload by the ELTS team.
* Fix CVE-2021-21341 to CVE-2021-21351:
In XStream there is a vulnerability which may allow a remote attacker to
load and execute arbitrary code from a remote host only by manipulating the
processed input stream.
..
The type hierarchies for java.io.InputStream, java.nio.channels.Channel,
javax.activation.DataSource and javax.sql.rowsel.BaseRowSet are now
blacklisted as well as the individual types
com.sun.corba.se.impl.activation.ServerTableEntry,
com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator,
sun.awt.datatransfer.DataTransferer$IndexOrderComparator, and
sun.swing.SwingLazyValue. Additionally the internal type
Accessor$GetterSetterReflection of JAXB, the internal types
MethodGetter$PrivilegedGetter and ServiceFinder$ServiceNameIterator of
JAX-WS, all inner classes of javafx.collections.ObservableList and an
internal ClassLoader used in a private BCEL copy are now part of the
default blacklist and the deserialization of XML containing one of the two
types will fail. You will have to enable these types by explicit
configuration, if you need them.
..
libxstream-java (1.4.11.1-1+deb8u1) jessie-security; urgency=high
..
* Team upload.
* Fix CVE-2020-26258:
XStream is vulnerable to a Server-Side Request Forgery which can be
activated when unmarshalling. The vulnerability may allow a remote attacker
to request data from internal resources that are not publicly available
only by manipulating the processed input stream.
* Fix CVE-2020-26259:
XStream is vulnerable to an Arbitrary File Deletion on the local host when
unmarshalling. The vulnerability may allow a remote attacker to delete
arbitrary known files on the host as long as the executing process has
sufficient rights only by manipulating the processed input stream.
..
libxstream-java (1.4.11.1-1+deb10u1) buster-security; urgency=high
..
* Team upload.
* Fix CVE-2020-26217:
It was found that XStream is vulnerable to Remote Code Execution. The
vulnerability may allow a remote attacker to run arbitrary shell commands
only by manipulating the processed input stream. Users who rely on
blocklists are affected (the default in Debian). We strongly recommend
using the whitelist approach of XStream's Security Framework because there
are likely more class combinations the blacklist approach may not address.
..
libxstream-java (1.4.11.1-1) unstable; urgency=medium
..
* Team upload.
* New upstream version 1.4.11.1.
..
libxstream-java (1.4.11-1) unstable; urgency=medium
..
* Team upload.
* New upstream version 1.4.11.
* Switch to compat level 11.
* Declare compliance with Debian Policy 4.2.1.
* Build-depend on libjaxb-api-java to fix FTBFS with Java 11.
(Closes: #912377)
* Add a new maven rule for xpp3 to fix an FTBFS.
* Remove Damien Raude-Morvan from Uploaders. (Closes: #889445)
..
libxstream-java (1.4.10-1) unstable; urgency=medium
..
* New upstream release
- Removed CVE-2017-7957.patch (fixed upstream)
* Standards-Version updated to 3.9.8
* Switch to debhelper level 10
..
libxstream-java (1.4.9-2) unstable; urgency=medium
..
* Fixed CVE-2017-7957: Attempts to create an instance of the primitive
type 'void' during unmarshalling lead to a remote application crash.
(Closes: #861521)
..
libxstream-java (1.4.9-1) unstable; urgency=medium
..
* New upstream release
- Fixes CVE-2016-3674: XML External Entity vulnerability (Closes: #819455)
- Ignore the new xstream-jmh module
- Updated the Maven rules
* No longer build the xstream-benchmark module (never used in Debian)
* Build with maven-debian-helper
* Depend on libcglib-nodep-java instead of libcglib3-java
* Standards-Version updated to 3.9.7 (no changes)
* Use secure Vcs-* fields
* Updated the old references to codehaus.org
..
libxstream-java (1.4.8-1) unstable; urgency=medium
..
* New upstream release
* Added a patch to compile with Java 7
* Moved the package to Git
- - - - -
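The whitelist (allowlist) configuration that the deb8u4 and buster-security changelog entries above recommend, as an added Java example that is not part of this commit or of XStream's own code: it drops XStream's default permissions, re-allows only null, primitives, String and a hypothetical application type `Order`, and shows that a document naming any other type is rejected with `ForbiddenClassException` before an instance is created. The `Order` class and the untrusted XML sample are constructed for this example; the API calls are XStream's Security Framework as shipped in the 1.4.x line.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowlistExample {

    // Hypothetical application type that the XML is expected to carry.
    public static class Order {
        String id;
        int quantity;
    }

    /** Build an XStream instance that only unmarshals explicitly listed types. */
    public static XStream hardenedXStream() {
        XStream xstream = new XStream();
        // Clear every permission first, including the upstream defaults
        // (this also replaces any blacklist-based protection).
        xstream.addPermission(NoTypePermission.NONE);
        // Re-allow the basics: null, primitives and their wrapper types.
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        // Then list exactly the application types that may be instantiated.
        xstream.allowTypes(new Class[] { String.class, Order.class });
        // Alternative for a whole package: allow by wildcard instead of by class.
        // xstream.allowTypesByWildcard(new String[] { "com.example.model.**" });
        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = hardenedXStream();

        // Round trip of an allowed type keeps working as before.
        Order order = new Order();
        order.id = "A-1";
        order.quantity = 3;
        Order back = (Order) xstream.fromXML(xstream.toXML(order));
        System.out.println("accepted: " + back.id + " x" + back.quantity);

        // Constructed document naming a JDK type outside the allowlist:
        // XStream refuses it at the type-resolution step, so no ArrayList
        // (or any other unlisted class) is ever instantiated.
        String untrusted = "<java.util.ArrayList><string>x</string></java.util.ArrayList>";
        try {
            xstream.fromXML(untrusted);
        } catch (ForbiddenClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Anything not covered by the allowlist, including the collection and map types the deb8u6 and deb8u5 entries above harden, is refused up front, so the allowlist is the primary control and the upstream patches are defence in depth.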
30 changed files:
- + .gitattributes
- + .gitignore
- + .travis.settings.xml
- + .travis.yml
- + BUILD.txt
- + LICENSE.txt
- + README.md
- + README.txt
- − debian/build.properties
- − debian/build.xml
- debian/changelog
- debian/control
- debian/copyright
- debian/libxstream-java.poms
- debian/manifest
- debian/maven.ignoreRules
- + debian/maven.properties
- debian/maven.rules
- − debian/orig-tar.sh
- + debian/patches/01-java7-compatibility.patch
- − debian/patches/CVE-2016-3674.patch
- − debian/patches/CVE-2017-7957.patch
- + debian/patches/CVE-2021-43859.patch
- + debian/patches/CVE-2022-41966.patch
- + debian/patches/SecurityVulnerabilityTest.patch
- + debian/patches/debian-specific-whitelist-extension.patch
- + debian/patches/enable-security-whitelist-by-default.patch
- + debian/patches/profile.patch
- debian/patches/series
- debian/rules
The diff was not included because it is too large.
View it on GitLab: https://salsa.debian.org/java-team/libxstream-java/-/compare/081611e4bd0893194362e6e5ba667ebaddb61e85...eb8197f69e64af8e9a83118b2758a77bd5240d26