<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en">
<head>
<meta content="text/html; charset=US-ASCII" http-equiv="Content-Type">
<title>
GitLab
</title>
<style>img {
max-width: 100%; height: auto;
}
</style>
</head>
<body>
<div class="content">
<h3>
Markus Koschany pushed to branch stretch
at <a href="https://salsa.debian.org/java-team/libxstream-java">Debian Java Maintainers / libxstream-java</a>
</h3>
<h4>
Commits:
</h4>
<ul>
<li>
<strong><a href="https://salsa.debian.org/java-team/libxstream-java/-/commit/e1a339d2d79042d1f33028d53a422d8d9d031059">e1a339d2</a></strong>
<div>
<span>by Emmanuel Bourg</span>
<i>at 2017-06-20T10:19:55+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">New upstream version 1.4.10</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/java-team/libxstream-java/-/commit/3e39d696da29e234129db8bdcab034aa806a7a63">3e39d696</a></strong>
<div>
<span>by Markus Koschany</span>
<i>at 2018-11-10T22:39:01+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">New upstream version 1.4.11</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/java-team/libxstream-java/-/commit/a6a98eb49725b56d0b0c1b28654ecb9ee2fcad06">a6a98eb4</a></strong>
<div>
<span>by Markus Koschany</span>
<i>at 2018-11-11T00:04:28+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">New upstream version 1.4.11.1</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/java-team/libxstream-java/-/commit/2cc98c1c18a8428b525bab23a6cd4d0eebfb6d9a">2cc98c1c</a></strong>
<div>
<span>by Markus Koschany</span>
<i>at 2020-12-31T20:27:39+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Import Debian changes 1.4.11.1-1+deb9u1
libxstream-java (1.4.11.1-1+deb9u1) stretch-security; urgency=high
..
* Team upload.
* Fix CVE-2020-26258:
XStream is vulnerable to a Server-Side Forgery Request which can be
activated when unmarshalling. The vulnerability may allow a remote attacker
to request data from internal resources that are not publicly available
only by manipulating the processed input stream.
* Fix CVE-2020-26259:
Xstream is vulnerable to an Arbitrary File Deletion on the local host when
unmarshalling. The vulnerability may allow a remote attacker to delete
arbitrary known files on the host as long as the executing process has
sufficient rights only by manipulating the processed input stream.
..
libxstream-java (1.4.11.1-1+deb10u1) buster-security; urgency=high
..
* Team upload.
* Fix CVE-2020-26217:
It was found that XStream is vulnerable to Remote Code Execution. The
vulnerability may allow a remote attacker to run arbitrary shell commands
only by manipulating the processed input stream. Users who rely on
blocklists are affected (the default in Debian). We strongly recommend to
use the whitelist approach of XStream's Security Framework because there
are likely more class combinations the blacklist approach may not address.
..
libxstream-java (1.4.11.1-1) unstable; urgency=medium
..
* Team upload.
* New upstream version 1.4.11.1.
..
libxstream-java (1.4.11-1) unstable; urgency=medium
..
* Team upload.
* New upstream version 1.4.11.
* Switch to compat level 11.
* Declare compliance with Debian Policy 4.2.1.
* Build-depend on libjaxb-api-java to fix FTBFS with Java 11.
(Closes: #912377)
* Add a new maven rule for xpp3 to fix a FTBFS.
* Remove Damien Raude-Morvan from Uploaders. (Closes: #889445)
..
libxstream-java (1.4.10-1) unstable; urgency=medium
..
* New upstream release
- Removed CVE-2017-7957.patch (fixed upstream)
* Standards-Version updated to 3.9.8
* Switch to debhelper level 10
</pre>
</li>
</ul>
<h4>24 changed files:</h4>
<ul>
<li class="file-stats">
<a href="#24e784ce6589bc97994395038371d07a9afaf7c9">
<span class="new-file">
+
.travis.settings.xml
</span>
</a>
</li>
<li class="file-stats">
<a href="#dea01dd89a3b602828e630677fde5d77c06441c8">
.travis.yml
</a>
</li>
<li class="file-stats">
<a href="#2c5c5ed7d77485b627b5ba2e90b2f87baf64be55">
BUILD.txt
</a>
</li>
<li class="file-stats">
<a href="#8ec9a00bfd09b3190ac6b22251dbb1aa95a0579d">
README.md
</a>
</li>
<li class="file-stats">
<a href="#fda3484edf8db0684440157ce0b110d784d42704">
README.txt
</a>
</li>
<li class="file-stats">
<a href="#9c96da0e9f91d7d8937b69b524702c106258f0d1">
debian/changelog
</a>
</li>
<li class="file-stats">
<a href="#58ef006ab62b83b4bec5d81fe5b32c3b4c2d1cc2">
debian/control
</a>
</li>
<li class="file-stats">
<a href="#adb7f75f79e3bb85eb62912a2904c5d24af878fb">
debian/copyright
</a>
</li>
<li class="file-stats">
<a href="#26121dc92cd4cd9822d2e9e2b619b799bf9a51f4">
debian/maven.ignoreRules
</a>
</li>
<li class="file-stats">
<a href="#58530b38acb0fa3a65612c676abaea46c4a3f2f3">
debian/maven.rules
</a>
</li>
<li class="file-stats">
<a href="#19f744cf73be4c8f6bcf5a691b7d183531202e91">
<span class="deleted-file">
−
debian/patches/CVE-2017-7957.patch
</span>
</a>
</li>
<li class="file-stats">
<a href="#8f5cd187213dee3fe5c6351f14b2d975fd53d4e2">
debian/patches/CVE-2020-26217.patch
</a>
</li>
<li class="file-stats">
<a href="#a9ffd3bfddcb6e63c0f5f5106eec5314167ec3c6">
<span class="new-file">
+
debian/patches/CVE-2020-26258.patch
</span>
</a>
</li>
<li class="file-stats">
<a href="#dea221109f67e3502290f8177bf4126d1c0e1cc8">
<span class="new-file">
+
debian/patches/CVE-2020-26259.patch
</span>
</a>
</li>
<li class="file-stats">
<a href="#bc34014ab4b9a49dd7a27bdd8d352912607c3a96">
debian/patches/series
</a>
</li>
<li class="file-stats">
<a href="#8756c63497c8dc39f7773438edf53b220c773f67">
debian/rules
</a>
</li>
<li class="file-stats">
<a href="#442292b8a7efeabbe4cc176709b833b1792140ec">
pom.xml
</a>
</li>
<li class="file-stats">
<a href="#706385494e1793bf06b3baf924bf663c7354ac0a">
xstream-benchmark/pom.xml
</a>
</li>
<li class="file-stats">
<a href="#f6bcb3b93eaf50908bce8da5f77f1ef67499a63f">
xstream-distribution/pom.xml
</a>
</li>
<li class="file-stats">
<a href="#17643526e1dfe3e26ccf57927e527ad4f92bba17">
<span class="new-file">
+
xstream-distribution/src/content/CVE-2013-7285.html
</span>
</a>
</li>
<li class="file-stats">
<a href="#d679d27b29ecc47630e349e0fc6ab5cd774dffd1">
<span class="new-file">
+
xstream-distribution/src/content/CVE-2016-3674.html
</span>
</a>
</li>
<li class="file-stats">
<a href="#9ee5d7a088495538d7385ef54fc6e12d9d4a81f4">
<span class="new-file">
+
xstream-distribution/src/content/CVE-2017-7957.html
</span>
</a>
</li>
<li class="file-stats">
<a href="#6bc3f5f8483d6c53541062589bcde99aa70d6ffa">
xstream-distribution/src/content/annotations-tutorial.html
</a>
</li>
<li class="file-stats">
<a href="#21e5417de7111181774ad9013fc9ebe4521a0c07">
xstream-distribution/src/content/benchmarks.html
</a>
</li>
</ul>
<h5>The diff was not included because it is too large.</h5>
</div>
<div class="footer" style="margin-top: 10px;">
<p style="font-size: small; color: #666;">
—
<br>
<a href="https://salsa.debian.org/java-team/libxstream-java/-/compare/cbe271de603f9ff63b09f0485bcbbcb62f5a37d8...2cc98c1c18a8428b525bab23a6cd4d0eebfb6d9a">View it on GitLab</a>.
<br>
You're receiving this email because of your account on salsa.debian.org.
If you'd like to receive fewer emails, you can
adjust your notification settings.
</p>
</div>
</body>
</html>