libxstream-java_1.4.20-1_source.changes ACCEPTED into unstable
Debian FTP Masters
ftpmaster at ftp-master.debian.org
Wed Jan 11 13:14:54 GMT 2023
Thank you for your contribution to Debian.
Accepted:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 11 Jan 2023 13:15:53 +0100
Source: libxstream-java
Architecture: source
Version: 1.4.20-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers at lists.alioth.debian.org>
Changed-By: Markus Koschany <apo at debian.org>
Closes: 1027754
Changes:
libxstream-java (1.4.20-1) unstable; urgency=medium
.
* Team upload.
* New upstream version 1.4.20.
- Fix CVE-2022-41966: (Closes: #1027754)
XStream serializes Java objects to XML and back again. Versions prior to
1.4.20 may allow a remote attacker to terminate the application with a
stack overflow error, resulting in a denial of service only via
manipulation the processed input stream. The attack uses the hash code
implementation for collections and maps to force recursive hash
calculation causing a stack overflow. This issue is patched in version
1.4.20 which handles the stack overflow and raises an
InputManipulationException instead. A potential workaround for users who
only use HashMap or HashSet and whose XML refers these only as default
map or set, is to change the default implementation of java.util.Map and
java.util per the code example in the referenced advisory. However, this
implies that your application does not care about the implementation of
the map and all elements are comparable.
* Declare compliance with Debian Policy 4.6.2.
Checksums-Sha1:
53cb36d0cdaf6b32bd961f11b77b5df88e67798b 2523 libxstream-java_1.4.20-1.dsc
6fe52860ba907e0b2e1cd5978bbe492797a1dad5 478604 libxstream-java_1.4.20.orig.tar.xz
614d6db4a09bfeb3c2e46f978031fab0fcb0f30b 18368 libxstream-java_1.4.20-1.debian.tar.xz
460e8f3ca72e72dfcba587d6334ff844bdeb6882 17751 libxstream-java_1.4.20-1_amd64.buildinfo
Checksums-Sha256:
45fe7d2faf7eb088c808130beb923dc1770a2c32a0a65d5676c89aeedff3d7f4 2523 libxstream-java_1.4.20-1.dsc
79985cf8b48d63947f2958f76a4e0825320004ac5984347b47c4aec384ca3bd3 478604 libxstream-java_1.4.20.orig.tar.xz
2e23738e32b6db5dbb2511781d6a4ee26163ec810185b9f24d8fb4d88122758f 18368 libxstream-java_1.4.20-1.debian.tar.xz
d134c92a3b515ae3e3d77c771886089c7cc65bd36c6375149ac98b0fffdbc0c7 17751 libxstream-java_1.4.20-1_amd64.buildinfo
Files:
1386b0ada60a9af9fc4f885f0e422247 2523 java optional libxstream-java_1.4.20-1.dsc
ee2f67ebf748cc711cf9c4707ff00773 478604 java optional libxstream-java_1.4.20.orig.tar.xz
5a292d406ccfaa4f052f78da7a865686 18368 java optional libxstream-java_1.4.20-1.debian.tar.xz
c7225a1e1fd921b412a5a0c6c14b14f4 17751 java optional libxstream-java_1.4.20-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmO+sQxfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp
YW4ub3JnAAoJENmtFLlRO1HkAq8P/iiHrMUe+/WJhvk4MytLJrRlEoeW+kh/QYjb
8a1PK7e+FNnFgzMzsPjGQMfbHpgLgxM8GRTZCg5Vv0HQlDmvxCTNFfecuSHPPlhW
MX8oiaFhYvQSYY0EO70ToUq1B4K+WX+e6LlVgNwDmG49kxhzPCVAlP0TxrRFoFkS
d2vVWApwb5pUUnveJwC8cQ2++bjbezjMx7PWvbZ8kse7vbyvZbcUtUeTz6VGKbS6
UP7bUVlXXI6khHZCxxvdMsOJiDu5ZMUHfz5F0JP0m6t7Pqoh5gvyG6Pjlnlt8Kvm
SFeZWjpF727WkPZXT1KL9siHhKMdhvh8hiiYBZc79nw3qGQ6k9Z0BmH8TWHilkP1
NnO++yop0ZFBJGvsGb7X20+rvl6RRBBjeAKpW9NoYDx5AGYBL6DC+aBNPXVi+Er5
/TV7kgSWNo+xmmOYHTLDjEGzLsDZ8e4UHIc6g4aXv0A6yj/e/r5nL4KZ+EnEl75D
xJITFnkb+lNW2VbfU6FMxn2HqpVHmy6CjEoOPUNFjayQkAuLrkFwa8U0TYK2feia
Hk7VUY+6/ZBJQClMKnVD1IWtl2WZjqhOGQSuq/gz6xmv7GNS24ZD261k6/KR3n7j
d5O2AiYtvtnH+AC5ipb0cnFxeQFE+kymaNtEirdLstjcut56Uny8eKc/XeSmVVbY
/oIuPBQL
=pE3D
-----END PGP SIGNATURE-----
More information about the pkg-java-maintainers
mailing list