[Git][security-tracker-team/security-tracker][master] Update information for CVE-2022-40151 and CVE-2022-40152

Salvatore Bonaccorso (@carnil) carnil at debian.org
Mon Jan 2 19:55:19 GMT 2023



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
e9c98e73 by Salvatore Bonaccorso at 2023-01-02T20:54:12+01:00
Update information for CVE-2022-40151 and CVE-2022-40152

Clarified status, CVE-2022-40151 is for x-stream, while CVE-2022-40152
is related to Woodstox.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -26946,11 +26946,15 @@ CVE-2022-40154
 CVE-2022-40153
 	REJECTED
 CVE-2022-40152 (Those using Woodstox to parse XML data may be vulnerable to Denial of  ...)
-	- libxstream-java <undetermined>
+	- libwoodstox-java <unfixed>
 	NOTE: https://github.com/x-stream/xstream/issues/304
 CVE-2022-40151 (Those using Xstream to seralize XML data may be vulnerable to Denial o ...)
-	- libxstream-java <undetermined>
+	- libxstream-java <unfixed> (unimportant)
 	NOTE: https://github.com/x-stream/xstream/issues/304
+	NOTE: https://github.com/x-stream/xstream/issues/314
+	NOTE: https://x-stream.github.io/CVE-2022-40151.html
+	NOTE: Only solution for the issue is to catch the StackOverflowError in the client code
+	NOTE: calling XStream.
 CVE-2022-40150 (Those using Jettison to parse untrusted XML or JSON data may be vulner ...)
 	{DLA-3259-1}
 	- libjettison-java 1.5.3-1 (bug #1022553)
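Review bot: the CVE-2022-40152 entry now tracks libwoodstox-java, but the only NOTE left under it is still https://github.com/x-stream/xstream/issues/304, an XStream issue. Add a NOTE saying why the XStream issue is the reference for a Woodstox entry, or add a Woodstox-side reference, so the entry explains itself without the commit message. On CVE-2022-40151, the reason for the "(unimportant)" tag is not stated in the entry. The NOTE about catching the StackOverflowError in client code describes the workaround only, so a short NOTE giving the rationale for the tag would help later triage.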



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e9c98e738b38c77c5b8f3d61b46c9116b88e4db3
