[Git][java-team/libxstream-java][stretch] 4 commits: New upstream version 1.4.10
Markus Koschany
gitlab at salsa.debian.org
Thu Dec 31 19:27:49 GMT 2020
Markus Koschany pushed to branch stretch at Debian Java Maintainers / libxstream-java
Commits:
e1a339d2 by Emmanuel Bourg at 2017-06-20T10:19:55+02:00
New upstream version 1.4.10
- - - - -
3e39d696 by Markus Koschany at 2018-11-10T22:39:01+01:00
New upstream version 1.4.11
- - - - -
a6a98eb4 by Markus Koschany at 2018-11-11T00:04:28+01:00
New upstream version 1.4.11.1
- - - - -
2cc98c1c by Markus Koschany at 2020-12-31T20:27:39+01:00
Import Debian changes 1.4.11.1-1+deb9u1
libxstream-java (1.4.11.1-1+deb9u1) stretch-security; urgency=high

  * Team upload.
  * Fix CVE-2020-26258:
    XStream is vulnerable to a Server-Side Forgery Request which can be
    activated when unmarshalling. The vulnerability may allow a remote attacker
    to request data from internal resources that are not publicly available
    only by manipulating the processed input stream.
  * Fix CVE-2020-26259:
    XStream is vulnerable to an Arbitrary File Deletion on the local host when
    unmarshalling. The vulnerability may allow a remote attacker to delete
    arbitrary known files on the host as long as the executing process has
    sufficient rights only by manipulating the processed input stream.

libxstream-java (1.4.11.1-1+deb10u1) buster-security; urgency=high

  * Team upload.
  * Fix CVE-2020-26217:
    It was found that XStream is vulnerable to Remote Code Execution. The
    vulnerability may allow a remote attacker to run arbitrary shell commands
    only by manipulating the processed input stream. Users who rely on
    blocklists are affected (the default in Debian). We strongly recommend
    using the whitelist approach of XStream's Security Framework because there
    are likely more class combinations the blacklist approach may not address.

libxstream-java (1.4.11.1-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 1.4.11.1.

libxstream-java (1.4.11-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 1.4.11.
  * Switch to compat level 11.
  * Declare compliance with Debian Policy 4.2.1.
  * Build-depend on libjaxb-api-java to fix FTBFS with Java 11.
    (Closes: #912377)
  * Add a new maven rule for xpp3 to fix a FTBFS.
  * Remove Damien Raude-Morvan from Uploaders. (Closes: #889445)

libxstream-java (1.4.10-1) unstable; urgency=medium

  * New upstream release
    - Removed CVE-2017-7957.patch (fixed upstream)
  * Standards-Version updated to 3.9.8
  * Switch to debhelper level 10
- - - - -
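The CVE-2020-26217 changelog entry above recommends the whitelist (allowlist) mode of XStream's Security Framework instead of the blocklist that Debian shipped by default. The following is an added example of that configuration; it is not code from the Debian package or from the XStream project. The `Invoice` class and the `com.example.model` package are hypothetical stand-ins for an application's own types; the `addPermission`, `allowTypes`, `allowTypesByWildcard` and `ForbiddenClassException` API is the one present in XStream 1.4.7 and later, which covers the 1.4.10 and 1.4.11.1 versions listed in this changelog.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowlistExample {

    // Hypothetical application type; stands in for whatever the application really serialises.
    public static class Invoice {
        public String customer;
        public int amount;
    }

    /** Builds an XStream instance that deserialises only an explicit set of types. */
    public static XStream buildHardenedXStream() {
        XStream xstream = new XStream();

        // NoTypePermission.NONE clears every default permission, so from here on
        // nothing is allowed unless it is added below (deny-by-default).
        xstream.addPermission(NoTypePermission.NONE);
        // Re-admit the minimum needed for ordinary data: null and primitive values.
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        // Admit exactly the application types the stream is expected to carry.
        xstream.allowTypes(new Class[] { String.class, Invoice.class });
        // A wildcard admits a whole package tree (hypothetical package); keep it as narrow as possible,
        // because every class it matches becomes reachable from untrusted input.
        xstream.allowTypesByWildcard(new String[] { "com.example.model.**" });
        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = buildHardenedXStream();

        // Round trip of an allowed type still works.
        Invoice invoice = new Invoice();
        invoice.customer = "ACME";
        invoice.amount = 42;
        String xml = xstream.toXML(invoice);
        Invoice back = (Invoice) xstream.fromXML(xml);
        System.out.println("round trip ok: " + back.customer + " / " + back.amount);

        // Constructed input naming a type outside the allowlist. The Security Framework
        // rejects it when the class name is resolved, before any instance is created.
        String untrusted = "<java.util.HashMap/>";
        try {
            xstream.fromXML(untrusted);
            System.out.println("unexpected: type was accepted");
        } catch (ForbiddenClassException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

The practical check for a deployment is the second half of `main`: feed the configured instance an element naming a class the application never serialises and confirm that `ForbiddenClassException` is raised rather than an object being built. If that probe succeeds, the instance is still running in blocklist mode and the changelog's warning about unaddressed class combinations applies.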
24 changed files:
- + .travis.settings.xml
- .travis.yml
- BUILD.txt
- README.md
- README.txt
- debian/changelog
- debian/control
- debian/copyright
- debian/maven.ignoreRules
- debian/maven.rules
- − debian/patches/CVE-2017-7957.patch
- debian/patches/CVE-2020-26217.patch
- + debian/patches/CVE-2020-26258.patch
- + debian/patches/CVE-2020-26259.patch
- debian/patches/series
- debian/rules
- pom.xml
- xstream-benchmark/pom.xml
- xstream-distribution/pom.xml
- + xstream-distribution/src/content/CVE-2013-7285.html
- + xstream-distribution/src/content/CVE-2016-3674.html
- + xstream-distribution/src/content/CVE-2017-7957.html
- xstream-distribution/src/content/annotations-tutorial.html
- xstream-distribution/src/content/benchmarks.html
The diff was not included because it is too large.
View it on GitLab: https://salsa.debian.org/java-team/libxstream-java/-/compare/cbe271de603f9ff63b09f0485bcbbcb62f5a37d8...2cc98c1c18a8428b525bab23a6cd4d0eebfb6d9a