[Git][java-team/libxstream-java][buster] 2 commits: Remove +deb10u3 changelog entry because it was never released.

Markus Koschany (@apo) gitlab at salsa.debian.org
Mon Nov 8 11:39:24 GMT 2021



Markus Koschany pushed to branch buster at Debian Java Maintainers / libxstream-java


Commits:
23f0eeeb by Markus Koschany at 2021-11-08T12:31:23+01:00
Remove +deb10u3 changelog entry because it was never released.

- - - - -
2415f7f7 by Markus Koschany at 2021-11-08T12:35:06+01:00
Remove 0004-Fix-CVE-2021-29505-for-buster.patch in favor of the security whitelist

- - - - -


2 changed files:

- debian/changelog
- − debian/patches/0004-Fix-CVE-2021-29505-for-buster.patch


Changes:

=====================================
debian/changelog
=====================================
@@ -1,23 +1,11 @@
-libxstream-java (1.4.11.1-1+deb10u4) buster-security; urgency=high
+libxstream-java (1.4.11.1-1+deb10u3) buster-security; urgency=high
 
   * Team upload.
   * Enable the security whitelist by default to prevent RCE vulnerabilities.
     XStream no longer uses a blacklist because it cannot be secured for general
     purpose.
 
- -- Markus Koschany <apo at debian.org>  Sat, 02 Oct 2021 12:56:33 +0200
-
-libxstream-java (1.4.11.1-1+deb10u3) buster-security; urgency=high
-
-  * Team upload.
-  * Fix CVE-2021-29505:
-    - The vulnerability may allow a remote attacker has sufficient rights
-      to execute commands of the host only by manipulating the processed
-      input stream. No user is affected, who followed the recommendation
-      to setup XStream's security framework with a whitelist limited to
-      the minimal required types.
-
- -- Hideki Yamane <henrich at debian.org>  Thu, 17 Jun 2021 22:02:16 +0900
+ -- Markus Koschany <apo at debian.org>  Mon, 08 Nov 2021 12:31:13 +0100
 
 libxstream-java (1.4.11.1-1+deb10u2) buster-security; urgency=high
 
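Review bot: the rewritten +deb10u3 entry drops every reference to CVE-2021-29505 and to the bug the previous entry addressed, so nothing in the changelog now records that this upload fixes that CVE; since the deny-list patch is being removed in the same push and the whitelist becomes the fix, add a line such as "  * Fix CVE-2021-29505 by enabling the security whitelist (Closes: #989491)" under the "Team upload." bullet so the security tracker and the bug report can be tied to this version. Minor wording nit in the retained bullet: "cannot be secured for general purpose" reads better as "cannot be secured for general-purpose use".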


=====================================
debian/patches/0004-Fix-CVE-2021-29505-for-buster.patch deleted
=====================================
@@ -1,36 +0,0 @@
-From: Hideki Yamane <henrich at debian.org>
-Date: Thu, 18 Jun 2021 23:27:25 +0900
-Subject: Fix CVE-2021-29505 from upstream commit (Closes:#989491)
-
-Taken patch from upstream commit
-https://github.com/x-stream/xstream/commit/f0c4a8d861b68ffc3119cfbbbd632deee624e227
-and modified it to be applied buster branch (1.4.11.1)
-
----
- xstream/src/java/com/thoughtworks/xstream/XStream.java | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-Index: libxstream-java/xstream/src/java/com/thoughtworks/xstream/XStream.java
-===================================================================
---- libxstream-java.orig/xstream/src/java/com/thoughtworks/xstream/XStream.java
-+++ libxstream-java/xstream/src/java/com/thoughtworks/xstream/XStream.java
-@@ -354,8 +354,10 @@ public class XStream {
- 
-     private static final String ANNOTATION_MAPPER_TYPE = "com.thoughtworks.xstream.mapper.AnnotationMapper";
-     private static final Pattern IGNORE_ALL = Pattern.compile(".*");
-+    private static final Pattern LAZY_ENUMERATORS = Pattern.compile(".*\\.Lazy(?:Search)?Enumeration.*");
-     private static final Pattern LAZY_ITERATORS = Pattern.compile(".*\\$LazyIterator");
-     private static final Pattern JAVAX_CRYPTO = Pattern.compile("javax\\.crypto\\..*");
-+    private static final Pattern JAVA_RMI = Pattern.compile("(?:java|sun)\\.rmi\\..*");
-     private static final Pattern JAXWS_FILE_STREAM = Pattern.compile(".*\\.ReadAllStream\\$FileStream");
- 
-     /**
-@@ -710,7 +712,7 @@ public class XStream {
-             java.beans.EventHandler.class,
-             java.lang.ProcessBuilder.class,
-             java.lang.Void.class, void.class });
--        denyTypesByRegExp(new Pattern[] {LAZY_ITERATORS, JAVAX_CRYPTO, JAXWS_FILE_STREAM});
-+        denyTypesByRegExp(new Pattern[] {LAZY_ITERATORS, JAVAX_CRYPTO, JAXWS_FILE_STREAM, LAZY_ENUMERATORS,JAVA_RMI});
-         allowTypeHierarchy(Exception.class);
-         securityInitialized = false;
-     }
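Review bot: this deletion removes the only deny-list coverage for the LAZY_ENUMERATORS and JAVA_RMI patterns that the patch added to denyTypesByRegExp (the "@@ -710,7 +712,7 @@" region), so any deployment that explicitly turns the new default whitelist back off loses that protection; the commit message should state that the whitelist now supersedes the blacklist entries for CVE-2021-29505 and carry the "Closes: #989491" reference from the deleted patch header, which otherwise disappears from the packaging history with this file.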



View it on GitLab: https://salsa.debian.org/java-team/libxstream-java/-/compare/0ad2edb53991b0f8d50308597f64ec9bd48e96b4...2415f7f7a4c52202c9b162e8fee83d73b06141d6
