libxstream-java_1.4.15-2_source.changes ACCEPTED into unstable

Debian FTP Masters ftpmaster at ftp-master.debian.org
Sat Apr 3 20:33:31 BST 2021



Accepted:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 03 Apr 2021 19:17:05 +0200
Source: libxstream-java
Architecture: source
Version: 1.4.15-2
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers at lists.alioth.debian.org>
Changed-By: Markus Koschany <apo at debian.org>
Changes:
 libxstream-java (1.4.15-2) unstable; urgency=high
 .
   * Team upload.
   * Fix CVE-2021-21341 to CVE-2021-21351:
     In XStream there is a vulnerability which may allow a remote attacker to
     load and execute arbitrary code from a remote host only by manipulating the
     processed input stream.
 .
     The type hierarchies for java.io.InputStream, java.nio.channels.Channel,
     javax.activation.DataSource and javax.sql.rowset.BaseRowSet are now
     blacklisted as well as the individual types
     com.sun.corba.se.impl.activation.ServerTableEntry,
     com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator,
     sun.awt.datatransfer.DataTransferer$IndexOrderComparator, and
     sun.swing.SwingLazyValue. Additionally the internal type
     Accessor$GetterSetterReflection of JAXB, the internal types
     MethodGetter$PrivilegedGetter and ServiceFinder$ServiceNameIterator of
     JAX-WS, all inner classes of javafx.collections.ObservableList and an
     internal ClassLoader used in a private BCEL copy are now part of the
     default blacklist and the deserialization of XML containing one of the two
     types will fail. You will have to enable these types by explicit
     configuration, if you need them.
Checksums-Sha1:
 4106403e5f284cb63258de75e931fd8318c0583e 2520 libxstream-java_1.4.15-2.dsc
 10277135cc9f618cbd20f63cbf690db731be8c68 9356 libxstream-java_1.4.15-2.debian.tar.xz
 fa521b2e7ac9571929bfa7c4e408ce1811b4bb24 16173 libxstream-java_1.4.15-2_amd64.buildinfo
Checksums-Sha256:
 f7c80c5cac9c5d3e75ac3d954af015b4453e49dd0972a9fc78b6bd20dc28bf07 2520 libxstream-java_1.4.15-2.dsc
 7153677cd945bb416bbd1ef69107fb7d65894e0724826180d2d2af7768e7eb24 9356 libxstream-java_1.4.15-2.debian.tar.xz
 f024198b051527f839f2815b729813a62900371ed55ca8bc98a1c52176b726a9 16173 libxstream-java_1.4.15-2_amd64.buildinfo
Files:
 f7744fd239d65a29bf7e15dbc24963d2 2520 java optional libxstream-java_1.4.15-2.dsc
 aaad219056ca093fb1ee99b9fa272e8f 9356 java optional libxstream-java_1.4.15-2.debian.tar.xz
 f99732e82e8573054eb189e11b8400a1 16173 java optional libxstream-java_1.4.15-2_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----


Thank you for your contribution to Debian.


