Bug#998054: libxstream-java: vulnerable to CVE-2021-391{{39..41}, {44..54}}

Alex Thiessen alex.thiessen.de+debian at gmail.com
Fri Oct 29 08:49:02 BST 2021 

Package: libxstream-java
Version: 1.4.15-3
Severity: important
X-Debbugs-Cc: alex.thiessen.de+debian at gmail.com

Dear Maintainer,

   * What led up to the situation?
     Package installed, the machine scanned by the IT department and
     found vulnerable to a set of CVEs. According to
     https://x-stream.github.io/security.html, it's:

     - CVE-2021-39139	XStream is vulnerable to an Arbitrary Code Execution attack.
     - CVE-2021-39140	XStream can cause a Denial of Service.
     - CVE-2021-39141	XStream is vulnerable to an Arbitrary Code Execution attack.
     - CVE-2021-39144	XStream is vulnerable to a Remote Command Execution attack.
     - CVE-2021-39145	XStream is vulnerable to an Arbitrary Code Execution attack.
     - CVE-2021-39146	XStream is vulnerable to an Arbitrary Code Execution attack.
     - CVE-2021-39147	XStream is vulnerable to an Arbitrary Code Execution attack.
     - CVE-2021-39148	XStream is vulnerable to an Arbitrary Code Execution attack.
     - CVE-2021-39149	XStream is vulnerable to an Arbitrary Code Execution attack.
     - CVE-2021-39150	A Server-Side Forgery Request can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host.
     - CVE-2021-39151	XStream is vulnerable to an Arbitrary Code Execution attack.
     - CVE-2021-39152	A Server-Side Forgery Request can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host.
     - CVE-2021-39153	XStream is vulnerable to an Arbitrary Code Execution attack.
     - CVE-2021-39154	XStream is vulnerable to an Arbitrary Code Execution attack.

   * What exactly did you do (or not do) that was effective (or
     ineffective)?
     Checked Debian website for security fixes of the package. Checked
     the changelog to see if the CVEs were fixed by a patch.

   * What was the outcome of this action?
     No newer version with CVEs fixed available for Debian stable to
     insntall out of the box.

   * What outcome did you expect instead?
     A package with the CVEs fixed.


-- System Information:
Debian Release: 11.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-9-amd64 (SMP w/12 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

Versions of packages libxstream-java depends on:
ii  libxpp3-java  1.1.4c-3

libxstream-java recommends no packages.

Versions of packages libxstream-java suggests:
pn  libcglib-nodep-java  <none>
pn  libdom4j-java        <none>
pn  libjdom1-java        <none>
pn  libjdom2-java        <none>
pn  libjettison-java     <none>
pn  libjoda-time-java    <none>
pn  libkxml2-java        <none>
pn  libwoodstox-java     <none>
pn  libxom-java          <none>

-- no debconf information

More information about the pkg-java-maintainers mailing list