Your message dated Sat, 03 Apr 2021 21:40:29 +0200
with message-id <011ad68c3eb1800bbe5ed05c22a83d332f066ae5.ca...@debian.org>
and subject line Re: libxstream-java: CVE-2021-21341 CVE-2021-21342 
CVE-2021-21343 CVE-2021-21344 CVE-2021-21345 CVE-2021-21346 CVE-2021-21347 
CVE-2021-21348 CVE-2021-21349 CVE-2021-21350 CVE-2021-21351
has caused the Debian Bug report #985843,
regarding libxstream-java: CVE-2021-21341 CVE-2021-21342 CVE-2021-21343 
CVE-2021-21344 CVE-2021-21345 CVE-2021-21346 CVE-2021-21347 CVE-2021-21348 
CVE-2021-21349 CVE-2021-21350 CVE-2021-21351
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
985843: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985843
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libxstream-java
Version: 1.4.15-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerabilities were published for libxstream-java.

CVE-2021-21341[0]:
| XStream is a Java library to serialize objects to XML and back again.
| In XStream before version 1.4.16, there is a vulnerability which may
| allow a remote attacker to allocate 100% CPU time on the target system
| depending on CPU type or parallel execution of such a payload
| resulting in a denial of service only by manipulating the processed
| input stream. No user is affected who followed the recommendation to
| set up XStream's security framework with a whitelist limited to the
| minimal required types. If you rely on XStream's default blacklist of
| the Security Framework, you will have to use at least version 1.4.16.


CVE-2021-21342[1]:
| XStream is a Java library to serialize objects to XML and back again.
| In XStream before version 1.4.16, there is a vulnerability where the
| processed stream at unmarshalling time contains type information to
| recreate the formerly written objects. XStream therefore creates new
| instances based on this type information. An attacker can manipulate
| the processed input stream and replace or inject objects that result
| in a server-side forgery request. No user is affected who followed
| the recommendation to set up XStream's security framework with a
| whitelist limited to the minimal required types. If you rely on
| XStream's default blacklist of the Security Framework, you will have
| to use at least version 1.4.16.


CVE-2021-21343[2]:
| XStream is a Java library to serialize objects to XML and back again.
| In XStream before version 1.4.16, there is a vulnerability where the
| processed stream at unmarshalling time contains type information to
| recreate the formerly written objects. XStream therefore creates new
| instances based on this type information. An attacker can manipulate
| the processed input stream and replace or inject objects that result
| in the deletion of a file on the local host. No user is affected who
| followed the recommendation to set up XStream's security framework with
| a whitelist limited to the minimal required types. If you rely on
| XStream's default blacklist of the Security Framework, you will have
| to use at least version 1.4.16.


CVE-2021-21344[3]:
| XStream is a Java library to serialize objects to XML and back again.
| In XStream before version 1.4.16, there is a vulnerability which may
| allow a remote attacker to load and execute arbitrary code from a
| remote host only by manipulating the processed input stream. No user
| is affected who followed the recommendation to set up XStream's
| security framework with a whitelist limited to the minimal required
| types. If you rely on XStream's default blacklist of the Security
| Framework, you will have to use at least version 1.4.16.


CVE-2021-21345[4]:
| XStream is a Java library to serialize objects to XML and back again.
| In XStream before version 1.4.16, there is a vulnerability which may
| allow a remote attacker who has sufficient rights to execute commands
| of the host only by manipulating the processed input stream. No user
| is affected who followed the recommendation to set up XStream's
| security framework with a whitelist limited to the minimal required
| types. If you rely on XStream's default blacklist of the Security
| Framework, you will have to use at least version 1.4.16.


CVE-2021-21346[5]:
| XStream is a Java library to serialize objects to XML and back again.
| In XStream before version 1.4.16, there is a vulnerability which may
| allow a remote attacker to load and execute arbitrary code from a
| remote host only by manipulating the processed input stream. No user
| is affected who followed the recommendation to set up XStream's
| security framework with a whitelist limited to the minimal required
| types. If you rely on XStream's default blacklist of the Security
| Framework, you will have to use at least version 1.4.16.


CVE-2021-21347[6]:
| XStream is a Java library to serialize objects to XML and back again.
| In XStream before version 1.4.16, there is a vulnerability which may
| allow a remote attacker to load and execute arbitrary code from a
| remote host only by manipulating the processed input stream. No user
| is affected who followed the recommendation to set up XStream's
| security framework with a whitelist limited to the minimal required
| types. If you rely on XStream's default blacklist of the Security
| Framework, you will have to use at least version 1.4.16.


CVE-2021-21348[7]:
| XStream is a Java library to serialize objects to XML and back again.
| In XStream before version 1.4.16, there is a vulnerability which may
| allow a remote attacker to occupy a thread that consumes maximum CPU
| time and will never return. No user is affected who followed the
| recommendation to set up XStream's security framework with a whitelist
| limited to the minimal required types. If you rely on XStream's
| default blacklist of the Security Framework, you will have to use at
| least version 1.4.16.


CVE-2021-21349[8]:
| XStream is a Java library to serialize objects to XML and back again.
| In XStream before version 1.4.16, there is a vulnerability which may
| allow a remote attacker to request data from internal resources that
| are not publicly available only by manipulating the processed input
| stream. No user is affected who followed the recommendation to set up
| XStream's security framework with a whitelist limited to the minimal
| required types. If you rely on XStream's default blacklist of the
| Security Framework, you will have to use at least version 1.4.16.


CVE-2021-21350[9]:
| XStream is a Java library to serialize objects to XML and back again.
| In XStream before version 1.4.16, there is a vulnerability which may
| allow a remote attacker to execute arbitrary code only by manipulating
| the processed input stream. No user is affected who followed the
| recommendation to set up XStream's security framework with a whitelist
| limited to the minimal required types. If you rely on XStream's
| default blacklist of the Security Framework, you will have to use at
| least version 1.4.16.


CVE-2021-21351[10]:
| XStream is a Java library to serialize objects to XML and back again.
| In XStream before version 1.4.16, there is a vulnerability which may
| allow a remote attacker to load and execute arbitrary code from a
| remote host only by manipulating the processed input stream. No user
| is affected who followed the recommendation to set up XStream's
| security framework with a whitelist limited to the minimal required
| types. If you rely on XStream's default blacklist of the Security
| Framework, you will have to use at least version 1.4.16.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-21341
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21341
[1] https://security-tracker.debian.org/tracker/CVE-2021-21342
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21342
[2] https://security-tracker.debian.org/tracker/CVE-2021-21343
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21343
[3] https://security-tracker.debian.org/tracker/CVE-2021-21344
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21344
[4] https://security-tracker.debian.org/tracker/CVE-2021-21345
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21345
[5] https://security-tracker.debian.org/tracker/CVE-2021-21346
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21346
[6] https://security-tracker.debian.org/tracker/CVE-2021-21347
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21347
[7] https://security-tracker.debian.org/tracker/CVE-2021-21348
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21348
[8] https://security-tracker.debian.org/tracker/CVE-2021-21349
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21349
[9] https://security-tracker.debian.org/tracker/CVE-2021-21350
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21350
[10] https://security-tracker.debian.org/tracker/CVE-2021-21351
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21351

Regards,
Salvatore

--- End Message ---
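Every advisory above ends with the same mitigation: an XStream instance whose security framework is configured as a whitelist of the minimal required types is not affected, while the default blacklist only helps once it is updated to 1.4.16. The following is an added illustration of that whitelist setup, not code from the bug report or from the XStream project; the `Greeting` class, its `greeting` alias and the two XML inputs are constructed for the example.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

import java.util.Collection;

public class XStreamAllowlistExample {

    // Constructed sample type: the only application class this service expects to read.
    public static final class Greeting {
        public String text;
    }

    /** Builds an XStream instance that refuses every type not explicitly allowed. */
    public static XStream hardenedXStream() {
        XStream xstream = new XStream();
        // Step 1: drop the built-in permissions, including the default blacklist.
        xstream.addPermission(NoTypePermission.NONE);
        // Step 2: re-allow only what the application actually needs.
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { String.class, Greeting.class });
        xstream.allowTypeHierarchy(Collection.class);
        // A whole model package can be allowed by wildcard instead of listing classes:
        // xstream.allowTypesByWildcard(new String[] { "com.example.model.**" });
        xstream.alias("greeting", Greeting.class);
        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = hardenedXStream();
        // Constructed input naming the expected type: unmarshals normally.
        Greeting g = (Greeting) xstream.fromXML("<greeting><text>hello</text></greeting>");
        System.out.println("Unmarshalled: " + g.text);

        // Constructed input naming a type that is not on the whitelist. With the default
        // blacklist the outcome depends on whether that class is already listed; with a
        // whitelist it is rejected regardless of which class the document names.
        try {
            xstream.fromXML("<java.util.Random/>");
            System.out.println("Unexpectedly accepted a non-whitelisted type");
        } catch (ForbiddenClassException e) {
            System.out.println("Rejected by security framework: " + e.getMessage());
        } catch (XStreamException e) {
            // Depending on nesting, XStream may wrap the ForbiddenClassException.
            System.out.println("Rejected: " + e.getMessage());
        }
    }
}
```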
--- Begin Message ---
Control: severity -1 serious
Version: 1.4.15-2

These issues are fixed in 1.4.15-2. I suggest we get this into Debian 11. The
fix is minimal and just extends the default blacklist of XStream.

Markus


--- End Message ---