Your message dated Sat, 03 Apr 2021 21:40:29 +0200
with message-id <011ad68c3eb1800bbe5ed05c22a83d332f066ae5.ca...@debian.org>
and subject line Re: libxstream-java: CVE-2021-21341 CVE-2021-21342 CVE-2021-21343 CVE-2021-21344 CVE-2021-21345 CVE-2021-21346 CVE-2021-21347 CVE-2021-21348 CVE-2021-21349 CVE-2021-21350 CVE-2021-21351
has caused the Debian Bug report #985843,
regarding libxstream-java: CVE-2021-21341 CVE-2021-21342 CVE-2021-21343 CVE-2021-21344 CVE-2021-21345 CVE-2021-21346 CVE-2021-21347 CVE-2021-21348 CVE-2021-21349 CVE-2021-21350 CVE-2021-21351
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

-- 
985843: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985843
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libxstream-java
Version: 1.4.15-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerabilities were published for libxstream-java.

CVE-2021-21341[0]:
| XStream is a Java library to serialize objects to XML and back again.
| In XStream before version 1.4.16, there is a vulnerability which may
| allow a remote attacker to allocate 100% CPU time on the target system
| depending on CPU type or parallel execution of such a payload
| resulting in a denial of service only by manipulating the processed
| input stream. No user is affected who followed the recommendation to
| setup XStream's security framework with a whitelist limited to the
| minimal required types. If you rely on XStream's default blacklist of
| the Security Framework, you will have to use at least version 1.4.16.

CVE-2021-21342[1]:
| XStream is a Java library to serialize objects to XML and back again.
| In XStream before version 1.4.16, there is a vulnerability where the
| processed stream at unmarshalling time contains type information to
| recreate the formerly written objects. XStream therefore creates new
| instances based on this type information. An attacker can manipulate
| the processed input stream and replace or inject objects, that result
| in a server-side forgery request. No user is affected, who followed
| the recommendation to setup XStream's security framework with a
| whitelist limited to the minimal required types. If you rely on
| XStream's default blacklist of the Security Framework, you will have
| to use at least version 1.4.16.

CVE-2021-21343[2]:
| XStream is a Java library to serialize objects to XML and back again.
| In XStream before version 1.4.16, there is a vulnerability where the
| processed stream at unmarshalling time contains type information to
| recreate the formerly written objects. XStream therefore creates new
| instances based on this type information. An attacker can manipulate
| the processed input stream and replace or inject objects, that result
| in the deletion of a file on the local host. No user is affected, who
| followed the recommendation to setup XStream's security framework with
| a whitelist limited to the minimal required types. If you rely on
| XStream's default blacklist of the Security Framework, you will have
| to use at least version 1.4.16.

CVE-2021-21344[3]:
| XStream is a Java library to serialize objects to XML and back again.
| In XStream before version 1.4.16, there is a vulnerability which may
| allow a remote attacker to load and execute arbitrary code from a
| remote host only by manipulating the processed input stream. No user
| is affected, who followed the recommendation to setup XStream's
| security framework with a whitelist limited to the minimal required
| types. If you rely on XStream's default blacklist of the Security
| Framework, you will have to use at least version 1.4.16.

CVE-2021-21345[4]:
| XStream is a Java library to serialize objects to XML and back again.
| In XStream before version 1.4.16, there is a vulnerability which may
| allow a remote attacker who has sufficient rights to execute commands
| of the host only by manipulating the processed input stream. No user
| is affected, who followed the recommendation to setup XStream's
| security framework with a whitelist limited to the minimal required
| types. If you rely on XStream's default blacklist of the Security
| Framework, you will have to use at least version 1.4.16.

CVE-2021-21346[5]:
| XStream is a Java library to serialize objects to XML and back again.
| In XStream before version 1.4.16, there is a vulnerability which may
| allow a remote attacker to load and execute arbitrary code from a
| remote host only by manipulating the processed input stream. No user
| is affected, who followed the recommendation to setup XStream's
| security framework with a whitelist limited to the minimal required
| types. If you rely on XStream's default blacklist of the Security
| Framework, you will have to use at least version 1.4.16.

CVE-2021-21347[6]:
| XStream is a Java library to serialize objects to XML and back again.
| In XStream before version 1.4.16, there is a vulnerability which may
| allow a remote attacker to load and execute arbitrary code from a
| remote host only by manipulating the processed input stream. No user
| is affected, who followed the recommendation to setup XStream's
| security framework with a whitelist limited to the minimal required
| types. If you rely on XStream's default blacklist of the Security
| Framework, you will have to use at least version 1.4.16.

CVE-2021-21348[7]:
| XStream is a Java library to serialize objects to XML and back again.
| In XStream before version 1.4.16, there is a vulnerability which may
| allow a remote attacker to occupy a thread that consumes maximum CPU
| time and will never return. No user is affected, who followed the
| recommendation to setup XStream's security framework with a whitelist
| limited to the minimal required types. If you rely on XStream's
| default blacklist of the Security Framework, you will have to use at
| least version 1.4.16.

CVE-2021-21349[8]:
| XStream is a Java library to serialize objects to XML and back again.
| In XStream before version 1.4.16, there is a vulnerability which may
| allow a remote attacker to request data from internal resources that
| are not publicly available only by manipulating the processed input
| stream. No user is affected, who followed the recommendation to setup
| XStream's security framework with a whitelist limited to the minimal
| required types. If you rely on XStream's default blacklist of the
| Security Framework, you will have to use at least version 1.4.16.

CVE-2021-21350[9]:
| XStream is a Java library to serialize objects to XML and back again.
| In XStream before version 1.4.16, there is a vulnerability which may
| allow a remote attacker to execute arbitrary code only by manipulating
| the processed input stream. No user is affected, who followed the
| recommendation to setup XStream's security framework with a whitelist
| limited to the minimal required types. If you rely on XStream's
| default blacklist of the Security Framework, you will have to use at
| least version 1.4.16.

CVE-2021-21351[10]:
| XStream is a Java library to serialize objects to XML and back again.
| In XStream before version 1.4.16, there is a vulnerability which may
| allow a remote attacker to load and execute arbitrary code from a
| remote host only by manipulating the processed input stream. No user
| is affected, who followed the recommendation to setup XStream's
| security framework with a whitelist limited to the minimal required
| types. If you rely on XStream's default blacklist of the Security
| Framework, you will have to use at least version 1.4.16.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-21341
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21341
[1] https://security-tracker.debian.org/tracker/CVE-2021-21342
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21342
[2] https://security-tracker.debian.org/tracker/CVE-2021-21343
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21343
[3] https://security-tracker.debian.org/tracker/CVE-2021-21344
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21344
[4] https://security-tracker.debian.org/tracker/CVE-2021-21345
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21345
[5] https://security-tracker.debian.org/tracker/CVE-2021-21346
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21346
[6] https://security-tracker.debian.org/tracker/CVE-2021-21347
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21347
[7] https://security-tracker.debian.org/tracker/CVE-2021-21348
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21348
[8] https://security-tracker.debian.org/tracker/CVE-2021-21349
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21349
[9] https://security-tracker.debian.org/tracker/CVE-2021-21350
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21350
[10] https://security-tracker.debian.org/tracker/CVE-2021-21351
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21351

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Control: severity -1 serious
Version: 1.4.15-2

These issues are fixed in 1.4.15-2. I suggest we get this into Debian 11.
The fix is minimal and just extends the default blacklist of Xstream.

Markus
--- End Message ---
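Every CVE quoted in the report above carries the same caveat: users who configured XStream's security framework with an allow-list of the minimal required types are not affected, while users relying on the default blacklist (which the 1.4.15-2 fix extends) need the patched version. The following is an added example, not code from the bug report, the Debian package or the XStream project, showing what that allow-list configuration looks like against the XStream 1.4.x security API (`addPermission`, `allowTypes`, `allowTypeHierarchy`, `ForbiddenClassException`, all available since 1.4.7). The `Invoice` class and the two XML documents are constructed for the example.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

import java.util.Collection;
import java.util.List;

public class XStreamAllowListExample {

    // Hypothetical application type: the only top-level object this
    // service ever expects to unmarshal.
    public static class Invoice {
        public String customer;
        public List<String> items;
    }

    /**
     * Builds an XStream instance that refuses every type not explicitly
     * allowed. This is the "whitelist limited to the minimal required
     * types" setup the CVE texts refer to; it does not depend on the
     * default blacklist being complete.
     */
    public static XStream hardenedXStream() {
        XStream xstream = new XStream();
        // NoTypePermission.NONE clears the default (blacklist-based)
        // permissions, so the starting point is "nothing is allowed".
        xstream.addPermission(NoTypePermission.NONE);
        // Re-admit null, primitives and their boxed counterparts.
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        // Allow only the application's own type, String, and the
        // collection implementations XStream uses for the List field.
        xstream.allowTypes(new Class[] { Invoice.class, String.class });
        xstream.allowTypeHierarchy(Collection.class);
        // Aliases do not affect security; they only keep the XML readable.
        xstream.alias("invoice", Invoice.class);
        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = hardenedXStream();

        // Constructed document of the expected shape: accepted.
        String expected = "<invoice><customer>ACME</customer>"
                + "<items><string>widget</string></items></invoice>";
        Invoice inv = (Invoice) xstream.fromXML(expected);
        System.out.println("accepted: " + inv.customer + " " + inv.items);

        // Constructed document naming a harmless JDK type that is not on
        // the allow-list. The type name in the stream is exactly what the
        // CVEs describe as attacker-controlled; with an allow-list the
        // check fails before any instance is created.
        String unexpected = "<java.util.Properties/>";
        try {
            xstream.fromXML(unexpected);
            System.out.println("unexpected: accepted (allow-list not in effect)");
        } catch (ForbiddenClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The design point is the order of the permissions: `NoTypePermission.NONE` must be added first, because adding it discards every permission registered before it, including the defaults. Anything the application legitimately needs is then re-admitted by name or by hierarchy, so a new gadget type in some JDK or third-party class is rejected without waiting for a blacklist update such as the one shipped in 1.4.15-2.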
__
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use debian-j...@lists.debian.org for discussions and questions.