Your message dated Wed, 11 Jan 2023 13:14:54 +0000
with message-id <[email protected]>
and subject line Bug#1027754: fixed in libxstream-java 1.4.20-1
has caused the Debian Bug report #1027754,
regarding libxstream-java: CVE-2022-41966
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1027754: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1027754
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libxstream-java
Version: 1.4.19-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for libxstream-java.

CVE-2022-41966[0]:
| XStream serializes Java objects to XML and back again. Versions prior
| to 1.4.20 may allow a remote attacker to terminate the application
| with a stack overflow error, resulting in a denial of service only via
| manipulation of the processed input stream. The attack uses the hash code
| implementation for collections and maps to force recursive hash
| calculation causing a stack overflow. This issue is patched in version
| 1.4.20 which handles the stack overflow and raises an
| InputManipulationException instead. A potential workaround for users
| who only use HashMap or HashSet and whose XML refers to these only as
| default map or set, is to change the default implementation of
| java.util.Map and java.util per the code example in the referenced
| advisory. However, this implies that your application does not care
| about the implementation of the map and all elements are comparable.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-41966
    https://www.cve.org/CVERecord?id=CVE-2022-41966
[1] https://x-stream.github.io/CVE-2022-41966.html
[2] https://github.com/x-stream/xstream/security/advisories/GHSA-j563-grx4-pjpv
[3] https://github.com/x-stream/xstream/commit/e9151f221b4969fb15b1e946d5d61dcdd459a391


Regards,
Salvatore

--- End Message ---
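The workaround the advisory text above refers to (swapping the default Map/Set implementation so deserialisation never hits HashMap/HashSet hash computation) shown as an added, stand-alone example; this is not code from the bug report or from the XStream project. It assumes XStream 1.4.x on the classpath; the class name and the sample XML are constructed for illustration.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.converters.ConversionException;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import java.util.TreeSet;

public class XStreamMapWorkaround {
    /** XStream instance with the advisory's default-implementation change applied. */
    static XStream hardened() {
        XStream xs = new XStream();
        // TreeMap/TreeSet order their contents with compareTo() instead of hashing them,
        // so the recursive hashCode() evaluation described in the CVE text is never run.
        xs.addDefaultImplementation(TreeMap.class, Map.class);
        xs.addDefaultImplementation(TreeSet.class, Set.class);
        return xs;
    }

    public static void main(String[] args) {
        XStream xs = hardened();
        // Constructed sample: the XML XStream itself emits for a plain Map (<map> element).
        String xml = "<map><entry><string>a</string><int>1</int></entry></map>";
        Object o = xs.fromXML(xml);
        // A <map> element is now materialised as a TreeMap rather than a HashMap.
        System.out.println(o.getClass().getName() + " -> " + o);

        // Caveat spelled out in the CVE text: all keys must be mutually Comparable.
        // Mixed String/Integer keys cannot be ordered, so this input is rejected
        // (XStream wraps the underlying ClassCastException in a ConversionException).
        String mixed = "<map><entry><string>a</string><int>1</int></entry>"
                     + "<entry><int>2</int><int>3</int></entry></map>";
        try {
            xs.fromXML(mixed);
            System.out.println("unexpected: mixed keys accepted");
        } catch (ConversionException e) {
            System.out.println("rejected (non-comparable keys): " + e.getShortMessage());
        }
    }
}
```

The change only helps if the XML refers to these types as the default map/set; an explicit `class="java.util.HashMap"` attribute still selects HashMap, which is why upgrading to 1.4.20 remains the actual fix.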
--- Begin Message ---
Source: libxstream-java
Source-Version: 1.4.20-1
Done: Markus Koschany <[email protected]>

We believe that the bug you reported is fixed in the latest version of
libxstream-java, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <[email protected]> (supplier of updated libxstream-java package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 11 Jan 2023 13:15:53 +0100
Source: libxstream-java
Architecture: source
Version: 1.4.20-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Markus Koschany <[email protected]>
Closes: 1027754
Changes:
 libxstream-java (1.4.20-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream version 1.4.20.
     - Fix CVE-2022-41966: (Closes: #1027754)
       XStream serializes Java objects to XML and back again. Versions prior to
       1.4.20 may allow a remote attacker to terminate the application with a
       stack overflow error, resulting in a denial of service only via
       manipulation of the processed input stream. The attack uses the hash code
       implementation for collections and maps to force recursive hash
       calculation causing a stack overflow. This issue is patched in version
       1.4.20 which handles the stack overflow and raises an
       InputManipulationException instead. A potential workaround for users who
       only use HashMap or HashSet and whose XML refers to these only as default
       map or set, is to change the default implementation of java.util.Map and
       java.util per the code example in the referenced advisory. However, this
       implies that your application does not care about the implementation of
       the map and all elements are comparable.
   * Declare compliance with Debian Policy 4.6.2.

--- End Message ---