kemitix opened a new pull request #1038: [WIP] [Security] Bump xstream from 1.4.8 to 1.4.11.1 URL: https://github.com/apache/brooklyn-server/pull/1038 Bumps [xstream](https://github.com/x-stream/xstream) from 1.4.8 to 1.4.11.1. **This update includes security fixes.** <details> <summary>Vulnerabilities fixed</summary> *Sourced from [The Sonatype OSS Index](https://ossindex.sonatype.org/vuln/764af3f0-05d8-4a8d-9421-1d51ed8f2fae).* > **[CVE-2017-7957] Improper Input Validation** > XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML("<void/>") call. > > Affected versions: <= 1.4.9 *Sourced from [The Sonatype OSS Index](https://ossindex.sonatype.org/vuln/325b0ce9-1324-4bb8-820d-032aaaf1a8ef).* > **[CVE-2016-3674] Information Exposure** > Multiple XML external entity (XXE) vulnerabilities in the (1) Dom4JDriver, (2) DomDriver, (3) JDomDriver, (4) JDom2Driver, (5) SjsxpDriver, (6) StandardStaxDriver, and (7) WstxDriver drivers in XStream before 1.4.9 allow remote attackers to read arbitrary files via a crafted XML document. > > Affected versions: <= 1.4.8 </details> <details> <summary>Commits</summary> - See full diff in [compare view](https://github.com/x-stream/xstream/commits) </details>
---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services