Accepted libxstream-java 1.4.11.1-1+deb9u1 (source) into oldstable
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 31 Dec 2020 14:15:35 +0100
Source: libxstream-java
Binary: libxstream-java
Architecture: source
Version: 1.4.11.1-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
libxstream-java - Java library to serialize objects to XML and back again
Changes:
libxstream-java (1.4.11.1-1+deb9u1) stretch-security; urgency=high
.
* Team upload.
* Fix CVE-2020-26258:
XStream is vulnerable to a Server-Side Forgery Request which can be
activated when unmarshalling. The vulnerability may allow a remote attacker
to request data from internal resources that are not publicly available
only by manipulating the processed input stream.
* Fix CVE-2020-26259:
XStream is vulnerable to an Arbitrary File Deletion on the local host when
unmarshalling. The vulnerability may allow a remote attacker to delete
arbitrary known files on the host as long as the executing process has
sufficient rights only by manipulating the processed input stream.
Checksums-Sha1:
f2cf9d180227ee615935f72d532a5edcf0f60674 2586 libxstream-java_1.4.11.1-1+deb9u1.dsc
b2f9350073429e4d517da3876bda5098e870f309 11152 libxstream-java_1.4.11.1-1+deb9u1.debian.tar.xz
6eb7373e20cbf1abf62d2089e7a102cf3f55e29d 16505 libxstream-java_1.4.11.1-1+deb9u1_amd64.buildinfo
Checksums-Sha256:
f58d879aeb62c3cbebc69ddc4f554e7602e9fdd4c5a32e28c159dc3e7ed6bef6 2586 libxstream-java_1.4.11.1-1+deb9u1.dsc
a0fac3ddd5346345a6a3814c61c00620c93af8173d02347264be3992c84bb7f0 11152 libxstream-java_1.4.11.1-1+deb9u1.debian.tar.xz
3f5f2b1003f323b482d7897d0673d7b6838220c0d626fe37da9413c4220af0ba 16505 libxstream-java_1.4.11.1-1+deb9u1_amd64.buildinfo
Files:
7e725b67fe0808f89cd6f539920e96ea 2586 java optional libxstream-java_1.4.11.1-1+deb9u1.dsc
afeefed248560ac8aca2e4db45267d82 11152 java optional libxstream-java_1.4.11.1-1+deb9u1.debian.tar.xz
c170f8b79015a8192318d68eebe57708 16505 java optional libxstream-java_1.4.11.1-1+deb9u1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----