
libxstream-java blacklist EOL?


libxstream-java allows deserializing objects from XML. It can use a list of allowed types or a list of blocked ones. If using the latter, that list may be incomplete, causing security issues if an attacker deserializes insecure objects.

That blocklist has repeatedly been found to be incomplete, and that is without considering 3rd party libraries. buster hasn't been updated for the last findings, and more are being found [1]. Upstream is finally switching the default method to an allow list [2] (it has been recommended for a long time, but the default wasn't changed due to compatibility reasons). I think it is time we declare the block list unsupported, asking users to switch to the allow list.



[1] https://security-tracker.debian.org/tracker/source-package/libxstream-java
[2] https://github.com/x-stream/xstream/commit/652d72f38b33938c54fd3b2ef626cb7dce38001c
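What switching from the block list to an allow list looks like in application code, as an added example that is not part of the post above nor of the Debian package: the XStream instance is first set to deny every type, then only the application's own types (plus null, primitives and String) are allowed back. The `Person` class and the two XML documents are constructed for the illustration; the API calls (`addPermission`, `allowTypes`, `alias`, `fromXML`, `ForbiddenClassException`) are XStream 1.4.7+ public API.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class AllowListDemo {

    // Hypothetical application type that we actually expect on the wire.
    public static class Person {
        String name;
        int age;
    }

    // Build an XStream instance that rejects every type except an explicit allow list.
    static XStream allowListXStream() {
        XStream xstream = new XStream();
        // Start from "deny all", so nothing depends on the built-in block list
        // (or on which version of the built-in defaults the installed XStream ships).
        xstream.addPermission(NoTypePermission.NONE);
        // Add back only what the application needs: null, primitives/wrappers, String
        // and the application's own types.
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { Person.class, String.class });
        // Short element name for the allowed type; the alias does not bypass the check.
        xstream.alias("person", Person.class);
        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = allowListXStream();

        // Constructed input: a document naming the allowed type.
        String expected = "<person><name>alice</name><age>30</age></person>";
        Person p = (Person) xstream.fromXML(expected);
        System.out.println("Deserialized " + p.name + ", age " + p.age);

        // Constructed input: a document naming a JDK type that is not on the allow list.
        // Under the old block-list default this harmless-looking type would be accepted.
        String unexpected = "<java.util.HashMap/>";
        try {
            xstream.fromXML(unexpected);
            System.out.println("BUG: type outside the allow list was accepted");
        } catch (ForbiddenClassException e) {
            System.out.println("Rejected: " + e.getMessage());
        }
    }
}
```

Without the `addPermission`/`allowTypes` calls, an XStream that still defaults to the block list (1.4.17 and earlier, which covers the version in buster) accepts the second document, because `java.util.HashMap` is not on the block list and never will be; only the types already known to be dangerous are. That is the asymmetry the post describes: a block list has to enumerate every bad type, an allow list only the few good ones.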
