libxstream-java blacklist EOL?
libxstream-java allows deserializing objects from XML. It can use a list of
allowed types or a list of blocked ones. If using the latter, that list may be
incomplete, causing security issues if an attacker deserializes insecure objects.
That blocklist has repeatedly been found to be incomplete, and that is without
considering third-party libraries. buster hasn't been updated for the last
findings, and more are being found. Upstream is finally switching the
default method to an allow list (it has been recommended for a long time,
but the default wasn't changed due to compatibility reasons). I think it is time
we declare the block list unsupported, asking users to switch to the allow list.
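As an added illustration (not code from the message above nor from the XStream project), the following Java program sets up the two security configurations being contrasted and feeds each the same XML document naming a type the blocklist did not anticipate. The blocklist entries, the `com.example.model` package and the sample XML are assumptions made for the example; the XStream calls themselves (`addPermission`, `denyTypesByWildcard`, `allowTypes`, `allowTypesByWildcard`, `fromXML`) are the library's public API.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.AnyTypePermission;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamListDemo {

    // Constructed sample input: the root element names a JDK class that is
    // harmless here, but that the blocklist below simply never mentions.
    static final String UNEXPECTED_TYPE_XML =
        "<java.util.ArrayList><string>hello</string></java.util.ArrayList>";

    // Blocklist style: everything is permitted except the patterns enumerated.
    // The two patterns are illustrative placeholders, not a real gadget list.
    static XStream blockListStream() {
        XStream xs = new XStream();
        xs.addPermission(AnyTypePermission.ANY);          // allow everything...
        xs.denyTypesByWildcard(new String[] {             // ...minus what we thought of
            "javax.naming.**",
            "java.rmi.**"
        });
        return xs;
    }

    // Allow-list style: deny all, then permit exactly the types the
    // application actually exchanges. Unknown types never reach a converter.
    static XStream allowListStream() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);          // start from "nothing"
        xs.addPermission(NullPermission.NULL);            // null values
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES); // int, boolean, ...
        xs.allowTypes(new Class[] { String.class });
        xs.allowTypesByWildcard(new String[] {
            "com.example.model.**"                        // hypothetical app package
        });
        return xs;
    }

    // Returns the deserialized object, or null when XStream refused the type.
    static Object tryParse(String label, XStream xs, String xml) {
        try {
            Object o = xs.fromXML(xml);
            System.out.println(label + ": accepted " + o.getClass().getName());
            return o;
        } catch (ForbiddenClassException e) {
            System.out.println(label + ": rejected (" + e.getMessage() + ")");
            return null;
        }
    }

    public static void main(String[] args) {
        // The blocklist lets the unlisted type through; the allow list rejects it.
        tryParse("blocklist", blockListStream(), UNEXPECTED_TYPE_XML);
        tryParse("allowlist", allowListStream(), UNEXPECTED_TYPE_XML);
    }
}
```

Permissions are evaluated in the order XStream keeps them (deny entries are checked before allow entries), so the blocklist variant only stops a type someone already knew to add, whereas the allow-list variant stops anything not named. On XStream releases where the allow list is already the default, the explicit `NoTypePermission.NONE` line is redundant but harmless; on older releases it is what turns the default off.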