libxstream-java blacklist EOL?

To: Debian Security Team <team@security.debian.org>, Debian LTS <debian-lts@lists.debian.org>
Subject: libxstream-java blacklist EOL?
From: Emilio Pozuelo Monfort <pochu@debian.org>
Date: Wed, 2 Jun 2021 12:26:36 +0200
Message-id: <[🔎] 36828f4d-5dc6-8d7c-ba8a-f19085360c8f@debian.org>

Hi,

libxstream-java allows deserializing objects from XML. It can use a list ofallowed types or a list of blocked ones. If using the latter, that list may beincomplete, causing security issues if an attacker deserializes unsecure objects.

That blocklist has repeatedly found to be incomplete, and that is withoutconsidering 3rd party libraries. buster hasn't been updated for the lastfindings, and more are being found [1]. Upstream is finally switching thedefault method to an allow list [2] (it has been recommended for a long time,but the default wasn't changed due to compatibility reasons). I think it is timewe declare the block list unsupported, asking users to switch to the allow list.


Thoughts?

Cheers,
Emilio

[1] https://security-tracker.debian.org/tracker/source-package/libxstream-java

[2]https://github.com/x-stream/xstream/commit/652d72f38b33938c54fd3b2ef626cb7dce38001c

Reply to:

Follow-Ups:
- Re: libxstream-java blacklist EOL?
  - From: Markus Koschany <apo@debian.org>

Prev by Date: Debian LTS and ELTS - May 2021
Next by Date: Re: libxstream-java blacklist EOL?
Previous by thread: Debian LTS and ELTS - May 2021
Next by thread: Re: libxstream-java blacklist EOL?
Index(es):
- Date
- Thread