
Re: Propose to ignore libxstream-java CVEs



Hi,

On Thursday, 23.09.2021 at 19:40 +0200, Anton Gladky wrote:
> Hi Markus,
> 
> I have applied your patch and the pipelines have passed [1]. So, at least
> nothing breaks from the "build side of view".

thanks to all who have contributed to this thread. 

I have just uploaded a new security update of libxstream-java that enables the
whitelist by default. I added jsap, jajuk, jodconverter, jmeter and tiles-autotag
to the whitelist to allow de-serialization whenever classes from these packages
are involved. Thus we don't need to patch these packages. For bookworm and
unstable I intend to patch the affected packages though or package new upstream
releases to address the problem. I have already fixed jsap and filed an upstream
bug report for jajuk.

I have ignored the following packages because they are either not affected (no
de-serialization), don't have any reverse-dependencies, don't use the xstream
code directly or use the whitelist already.

groovy
easyconf
jodreports
natbraille
libspring-oxm-java
libspring-instrument-java
activemq
uima-as
maven-war-plugin
powermock

I will contact the security team and propose the same fix for Buster and
Bullseye soon.

Regards,

Markus
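For readers who want to see what "enabling the whitelist" means at the API level, the following is an added illustration, not code from the Debian package or from upstream XStream: it configures XStream's type-permission allowlist from application code (deny every type, then re-allow primitives, String and the package wildcards the application needs), so a document naming any other class is rejected with a ForbiddenClassException instead of being instantiated. The package prefixes and the XML inputs are assumed/constructed for this example and are not the exact list shipped in the upload.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowlistExample {

    /** Build an XStream instance that refuses every type not explicitly allowed. */
    static XStream allowlistedXStream() {
        XStream xstream = new XStream();
        // Start from a deny-all policy; any type not re-allowed below is rejected.
        xstream.addPermission(NoTypePermission.NONE);
        // Re-allow the harmless basics: null, primitives/boxed types and String.
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { String.class });
        // Re-allow only the packages the application actually serialises.
        // These prefixes are assumed for this example, not the Debian patch's exact list.
        xstream.allowTypesByWildcard(new String[] {
            "org.apache.jmeter.**",
            "com.martiansoftware.jsap.**",
        });
        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = allowlistedXStream();

        // Constructed input: an allowed type deserialises normally.
        String allowed = "<string>hello</string>";
        System.out.println("allowed: " + xstream.fromXML(allowed));

        // Constructed input naming a type outside the allowlist: rejected before
        // any instance is created, which is the whole point of the whitelist.
        String blocked = "<java.util.ArrayList/>";
        try {
            xstream.fromXML(blocked);
            System.out.println("unexpected: type was allowed");
        } catch (ForbiddenClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same deny-all-then-allow pattern is what the packaging change applies for the listed reverse dependencies; an application that serialises classes from a package not on the list will see ForbiddenClassException until that package is added.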
