• Accepted libxstream-java 1.4.15-3+deb11u2 (source) into proposed-update

    From Debian FTP Masters@21:1/5 to All on Mon Jan 16 20:10:02 2023
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA512

    Format: 1.8
    Date: Wed, 11 Jan 2023 14:23:28 CET
    Source: libxstream-java
    Architecture: source
    Version: 1.4.15-3+deb11u2
    Distribution: bullseye-security
    Urgency: high
    Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
    Changed-By: Markus Koschany <apo@debian.org>
    Checksums-Sha1:
    b274f169228ba7487b5b3d8df6c8aa46682989cb 2555 libxstream-java_1.4.15-3+deb11u2.dsc
    cc4b296584d741f00c0587fe56689fd7113271da 13324 libxstream-java_1.4.15-3+deb11u2.debian.tar.xz
    f3fb64457668b35c91738deb509e24a26a177b18 16945 libxstream-java_1.4.15-3+deb11u2_amd64.buildinfo
    Checksums-Sha256:
    0ccb15fa8d14ee141119a43a8a9de821c9e2495e258ce820f0b9939863feb624 2555 libxstream-java_1.4.15-3+deb11u2.dsc
    b49e81296f977c41d4f0098879c0fd21087de1f0d08c3eb137b1746e18919192 13324 libxstream-java_1.4.15-3+deb11u2.debian.tar.xz
    d5d7be1d63bc738c6ba7651403d4cb912aa09ce254b0b9f0a38b60ff57b7468f 16945 libxstream-java_1.4.15-3+deb11u2_amd64.buildinfo
    Closes: 1027754
    Changes:
    libxstream-java (1.4.15-3+deb11u2) bullseye-security; urgency=high
    .
    * Team upload.
    * Fix CVE-2022-41966:
    XStream serializes Java objects to XML and back again. Versions prior to
    1.4.15-3+deb11u2 may allow a remote attacker to terminate the application
    with a stack overflow error, resulting in a denial of service only via
    manipulation of the processed input stream. The attack uses the hash code
    implementation for collections and maps to force recursive hash calculation
    causing a stack overflow. This issue is patched in version 1.4.15-3+deb11u2
    which handles the stack overflow and raises an InputManipulationException
    instead. A potential workaround for users who only use HashMap or HashSet
    and whose XML refers to these only as default map or set, is to change the
    default implementation of java.util.Map and java.util per the code example
    in the referenced advisory. However, this implies that your application
    does not care about the implementation of the map and all elements are
    comparable. (Closes: #1027754)
    Files:
    0becd63a0f3fb7e3b288e21fe50b0cab 2555 java optional libxstream-java_1.4.15-3+deb11u2.dsc
    308bb0d5b0b81a60003249cc56954dbe 13324 java optional libxstream-java_1.4.15-3+deb11u2.debian.tar.xz
    59efd90e3a59d6734b2b517fbde69f26 16945 java optional libxstream-java_1.4.15-3+deb11u2_amd64.buildinfo

    -----BEGIN PGP SIGNATURE-----

    iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmO+uFhfFIAAAAAALgAo
    aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
    RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp
    YW4ub3JnAAoJENmtFLlRO1Hk5PoP/0iW0M/L8C4dy/KOb5GjVgIkV1/IS6QvjMxy
    Uazjtr7Mhu++izgN31kXOuTgBjPbA7k0hNGmbkrlKlBr3qHp+HR5YNaUMCd3EbrR
    L52dhIZ/BJo3V+Mq/x7+epYq9uodFOF1QBzVrL87SHSpaWG4ofyG19SRAQDQNARO
    AAN/tOSLb3+up8BmrA+nN+wBudOE+6rYsLAL3tmZ1fWMQR6ZuM0P7mMYzSmQ+VQi
    foKYjcdsRHWqopQYQAoVlPfo1v99bsYPFDe5aayRX2U/MCsaCmvM6FHAc5hrKcWW
    0xPPw5LOHaZ74o5HeUP+3H5kPTppUvGzg3FDsC5whrf7grRLrAM74QQIqVmHBIIR
    AZV0CV16fJiDQtqL9NIwBGMoeRhIo+ywudXJQHfK0SIyjpcIdiME97AbycYEwHv+
    yya/2XYer+JVV79PFlKOH0z8KW9W5ELKLb03L9WJYJlViw2nPv0XsmP7o6V7s3xN
    yTCICdSwbM49iVc/Iw+cHQJMPFstpa8oWEMS/Wqzxkmsmiy4JegmHdw/HhIKySH2
    +EEEMRFn5G9FWyAXuu6ki+WNHTWG1khH+z2uLPK60Um2ebR5brQB/7L51IsPkQik
    v/pm2EkVAB9LG/6BGYJIds9De/9maP44YiDknw9K2DiGZg3efWI1lv0zYhzEQCuh
    e1NuWciA
    =81uD
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
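
The workaround mentioned in the changelog above (swapping XStream's default Map and Set implementations for tree-based ones, which order their contents by comparison instead of by hash code and therefore never enter the recursive hash calculation the CVE describes), shown as an added example; this is not code from the Debian package or from the advisory. `XStream.addDefaultImplementation`, `allowTypeHierarchy` and `allowTypes` are the real XStream API; the class name, the sample XML document and the `Comparable`-keys check are constructed here for illustration.

```java
import com.thoughtworks.xstream.XStream;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import java.util.TreeSet;

// Hypothetical helper class, not part of XStream or of the Debian package.
public class TreeBasedDefaultsWorkaround {

    // Returns an XStream instance whose default <map> and <set> elements are
    // instantiated as TreeMap / TreeSet. Element names in the XML stay the same;
    // only the class XStream creates for the generic Map / Set types changes.
    public static XStream buildXStream() {
        XStream xstream = new XStream();

        // Keep the security framework explicit even on 1.4.15, whose default
        // permission is still permissive: only allow what this example reads.
        xstream.allowTypeHierarchy(Map.class);
        xstream.allowTypeHierarchy(Set.class);
        xstream.allowTypes(new Class[] { String.class });

        // The workaround itself: tree-based defaults instead of HashMap / HashSet.
        xstream.addDefaultImplementation(TreeMap.class, Map.class);
        xstream.addDefaultImplementation(TreeSet.class, Set.class);
        return xstream;
    }

    public static void main(String[] args) {
        // Constructed sample input using XStream's default <map> / <set> element names.
        String mapXml = "<map><entry><string>alpha</string><string>1</string></entry>"
                      + "<entry><string>beta</string><string>2</string></entry></map>";
        String setXml = "<set><string>b</string><string>a</string></set>";

        XStream xstream = buildXStream();

        Object map = xstream.fromXML(mapXml);
        Object set = xstream.fromXML(setXml);

        // With the defaults changed, both objects are tree-based; the caveat from
        // the changelog applies: every key/element must implement Comparable,
        // otherwise TreeMap.put / TreeSet.add throws ClassCastException during unmarshalling.
        System.out.println("map class: " + map.getClass().getName()); // java.util.TreeMap
        System.out.println("set class: " + set.getClass().getName()); // java.util.TreeSet
        System.out.println("map contents: " + map);                   // {alpha=1, beta=2}
        System.out.println("set contents: " + set);                   // [a, b]
    }
}
```

The changelog's caveat is the real cost of this approach: any XML that carries non-`Comparable` keys or elements now fails to deserialize, and code that relied on HashMap iteration order or on `null` keys will see different behaviour. Upgrading to a fixed package, which converts the stack overflow into an `InputManipulationException`, is the preferred fix; the default-implementation swap is only a stopgap for deployments that cannot update yet.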