Source: libxstream-java Version: 1.4.14-1 Severity: grave Tags: security upstream Justification: user security hole X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org> Control: found -1 1.4.11.1-1+deb10u1 Control: found -1 1.4.11.1-1
Hi, The following vulnerability was published for libxstream-java. CVE-2020-26259[0]: | XStream is a Java library to serialize objects to XML and back again. | In XStream before version 1.4.15, is vulnerable to an Arbitrary File | Deletion on the local host when unmarshalling. The vulnerability may | allow a remote attacker to delete arbitrary know files on the host as | log as the executing process has sufficient rights only by | manipulating the processed input stream. If you rely on XStream's | default blacklist of the Security Framework, you will have to use at | least version 1.4.15. The reported vulnerability does not exist | running Java 15 or higher. No user is affected, who followed the | recommendation to setup XStream's Security Framework with a whitelist! | Anyone relying on XStream's default blacklist can immediately switch | to a whilelist for the allowed types to avoid the vulnerability. Users | of XStream 1.4.14 or below who still want to use XStream default | blacklist can use a workaround described in more detailed in the | referenced advisories. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2020-26259 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26259 [1] https://github.com/x-stream/xstream/security/advisories/GHSA-jfvx-7wrx-43fh [2] https://x-stream.github.io/CVE-2020-26259.html Regards, Salvatore