Source: libxstream-java Version: 1.4.14-1 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org> Control: found -1 1.4.11.1-1+deb10u1 Control: found -1 1.4.11.1-1
Hi, The following vulnerability was published for libxstream-java. CVE-2020-26258[0]: | XStream is a Java library to serialize objects to XML and back again. | In XStream before version 1.4.15, a Server-Side Forgery Request | vulnerability can be activated when unmarshalling. The vulnerability | may allow a remote attacker to request data from internal resources | that are not publicly available only by manipulating the processed | input stream. If you rely on XStream's default blacklist of the | Security Framework, you will have to use at least version 1.4.15. The | reported vulnerability does not exist if running Java 15 or higher. No | user is affected who followed the recommendation to setup XStream's | Security Framework with a whitelist! Anyone relying on XStream's | default blacklist can immediately switch to a whilelist for the | allowed types to avoid the vulnerability. Users of XStream 1.4.14 or | below who still want to use XStream default blacklist can use a | workaround described in more detailed in the referenced advisories. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2020-26258 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26258 [1] https://github.com/x-stream/xstream/security/advisories/GHSA-4cch-wxpw-8p28 [2] https://x-stream.github.io/CVE-2020-26258.html Regards, Salvatore