Source: libxstream-java
Version: 1.4.15-2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,

The following vulnerability was published for libxstream-java.

CVE-2021-29505[0]:
| ### Impact
| The vulnerability may allow a remote attacker who has sufficient rights
| to execute commands on the host only by manipulating the processed
| input stream. No user who followed the recommendation to set up
| XStream's security framework with a whitelist limited to the minimal
| required types is affected.
|
| ### Patches
| If you rely on XStream's default blacklist of the Security Framework,
| you will have to use at least version 1.4.17.
|
| ### Workarounds
| See [workarounds](https://x-stream.github.io/security.html#workaround)
| for the different versions covering all CVEs.
|
| ### References
| See full information about the nature of the vulnerability and the
| steps to reproduce it in XStream's documentation for
| [CVE-2021-xxxxx](https://x-stream.github.io/CVE-2021-xxxxx.html).
|
| ### Credits
| V3geB1rd, white hat hacker from Tencent Security Response Center, found
| and reported the issue to XStream and provided the required information
| to reproduce it.
|
| ### For more information
| If you have any questions or comments about this advisory:
| * Open an issue in [XStream](https://github.com/x-stream/xstream/issues)
| * Email us at [XStream Google Group](https://groups.google.com/group/xstream-user)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-29505
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29505
[1] https://github.com/x-stream/xstream/security/advisories/GHSA-7chv-rrw6-w6fc

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
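The advisory above says that only deployments still relying on XStream's default blacklist are exposed, and that a whitelist "limited to the minimal required types" is the recommended mitigation. The following is an added example, written for this page and not taken from the advisory, the Debian package or the XStream project, of what that whitelist setup looks like against the public XStream 1.4.x security API (`addPermission`, `allowTypes`, `allowTypesByWildcard`, `ForbiddenClassException`). The application class `Order`, the `order` alias and the two sample documents are constructed for the demonstration; the `defaultXStream()` method only illustrates the blacklist-based configuration the advisory describes as affected and contains no exploit payload.

```java
import java.util.Collection;

import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamWhitelistDemo {

    // Hypothetical application type: the only object graph this parser should ever build.
    public static class Order {
        public String id;
        public int quantity;
    }

    /** The configuration the advisory calls affected: XStream 1.4.15 with only its built-in blacklist. */
    public static XStream defaultXStream() {
        XStream xstream = new XStream();
        xstream.alias("order", Order.class);
        return xstream; // any class not on the blacklist may still be instantiated from input
    }

    /** Deny-by-default configuration: every type must be explicitly allowed. */
    public static XStream hardenedXStream() {
        XStream xstream = new XStream();
        xstream.alias("order", Order.class);
        // Clear all implicit permissions first, so nothing is allowed by accident.
        xstream.addPermission(NoTypePermission.NONE);
        // Re-enable the minimum the application actually needs.
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { String.class, Order.class });
        // If the model is larger, allow a package tree instead of listing classes one by one,
        // and only widen to hierarchies (e.g. Collection) when the model really uses them:
        // xstream.allowTypesByWildcard(new String[] { "com.example.model.**" });
        // xstream.allowTypeHierarchy(Collection.class);
        return xstream;
    }

    /** Parses one document; returns the Order or null if the input named a forbidden type. */
    public static Order parseOrder(XStream xstream, String xml) {
        try {
            return (Order) xstream.fromXML(xml);
        } catch (ForbiddenClassException e) {
            // Raised by the security framework before any converter or constructor runs.
            System.err.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        XStream hardened = hardenedXStream();

        // Constructed sample input naming only whitelisted types.
        String good = "<order><id>A-17</id><quantity>3</quantity></order>";
        Order o = parseOrder(hardened, good);
        System.out.println("parsed order " + o.id + " x" + o.quantity);

        // Constructed sample input naming a JDK class that is harmless but not on the whitelist.
        // With hardenedXStream() this is refused; with defaultXStream() it would be instantiated.
        String unexpected = "<java.util.HashMap/>";
        Order rejected = parseOrder(hardened, unexpected);
        System.out.println("unexpected type rejected: " + (rejected == null));
    }
}
```

The important property is that `ForbiddenClassException` fires on the type name alone, so a payload built from JDK or third-party gadget classes never reaches a converter; the fix for the CVE above only extends the blacklist, whereas the whitelist makes the blacklist irrelevant. On Debian's 1.4.15 the whitelist has to be configured by hand as shown; upstream releases from 1.4.18 onward default to this deny-by-default behaviour.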