UbuntuUpdates.org

Package "libxstream-java"

Name: libxstream-java

Description:

Java library to serialize objects to XML and back again

Latest version: 1.4.18-2ubuntu0.1
Release: jammy (22.04)
Level: security
Repository: universe
Homepage: https://x-stream.github.io

Links


Download "libxstream-java"


Other versions of "libxstream-java" in Jammy

Repository Area Version
base universe 1.4.18-2
updates universe 1.4.18-2ubuntu0.1

Changelog

Version: 1.4.18-2ubuntu0.1 2023-03-13 13:06:54 UTC

  libxstream-java (1.4.18-2ubuntu0.1) jammy-security; urgency=medium

  * SECURITY UPDATE: Denial of Service
    - debian/patches/CVE-2022-41966.patch: XStream serializes Java objects to
      XML and back again. Prior versions may allow a remote attacker to
      terminate the application with a stack overflow error, resulting in a
      denial of service only via manipulation of the processed input stream.
      The attack uses the hash code implementation for collections and maps
      to force recursive hash calculation causing a stack overflow. This
      issue is patched in this version which handles the stack overflow and
      raises an InputManipulationException instead. A potential workaround
      for users who only use HashMap or HashSet and whose XML refers these
      only as default map or set, is to change the default implementation of
      java.util.Map and java.util per the code example in the referenced
      advisory. However, this implies that your application does not care
      about the implementation of the map and all elements are comparable.
      (Closes: #1027754)
    - CVE-2022-41966

 -- Amir Naseredini <email address hidden> Tue, 07 Mar 2023 11:39:13 +0000

1027754 libxstream-java: CVE-2022-41966
CVE-2022-41966 XStream serializes Java objects to XML and back again. Versions prior to 1.4.20 may allow a remote attacker to terminate the application with a stack



About   -   Send Feedback to @ubuntu_updates