Debian 10261 Published by

A libxstream-java security update has been released for Debian GNU/Linux 10 to address a vulnerable to the execution of arbitrary shell commands by manipulating the processed input stream.



DSA 4811-1: libxstream-java security update



- -------------------------------------------------------------------------
Debian Security Advisory DSA-4811-1 security@debian.org
  https://www.debian.org/security/ Moritz Muehlenhoff
December 15, 2020   https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : libxstream-java
CVE ID : CVE-2020-26217

It was discovered that the default blacklist of XStream, a Java library
to serialise objects to XML and back again, was vulnerable to the
execution of arbitrary shell commands by manipulating the processed
input stream.

For additional defense-in-depth it is recommended to switch to the
whitelist approach of XStream's security framework. For additional
information please refer to
  https://github.com/x-stream/xstream/security/advisories/GHSA-mw36-7c6c-q4q2

For the stable distribution (buster), this problem has been fixed in
version 1.4.11.1-1+deb10u1.

We recommend that you upgrade your libxstream-java packages.

For the detailed security status of libxstream-java please refer to
its security tracker page at:
  https://security-tracker.debian.org/tracker/libxstream-java

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at:   https://www.debian.org/security/