A libxstream-java security update has been released for Debian GNU/Linux 9 Extended LTS to address an issue where a remote attacker can terminate the application with a stack overflow error, resulting in a denial of service only via manipulation of the processed input stream.
ELA-771-1 libxstream-java security update
Package : libxstream-java
ELA-771-1 libxstream-java security update
Version : 1.4.11.1-1+deb8u6 (jessie), 1.4.11.1-1+deb9u6 (stretch)
Related CVEs :
CVE-2022-41966
XStream serializes Java objects to XML and back again. Versions prior to this update may allow a remote attacker to terminate the application with a stack overflow error, resulting in a denial of service only via manipulation of the processed input stream. The attack uses the hash code implementation for collections and maps to force recursive hash calculation causing a stack overflow. This update handles the stack overflow and raises an InputManipulationException instead.
