libxstream-java: vulnerable to CVE-2021-391{{39..41},{44..54}}

Debian Bug report logs - #998054

Reported by: Alex Thiessen <alex.thiessen.de+debian@gmail.com>

Date: Fri, 29 Oct 2021 08:00:02 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in version libxstream-java/1.4.15-3

Fixed in version libxstream-java/1.4.18-1

Done: Salvatore Bonaccorso <carnil@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, alex.thiessen.de+debian@gmail.com, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#998054; Package libxstream-java. (Fri, 29 Oct 2021 08:00:04 GMT)


Acknowledgement sent to Alex Thiessen <alex.thiessen.de+debian@gmail.com>:
New Bug report received and forwarded. Copy sent to alex.thiessen.de+debian@gmail.com, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Fri, 29 Oct 2021 08:00:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Alex Thiessen <alex.thiessen.de+debian@gmail.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libxstream-java: vulnerable to CVE-2021-391{{39..41},{44..54}}
Date: Fri, 29 Oct 2021 07:49:02 +0000
Package: libxstream-java
Version: 1.4.15-3
Severity: important
X-Debbugs-Cc: alex.thiessen.de+debian@gmail.com

Dear Maintainer,

   * What led up to the situation?
     Package installed, the machine scanned by the IT department and
     found vulnerable to a set of CVEs. According to
     https://x-stream.github.io/security.html, it's:

     - CVE-2021-39139	XStream is vulnerable to an Arbitrary Code Execution attack.
     - CVE-2021-39140	XStream can cause a Denial of Service.
     - CVE-2021-39141	XStream is vulnerable to an Arbitrary Code Execution attack.
     - CVE-2021-39144	XStream is vulnerable to a Remote Command Execution attack.
     - CVE-2021-39145	XStream is vulnerable to an Arbitrary Code Execution attack.
     - CVE-2021-39146	XStream is vulnerable to an Arbitrary Code Execution attack.
     - CVE-2021-39147	XStream is vulnerable to an Arbitrary Code Execution attack.
     - CVE-2021-39148	XStream is vulnerable to an Arbitrary Code Execution attack.
     - CVE-2021-39149	XStream is vulnerable to an Arbitrary Code Execution attack.
     - CVE-2021-39150	A Server-Side Forgery Request can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host.
     - CVE-2021-39151	XStream is vulnerable to an Arbitrary Code Execution attack.
     - CVE-2021-39152	A Server-Side Forgery Request can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host.
     - CVE-2021-39153	XStream is vulnerable to an Arbitrary Code Execution attack.
     - CVE-2021-39154	XStream is vulnerable to an Arbitrary Code Execution attack.

   * What exactly did you do (or not do) that was effective (or
     ineffective)?
     Checked Debian website for security fixes of the package. Checked
     the changelog to see if the CVEs were fixed by a patch.

   * What was the outcome of this action?
     No newer version with CVEs fixed available for Debian stable to
     install out of the box.

   * What outcome did you expect instead?
     A package with the CVEs fixed.


-- System Information:
Debian Release: 11.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-9-amd64 (SMP w/12 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

Versions of packages libxstream-java depends on:
ii  libxpp3-java  1.1.4c-3

libxstream-java recommends no packages.

Versions of packages libxstream-java suggests:
pn  libcglib-nodep-java  <none>
pn  libdom4j-java        <none>
pn  libjdom1-java        <none>
pn  libjdom2-java        <none>
pn  libjettison-java     <none>
pn  libjoda-time-java    <none>
pn  libkxml2-java        <none>
pn  libwoodstox-java     <none>
pn  libxom-java          <none>

-- no debconf information
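
A check for the situation described in this report, added here as an example that is not part of the bug log or of the Debian package: a pure-Python port of dpkg's version ordering that decides whether an installed libxstream-java version sorts below the fixed version 1.4.18-1 recorded above. The dpkg-query output it parses is constructed for the example, and FIXED_VERSION, compare_versions, is_vulnerable and installed_version are names chosen here, not anything from dpkg or XStream.

```python
"""Decide whether an installed Debian libxstream-java predates the fix
recorded in bug #998054 (1.4.18-1), using a pure-Python port of dpkg's
version ordering so the check runs on any host, not only Debian."""

FIXED_VERSION = "1.4.18-1"  # "Fixed in version" from the bug log
PACKAGE = "libxstream-java"


def _isdigit(c):
    return "0" <= c <= "9"


def _order(c):
    # Weight of one character in dpkg's non-digit comparison: '~' sorts
    # before everything (even end of string), letters by code point,
    # other punctuation after letters; end of string and digits are 0.
    if c == "~":
        return -1
    if _isdigit(c):
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """Port of dpkg's verrevcmp(): alternate non-digit and numeric runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit runs compare character by character via _order().
        while (i < len(a) and not _isdigit(a[i])) or (j < len(b) and not _isdigit(b[j])):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Numeric runs compare as integers: drop leading zeros, then the
        # longer run wins, otherwise the first differing digit decides.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and _isdigit(a[i]) and _isdigit(b[j]):
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and _isdigit(a[i]):
            return 1
        if j < len(b) and _isdigit(b[j]):
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split 'epoch:upstream-revision' into its three dpkg components."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1, matching dpkg --compare-versions a lt/eq/gt b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def is_vulnerable(installed, fixed=FIXED_VERSION):
    """True when the installed version sorts below the first fixed one."""
    return compare_versions(installed, fixed) < 0


def installed_version(dpkg_query_output, package=PACKAGE):
    r"""Pull one package's version out of lines shaped like the output of
    dpkg-query -W -f '${Package}\t${Version}\n'; None if not installed."""
    for line in dpkg_query_output.splitlines():
        fields = line.split("\t")
        if len(fields) == 2 and fields[0] == package:
            return fields[1]
    return None


# Constructed sample, mirroring the reporter's system (1.4.15-3 installed).
SAMPLE_DPKG_QUERY = "libxpp3-java\t1.1.4c-3\nlibxstream-java\t1.4.15-3\n"

if __name__ == "__main__":
    v = installed_version(SAMPLE_DPKG_QUERY)
    print(f"{PACKAGE} {v}: {'VULNERABLE' if is_vulnerable(v) else 'fixed'}")
```

The comparison follows the same rules as `dpkg --compare-versions`, including `~` sorting before the empty string and a `+debNuN` revision suffix sorting after the bare revision, so it can run on a scanner host or in CI where dpkg is not installed. The caveat is the one behind this report: comparing against 1.4.18-1 only says whether the new upstream release is installed. A distribution backport that fixes the CVEs would keep the old upstream version with a suffix such as +deb11u1 and would still read as vulnerable here, so treat a "VULNERABLE" result as "check the Debian security tracker for this package", not as a confirmed finding.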



Marked as fixed in versions libxstream-java/1.4.18-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 29 Oct 2021 20:03:05 GMT)


Marked Bug as done. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 29 Oct 2021 20:03:05 GMT)


Notification sent to Alex Thiessen <alex.thiessen.de+debian@gmail.com>:
Bug acknowledged by developer. (Fri, 29 Oct 2021 20:03:06 GMT)


Message sent on to Alex Thiessen <alex.thiessen.de+debian@gmail.com>:
Bug#998054. (Fri, 29 Oct 2021 20:03:07 GMT)


Message #14 received at 998054-submitter@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: control@bugs.debian.org
Cc: 998054-submitter@bugs.debian.org
Subject: closing 998054
Date: Fri, 29 Oct 2021 22:00:32 +0200
close 998054 1.4.18-1
thanks

Track the fixed version containing the fix already in unstable.




Added tag(s) fixed-upstream, security, and upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 29 Oct 2021 20:06:03 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Oct 30 14:36:49 2021; Machine Name: buxtehude