libxstream-java: CVE-2021-21341 CVE-2021-21342 CVE-2021-21343 CVE-2021-21344 CVE-2021-21345 CVE-2021-21346 CVE-2021-21347 CVE-2021-21348 CVE-2021-21349 CVE-2021-21350 CVE-2021-21351

Debian Bug report logs - #985843


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 24 Mar 2021 18:33:02 UTC

Severity: important

Tags: security, upstream

Found in version libxstream-java/1.4.15-1



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#985843; Package src:libxstream-java. (Wed, 24 Mar 2021 18:33:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Wed, 24 Mar 2021 18:33:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libxstream-java: CVE-2021-21341 CVE-2021-21342 CVE-2021-21343 CVE-2021-21344 CVE-2021-21345 CVE-2021-21346 CVE-2021-21347 CVE-2021-21348 CVE-2021-21349 CVE-2021-21350 CVE-2021-21351
Date: Wed, 24 Mar 2021 19:28:01 +0100
Source: libxstream-java
Version: 1.4.15-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerabilities were published for libxstream-java.

CVE-2021-21341[0]:
| XStream is a Java library to serialize objects to XML and back again.
| In XStream before version 1.4.16, there is a vulnerability which may
| allow a remote attacker to allocate 100% CPU time on the target system
| depending on CPU type or parallel execution of such a payload,
| resulting in a denial of service only by manipulating the processed
| input stream. No user is affected who followed the recommendation to
| set up XStream's security framework with a whitelist limited to the
| minimal required types. If you rely on XStream's default blacklist of
| the Security Framework, you will have to use at least version 1.4.16.


CVE-2021-21342[1]:
| XStream is a Java library to serialize objects to XML and back again.
| In XStream before version 1.4.16, there is a vulnerability where the
| processed stream at unmarshalling time contains type information to
| recreate the formerly written objects. XStream therefore creates new
| instances based on this type information. An attacker can manipulate
| the processed input stream and replace or inject objects that result
| in a server-side forgery request. No user is affected who followed
| the recommendation to set up XStream's security framework with a
| whitelist limited to the minimal required types. If you rely on
| XStream's default blacklist of the Security Framework, you will have
| to use at least version 1.4.16.


CVE-2021-21343[2]:
| XStream is a Java library to serialize objects to XML and back again.
| In XStream before version 1.4.16, there is a vulnerability where the
| processed stream at unmarshalling time contains type information to
| recreate the formerly written objects. XStream therefore creates new
| instances based on this type information. An attacker can manipulate
| the processed input stream and replace or inject objects that result
| in the deletion of a file on the local host. No user is affected who
| followed the recommendation to set up XStream's security framework
| with a whitelist limited to the minimal required types. If you rely on
| XStream's default blacklist of the Security Framework, you will have
| to use at least version 1.4.16.


CVE-2021-21344[3]:
| XStream is a Java library to serialize objects to XML and back again.
| In XStream before version 1.4.16, there is a vulnerability which may
| allow a remote attacker to load and execute arbitrary code from a
| remote host only by manipulating the processed input stream. No user
| is affected who followed the recommendation to set up XStream's
| security framework with a whitelist limited to the minimal required
| types. If you rely on XStream's default blacklist of the Security
| Framework, you will have to use at least version 1.4.16.


CVE-2021-21345[4]:
| XStream is a Java library to serialize objects to XML and back again.
| In XStream before version 1.4.16, there is a vulnerability which may
| allow a remote attacker who has sufficient rights to execute commands
| on the host only by manipulating the processed input stream. No user
| is affected who followed the recommendation to set up XStream's
| security framework with a whitelist limited to the minimal required
| types. If you rely on XStream's default blacklist of the Security
| Framework, you will have to use at least version 1.4.16.


CVE-2021-21346[5]:
| XStream is a Java library to serialize objects to XML and back again.
| In XStream before version 1.4.16, there is a vulnerability which may
| allow a remote attacker to load and execute arbitrary code from a
| remote host only by manipulating the processed input stream. No user
| is affected who followed the recommendation to set up XStream's
| security framework with a whitelist limited to the minimal required
| types. If you rely on XStream's default blacklist of the Security
| Framework, you will have to use at least version 1.4.16.


CVE-2021-21347[6]:
| XStream is a Java library to serialize objects to XML and back again.
| In XStream before version 1.4.16, there is a vulnerability which may
| allow a remote attacker to load and execute arbitrary code from a
| remote host only by manipulating the processed input stream. No user
| is affected who followed the recommendation to set up XStream's
| security framework with a whitelist limited to the minimal required
| types. If you rely on XStream's default blacklist of the Security
| Framework, you will have to use at least version 1.4.16.


CVE-2021-21348[7]:
| XStream is a Java library to serialize objects to XML and back again.
| In XStream before version 1.4.16, there is a vulnerability which may
| allow a remote attacker to occupy a thread that consumes maximum CPU
| time and will never return. No user is affected who followed the
| recommendation to set up XStream's security framework with a whitelist
| limited to the minimal required types. If you rely on XStream's
| default blacklist of the Security Framework, you will have to use at
| least version 1.4.16.


CVE-2021-21349[8]:
| XStream is a Java library to serialize objects to XML and back again.
| In XStream before version 1.4.16, there is a vulnerability which may
| allow a remote attacker to request data from internal resources that
| are not publicly available only by manipulating the processed input
| stream. No user is affected who followed the recommendation to set up
| XStream's security framework with a whitelist limited to the minimal
| required types. If you rely on XStream's default blacklist of the
| Security Framework, you will have to use at least version 1.4.16.


CVE-2021-21350[9]:
| XStream is a Java library to serialize objects to XML and back again.
| In XStream before version 1.4.16, there is a vulnerability which may
| allow a remote attacker to execute arbitrary code only by manipulating
| the processed input stream. No user is affected who followed the
| recommendation to set up XStream's security framework with a whitelist
| limited to the minimal required types. If you rely on XStream's
| default blacklist of the Security Framework, you will have to use at
| least version 1.4.16.


CVE-2021-21351[10]:
| XStream is a Java library to serialize objects to XML and back again.
| In XStream before version 1.4.16, there is a vulnerability which may
| allow a remote attacker to load and execute arbitrary code from a
| remote host only by manipulating the processed input stream. No user
| is affected who followed the recommendation to set up XStream's
| security framework with a whitelist limited to the minimal required
| types. If you rely on XStream's default blacklist of the Security
| Framework, you will have to use at least version 1.4.16.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-21341
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21341
[1] https://security-tracker.debian.org/tracker/CVE-2021-21342
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21342
[2] https://security-tracker.debian.org/tracker/CVE-2021-21343
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21343
[3] https://security-tracker.debian.org/tracker/CVE-2021-21344
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21344
[4] https://security-tracker.debian.org/tracker/CVE-2021-21345
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21345
[5] https://security-tracker.debian.org/tracker/CVE-2021-21346
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21346
[6] https://security-tracker.debian.org/tracker/CVE-2021-21347
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21347
[7] https://security-tracker.debian.org/tracker/CVE-2021-21348
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21348
[8] https://security-tracker.debian.org/tracker/CVE-2021-21349
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21349
[9] https://security-tracker.debian.org/tracker/CVE-2021-21350
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21350
[10] https://security-tracker.debian.org/tracker/CVE-2021-21351
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21351

Regards,
Salvatore
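The whitelist that every description above recommends, as an added example that is not part of the bug report or of the XStream project's own code: an XStream instance whose default blacklist is replaced by a deny-all permission, with only a constructed `Greeting` type plus String, primitives and null re-allowed, so that a document naming any other type is rejected before anything is instantiated. It assumes XStream 1.4.7 or later (the version range in which the security framework API exists).

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowlistDemo {

    // Constructed sample type: the only class this application needs to unmarshal.
    public static class Greeting {
        public String text;
    }

    // Hardened setup: new XStream() starts with the default blacklist, which is the
    // configuration the advisory says is insufficient before 1.4.16. Adding
    // NoTypePermission.NONE clears it and denies every type; the following calls
    // then re-allow only the minimal set the application actually needs.
    static XStream hardened() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);              // deny everything first
        xs.addPermission(NullPermission.NULL);                // allow null values
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES); // allow int, boolean, ...
        xs.allowTypes(new Class[] { String.class, Greeting.class });
        xs.alias("greeting", Greeting.class);
        return xs;
    }

    public static void main(String[] args) {
        XStream xs = hardened();

        // Constructed document of the expected shape: unmarshals because
        // Greeting (and String for its field) are on the allowlist.
        String expected = "<greeting><text>hello</text></greeting>";
        Greeting g = (Greeting) xs.fromXML(expected);
        System.out.println("unmarshalled: " + g.text);

        // Constructed document whose root element names a type outside the
        // allowlist. The type itself is an ordinary JDK class; the point is that
        // XStream refuses it when resolving the type, before creating an instance.
        String unexpected = "<java.util.HashMap/>";
        try {
            xs.fromXML(unexpected);
            System.out.println("BUG: type outside allowlist was instantiated");
        } catch (ForbiddenClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

A type that is not on the allowlist surfaces as `ForbiddenClassException` at the unmarshalling call, so a deployment can also log and count these exceptions as a detection signal for manipulated input streams.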





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Mar 25 12:07:20 2021; Machine Name: bembo
