Package: libxstream-java / 1.4.7-2+deb8u2

Metadata

Package: libxstream-java
Version: 1.4.7-2+deb8u2
Patches format: 3.0 (quilt)

Patch series

Patch: CVE 2016 3674.patch
File delta:

xstream/src/java/com/thoughtworks/xstream/io/xml/BEAStaxDriver.java | 4 (+3, -1)
xstream/src/java/com/thoughtworks/xstream/io/xml/Dom4JDriver.java | 30 (+22, -8)
xstream/src/java/com/thoughtworks/xstream/io/xml/DomDriver.java | 26 (+24, -2)
xstream/src/java/com/thoughtworks/xstream/io/xml/JDom2Driver.java | 20 (+16, -4)
xstream/src/java/com/thoughtworks/xstream/io/xml/JDomDriver.java | 20 (+16, -4)
xstream/src/java/com/thoughtworks/xstream/io/xml/SjsxpDriver.java | 4 (+3, -1)
xstream/src/java/com/thoughtworks/xstream/io/xml/StandardStaxDriver.java | 4 (+3, -1)
xstream/src/java/com/thoughtworks/xstream/io/xml/StaxDriver.java | 4 (+3, -1)
xstream/src/java/com/thoughtworks/xstream/io/xml/WstxDriver.java | 4 (+3, -1)
xstream/src/java/com/thoughtworks/xstream/io/xml/XomDriver.java | 8 (+4, -4)
10 files changed, 97 insertions(+), 27 deletions(-)

Description: CVE-2016-3674: XML external entity injection vulnerability

Patch: CVE 2017 7957.patch
File delta:

xstream/src/java/com/thoughtworks/xstream/converters/reflection/SunLimitedUnsafeReflectionProvider.java | 3 (+3, -0)
xstream/src/java/com/thoughtworks/xstream/security/PrimitiveTypePermission.java | 5 (+3, -2)
xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java | 21 (+21, -0)
3 files changed, 27 insertions(+), 2 deletions(-)

Description: Fixes CVE-2017-7957: when a certain denyTypes workaround is not used, XStream mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML("<void/>") call.