File: changelog

package info (click to toggle)
libxstream-java 1.4.20-1%2Bdeb12u1
  • links: PTS, VCS
  • area: main
  • in suites: bookworm
  • size: 6,744 kB
  • sloc: java: 52,420; xml: 2,994; sh: 34; makefile: 2
file content (353 lines) | stat: -rw-r--r-- 12,614 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
 
libxstream-java (1.4.20-1+deb12u1) bookworm; urgency=medium

  * Team upload
  * Fix CVE-2024-47072: XStream is vulnerable to a
    Denial of Service attack due to stack overflow
    from a manipulated binary input stream.
    (Closes: #1087274)

 -- Bastien Roucariès <rouca@debian.org>  Sun, 22 Dec 2024 10:12:11 +0000

libxstream-java (1.4.20-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 1.4.20.
    - Fix CVE-2022-41966: (Closes: #1027754)
      XStream serializes Java objects to XML and back again. Versions prior to
      1.4.20 may allow a remote attacker to terminate the application with a
      stack overflow error, resulting in a denial of service only via
      manipulation the processed input stream. The attack uses the hash code
      implementation for collections and maps to force recursive hash
      calculation causing a stack overflow. This issue is patched in version
      1.4.20 which handles the stack overflow and raises an
      InputManipulationException instead. A potential workaround for users who
      only use HashMap or HashSet and whose XML refers these only as default
      map or set, is to change the default implementation of java.util.Map and
      java.util per the code example in the referenced advisory. However, this
      implies that your application does not care about the implementation of
      the map and all elements are comparable.
  * Declare compliance with Debian Policy 4.6.2.

 -- Markus Koschany <apo@debian.org>  Wed, 11 Jan 2023 13:15:53 +0100

libxstream-java (1.4.19-1) unstable; urgency=medium

  * New upstream release
    - Fixes CVE-2021-43859: Denial of Service when unmarshalling highly
      recursive collections or maps
  * Standards-Version updated to 4.6.1

 -- Emmanuel Bourg <ebourg@apache.org>  Wed, 25 May 2022 09:11:51 +0200

libxstream-java (1.4.18-2) unstable; urgency=medium

  * Team upload.
  * Depend on libxpp3-java.
    Sice mxparser has not been packaged yet we still need to depend on
    libxpp3-java in order to not break any reverse-dependencies.

 -- Markus Koschany <apo@debian.org>  Mon, 27 Sep 2021 23:24:18 +0200

libxstream-java (1.4.18-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 1.4.18.
  * Declare compliance with Debian Policy 4.6.0.
  * Drop support for mxparser for now.

 -- Markus Koschany <apo@debian.org>  Fri, 27 Aug 2021 16:20:01 +0200

libxstream-java (1.4.15-4) unstable; urgency=medium

  * Team upload.

  * Set upstream metadata fields: Bug-Database, Bug-Submit, Repository,
    Repository-Browse.
  * Update pattern for GitHub archive URLs from /<org>/<repo>/tags
    page/<org>/<repo>/archive/<tag> -> /<org>/<repo>/archive/refs/tags/<tag>.
  * debian/control
    - Add Rules-Requires-Root: no
  * Add debian/salsa-ci.yml

 -- Hideki Yamane <henrich@debian.org>  Thu, 01 Jul 2021 20:40:12 +0900

libxstream-java (1.4.15-3) unstable; urgency=medium

  * Team upload.
  * debian/patches
    - Add 0004-Fix-CVE-2021-29505-from-upstream-commit-Closes-98949.patch to
      deal with CVE-2021-29505 (Closes: 98949)

      For more detail, see
      https://github.com/x-stream/xstream/security/advisories/GHSA-7chv-rrw6-w6fc

 -- Hideki Yamane <henrich@debian.org>  Thu, 17 Jun 2021 21:45:48 +0900

libxstream-java (1.4.15-2) unstable; urgency=high

  * Team upload.
  * Fix CVE-2021-21341 to CVE-2021-21351:
    In XStream there is a vulnerability which may allow a remote attacker to
    load and execute arbitrary code from a remote host only by manipulating the
    processed input stream.

    The type hierarchies for java.io.InputStream, java.nio.channels.Channel,
    javax.activation.DataSource and javax.sql.rowsel.BaseRowSet are now
    blacklisted as well as the individual types
    com.sun.corba.se.impl.activation.ServerTableEntry,
    com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator,
    sun.awt.datatransfer.DataTransferer$IndexOrderComparator, and
    sun.swing.SwingLazyValue. Additionally the internal type
    Accessor$GetterSetterReflection of JAXB, the internal types
    MethodGetter$PrivilegedGetter and ServiceFinder$ServiceNameIterator of
    JAX-WS, all inner classes of javafx.collections.ObservableList and an
    internal ClassLoader used in a private BCEL copy are now part of the
    default blacklist and the deserialization of XML containing one of the two
    types will fail. You will have to enable these types by explicit
    configuration, if you need them.

 -- Markus Koschany <apo@debian.org>  Sat, 03 Apr 2021 19:17:05 +0200

libxstream-java (1.4.15-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 1.4.15. (Closes: #977624, #977625)
    - Fix CVE-2020-26258: A Server-Side Forgery Request can be activated
      unmarshalling with XStream to access data streams from an arbitrary URL
      referencing a resource in an intranet or the local host.
    - Fix CVE-2020-26259: XStream is vulnerable to an Arbitrary File Deletion
      on the local host when unmarshalling as long as the executing process has
      sufficient rights.
    Thanks to Salvatore Bonaccorso for the report.
  * Ignore dependency on libjaxws-java.

 -- Markus Koschany <apo@debian.org>  Fri, 18 Dec 2020 01:51:35 +0100

libxstream-java (1.4.14-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 1.4.14.
    - Fix CVE-2020-26217: may allow a remote attacker to run arbitrary shell
      commands only by manipulating the processed input stream.
  * Switch to debhelper-compat = 13.
  * Declare compliance with Debian Policy 4.5.1.
  * Ignore org.apache.maven.plugins:maven-antrun-plugin:jar.

 -- Markus Koschany <apo@debian.org>  Thu, 19 Nov 2020 20:46:52 +0100

libxstream-java (1.4.11.1-2) unstable; urgency=medium

  * Removed the dependency on libstax-java
  * Standards-Version updated to 4.5.0
  * Use salsa.debian.org Vcs-* URLs

 -- Emmanuel Bourg <ebourg@apache.org>  Sun, 05 Apr 2020 23:08:19 +0200

libxstream-java (1.4.11.1-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 1.4.11.1.

 -- Markus Koschany <apo@debian.org>  Sun, 11 Nov 2018 00:04:59 +0100

libxstream-java (1.4.11-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 1.4.11.
  * Switch to compat level 11.
  * Declare compliance with Debian Policy 4.2.1.
  * Build-depend on libjaxb-api-java to fix FTBFS with Java 11.
    (Closes: #912377)
  * Add a new maven rule for xpp3 to fix a FTBFS.
  * Remove Damien Raude-Morvan from Uploaders. (Closes: #889445)

 -- Markus Koschany <apo@debian.org>  Sat, 10 Nov 2018 22:56:01 +0100

libxstream-java (1.4.10-1) unstable; urgency=medium

  * New upstream release
    - Removed CVE-2017-7957.patch (fixed upstream)
  * Standards-Version updated to 3.9.8
  * Switch to debhelper level 10

 -- Emmanuel Bourg <ebourg@apache.org>  Tue, 20 Jun 2017 10:22:33 +0200

libxstream-java (1.4.9-2) unstable; urgency=medium

  * Fixed CVE-2017-7957: Attempts to create an instance of the primitive
    type 'void' during unmarshalling lead to a remote application crash.
    (Closes: #861521)

 -- Emmanuel Bourg <ebourg@apache.org>  Tue, 02 May 2017 16:52:35 +0200

libxstream-java (1.4.9-1) unstable; urgency=medium

  * New upstream release
    - Fixes CVE-2016-3674: XML External Entity vulnerability (Closes: #819455)
    - Ignore the new xstream-jmh module
    - Updated the Maven rules
  * No longer build the xstream-benchmark module (never used in Debian)
  * Build with maven-debian-helper
  * Depend on libcglib-nodep-java instead of libcglib3-java
  * Standards-Version updated to 3.9.7 (no changes)
  * Use secure Vcs-* fields
  * Updated the old references to codehaus.org

 -- Emmanuel Bourg <ebourg@apache.org>  Tue, 29 Mar 2016 12:05:49 +0200

libxstream-java (1.4.8-1) unstable; urgency=medium

  * New upstream release
  * Added a patch to compile with Java 7
  * Moved the package to Git

 -- Emmanuel Bourg <ebourg@apache.org>  Wed, 29 Apr 2015 17:53:25 +0200

libxstream-java (1.4.7-2) unstable; urgency=medium

  * Depend on libcglib3-java instead of libcglib-java
  * Standards-Version updated to 3.9.6 (no changes)

 -- Emmanuel Bourg <ebourg@apache.org>  Mon, 29 Sep 2014 19:53:09 +0200

libxstream-java (1.4.7-1) unstable; urgency=low

  * New upstream release
    - Fixes CVE-2013-7285 (Closes: #734821)
    - Added a dependency on libjdom2-java
  * Standards-Version updated to 3.9.5 (no changes)
  * Use XZ compression for the upstream tarball
  * Build depend on debhelper >= 9
  * debian/copyright: Updated to the Copyright Format 1.0

 -- Emmanuel Bourg <ebourg@apache.org>  Wed, 12 Mar 2014 14:06:33 +0100

libxstream-java (1.4.4-1) unstable; urgency=low

  * New upstream release
  * Update Standards-Version: 3.9.4 (no changes)
  * Use canonical URLs for the Vcs-* fields
  * debian/rules: Improved the clean target to allow rebuilds

 -- Emmanuel Bourg <ebourg@apache.org>  Tue, 02 Jul 2013 22:38:00 +0200

libxstream-java (1.4.2-1) unstable; urgency=low

  [ tony mancill ]
  * Remove Michael Koch from Uploaders (Closes: #654106)
  * Update Standards-Version: 3.9.3.

  [ Damien Raude-Morvan ]
  * New upstream release (Closes: #655908)
    - Add Build-Depends on libstax-java, libwoodstox-java, libstax2-api-java
      and libkxml2-java (and Suggests).
  * Use maven-ant-helper for build:
    - Add Build-Depends on maven-ant-helper.
    - New debian/build.xml.
    - Drop patch on MANIFEST.MF update and use jh_manifest.
    - Add Build-Depends on javahelper.
  * Add myself as Uploader.

 -- Damien Raude-Morvan <drazzib@debian.org>  Mon, 28 May 2012 23:14:16 +0200

libxstream-java (1.3.1-7) unstable; urgency=low

  * Switch to source format 3.0.
  * Update Standards-Version: 3.9.1.

 -- Torsten Werner <twerner@debian.org>  Thu, 18 Aug 2011 15:01:00 +0200

libxstream-java (1.3.1-6) unstable; urgency=low

  [ Onkar Shinde ]
  * debian/control
    - Add quilt build dependency.
  * debian/rules
    - Include patchsys-quilt.mk rule.
  * debian/patches/01_fix_classpath.diff
    - Add appropriate jar files in classpath using manifest attribute.
      (LP: #457660)
  * debian/patches/series
    - Create new and include the new patch added.
  * debian/README.source
    - Add to comply with policy.

  [ Michael Koch ]
  * Added myself to Uploaders.

 -- Michael Koch <konqueror@gmx.de>  Wed, 04 Nov 2009 21:10:05 +0100

libxstream-java (1.3.1-5) unstable; urgency=low

  * Switch to default-jdk
  * Build-Depends: replace cglib2.1 with cglib (Closes: #550613)
  * Bump Standards-Version to 3.8.3
  * Bump dh compat to 7

 -- Varun Hiremath <varun@debian.org>  Thu, 15 Oct 2009 14:35:55 -0400

libxstream-java (1.3.1-4) unstable; urgency=low

  * Add missing dependencies to Depends and Suggests

 -- Ludovic Claude <ludovic.claude@laposte.net>  Fri, 14 Aug 2009 23:30:34 +0100

libxstream-java (1.3.1-3) unstable; urgency=low

  * Upload to unstable.

 -- Torsten Werner <twerner@debian.org>  Sun, 09 Aug 2009 12:57:52 +0200

libxstream-java (1.3.1-2) experimental; urgency=low

  * Change section to java
  * Bump up Standards-Version to 3.8.2
  * Add ${misc:Depends} to Depends to clear Lintian warnings
  * Remove Depends on Java runtimes as it is a library
  * Add the Maven POM to the package
  * Add a Build-Depends-Indep dependency on maven-repo-helper

 -- Ludovic Claude <ludovic.claude@laposte.net>  Tue, 28 Jul 2009 20:51:09 +0100

libxstream-java (1.3.1-1) unstable; urgency=low

  * New upstream release
  * Minor cleanups

 -- Torsten Werner <twerner@debian.org>  Thu, 01 Jan 2009 01:20:34 +0100

libxstream-java (1.3-4) unstable; urgency=low

  * Fix java bytecode / java runtime version mismatch by setting -source
    and -target to 1.5 (Closes: #503789)

 -- Varun Hiremath <varun@debian.org>  Sat, 01 Nov 2008 11:41:26 -0400

libxstream-java (1.3-3) unstable; urgency=low

  * Really move package to main.

 -- Torsten Werner <twerner@debian.org>  Mon, 11 Aug 2008 18:13:41 +0200

libxstream-java (1.3-2) unstable; urgency=low

  * Build package with OpenJDK now.
  * Move package to main.
  * Bump Standards-Version: 3.8.0 (no changes needed).

 -- Torsten Werner <twerner@debian.org>  Mon, 11 Aug 2008 17:50:31 +0200

libxstream-java (1.3-1) unstable; urgency=low

  * New upstream release
  * Add myself to Uploaders
  * Bump Standards-Version to 3.7.3
  * Remove patches/encoding.diff - not required

 -- Varun Hiremath <varun@debian.org>  Thu, 28 Feb 2008 15:30:34 +0530

libxstream-java (1.2.2-1) unstable; urgency=low

  * initial version (Closes: #453149)

 -- Torsten Werner <twerner@debian.org>  Sat, 24 Nov 2007 00:01:40 +0100