
Propose to ignore libxstream-java CVEs



Hi fellow LTS contributors

I have helped Thorsten (this week's front desk) to triage the java packages.

The problem in the libxstream-java is that there are a lot of ways arbitrary code can be executed. The upstream fix is to make the recommended way to use the library the default. The recommendation is to use a white-list instead of a blacklist. The default has changed now in the latest fixed version. As I see it this is a non-backwards compatible change and may break packages if they rely on xml that is not in the default whitelist. Therefore I suggest ignoring these CVEs.

Thorsten had the following opinion on my suggestion to ignore these CVEs.
"I don't like this blacklist/whitelist stuff and I even more dislike when defaults change. But I also dislike ignoring CVEs with a real issue. So, I don't have a good solution for it and ignoring might be appropriate ..."

I see the following alternatives:
1) Ignore the issues. The motivation is that if the recommended practices are followed by application developers the software is not exploitable.
2) Develop our own fixes in a similar way to how earlier CVEs have been fixed. I guess upstream got tired of making a lot of special fixes... I suggest not, since this would diverge from how upstream has handled it.
3) Backport the backwards incompatible change. I recommend not to do this since it is likely to break software.

I'm writing this email to inform you that I plan to mark the CVEs as ignored, but I want you to have the possibility to comment on this.

Cheers

// Ola

--
 --- Inguza Technology AB --- MSc in Information Technology ----
|  ola@inguza.com                    opal@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------
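For readers of this thread who want to see what the "recommended way" in the message above looks like in practice, here is an added example (not part of Ola's mail, the Debian package, or XStream's own code) of an application configuring XStream 1.4.x with an explicit allowlist instead of relying on the library's default permissions. The `Order` class and the `com.example.app.model.**` package pattern are assumptions invented for the example; the `addPermission`, `allowTypes`, `allowTypesByWildcard` and `ForbiddenClassException` API is XStream's documented security framework.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowlistExample {

    // Hypothetical application type used only for this example.
    public static final class Order {
        String id;
        int quantity;
    }

    // Build an XStream instance that deserializes only the types the
    // application explicitly permits. This is the allowlist ("white-list")
    // approach the thread refers to, applied by the application itself rather
    // than depending on whichever default the installed library version ships.
    public static XStream configuredXStream() {
        XStream xstream = new XStream();

        // Deny-all baseline: clears every default permission.
        xstream.addPermission(NoTypePermission.NONE);

        // Re-enable the harmless building blocks: null and primitive/boxed types.
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);

        // Explicitly allow the application's own model types (and String).
        xstream.allowTypes(new Class[] { Order.class, String.class });
        // Assumed package of the application's model classes.
        xstream.allowTypesByWildcard(new String[] { "com.example.app.model.**" });

        xstream.alias("order", Order.class);
        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = configuredXStream();

        // Constructed sample document that matches the allowlist.
        String accepted = "<order><id>A-1</id><quantity>2</quantity></order>";
        Order order = (Order) xstream.fromXML(accepted);
        System.out.println("accepted: " + order.id + " x" + order.quantity);

        // Constructed sample document naming a type outside the allowlist.
        // With the deny-all baseline this is refused before any instance is created.
        String rejected = "<java.util.HashMap/>";
        try {
            xstream.fromXML(rejected);
            System.out.println("unexpected: document was accepted");
        } catch (ForbiddenClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The point for the backport discussion is that an application configured this way behaves the same whether or not the library's own default is a blacklist or an allowlist, which is why option 1) in the mail rests on applications following this practice; an application that has never called these methods is exactly the one a default change would affect.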