Debian Security Advisory
DLA-2507-1 libxstream-java -- LTS security update
- Date Reported:
- 31 Dec 2020
- Affected Packages:
- libxstream-java
- Vulnerable:
- Yes
- Security database references:
- In the Debian bugtracking system: Bug 977625, Bug 977624.
In Mitre's CVE dictionary: CVE-2020-26258, CVE-2020-26259. - More information:
-
Several security vulnerabilities were discovered in XStream, a Java library to serialize objects to XML and back again.
- CVE-2020-26258
XStream is vulnerable to a Server-Side Forgery Request which can be activated when unmarshalling. The vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream.
- CVE-2020-26259
Xstream is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling. The vulnerability may allow a remote attacker to delete arbitrary known files on the host as long as the executing process has sufficient rights only by manipulating the processed input stream.
For Debian 9 stretch, these problems have been fixed in version 1.4.11.1-1+deb9u1.
We recommend that you upgrade your libxstream-java packages.
For the detailed security status of libxstream-java please refer to its security tracker page at: https://security-tracker.debian.org/tracker/libxstream-java
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
- CVE-2020-26258