Debian Security Advisory
DLA-2507-1 libxstream-java -- LTS security update
- Date Reported:
- 31 Dec 2020
- Affected Packages:
- Security database references:
- In the Debian bugtracking system: Bug 977625, Bug 977624.
In Mitre's CVE dictionary: CVE-2020-26258, CVE-2020-26259.
- More information:
Several security vulnerabilities were discovered in XStream, a Java library to serialize objects to XML and back again.
XStream is vulnerable to a Server-Side Forgery Request which can be activated when unmarshalling. The vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream.
Xstream is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling. The vulnerability may allow a remote attacker to delete arbitrary known files on the host as long as the executing process has sufficient rights only by manipulating the processed input stream.
For Debian 9 stretch, these problems have been fixed in version 18.104.22.168-1+deb9u1.
We recommend that you upgrade your libxstream-java packages.
For the detailed security status of libxstream-java please refer to its security tracker page at: https://security-tracker.debian.org/tracker/libxstream-java
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS