Debian Security Advisory
DLA-3267-1 libxstream-java -- LTS security update
- Date Reported:
- 11 Jan 2023
- Affected Packages:
- Security database references:
- In the Debian bugtracking system: Bug 1027754.
In Mitre's CVE dictionary: CVE-2022-41966.
- More information:
XStream serializes Java objects to XML and back again. Versions prior to 18.104.22.168-1+deb10u4 may allow a remote attacker to terminate the application with a stack overflow error, resulting in a denial of service only via manipulation of the processed input stream. The attack uses the hash code implementation for collections and maps to force recursive hash calculation causing a stack overflow. This update handles the stack overflow and raises an InputManipulationException instead.
For Debian 10 buster, this problem has been fixed in version 22.214.171.124-1+deb10u4.
We recommend that you upgrade your libxstream-java packages.
For the detailed security status of libxstream-java please refer to its security tracker page at: https://security-tracker.debian.org/tracker/libxstream-java
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS