Debian Security Advisory

DLA-3267-1 libxstream-java -- LTS security update

Date Reported:
11 Jan 2023
Affected Packages:
Security database references:
In the Debian bugtracking system: Bug 1027754.
In Mitre's CVE dictionary: CVE-2022-41966.
More information:

XStream serializes Java objects to XML and back again. Versions prior to may allow a remote attacker to terminate the application with a stack overflow error, resulting only in a denial of service, by manipulating the processed input stream. The attack uses the hash code implementation for collections and maps to force recursive hash calculation, which causes a stack overflow. This update handles the stack overflow and raises an InputManipulationException instead.
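The following is an added example, not code from the advisory or from the XStream project, showing how an application consuming untrusted XML can confine XStream to the expected types and turn the InputManipulationException raised by the fixed version into a clean rejection; the Ticket class and the sample document are constructed for illustration, and a libxstream-java version that ships InputManipulationException is assumed.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.InputManipulationException;

public class SafeUnmarshal {
    // Hypothetical application type that the input is expected to contain.
    public static class Ticket {
        public String id;
        public int priority;
    }

    // Restrict XStream to the types the application actually expects and
    // convert any rejected or manipulated input into a plain refusal.
    public static Ticket parseTicket(String untrustedXml) {
        XStream xstream = new XStream();
        xstream.allowTypes(new Class[] { Ticket.class });
        xstream.alias("ticket", Ticket.class);
        try {
            return (Ticket) xstream.fromXML(untrustedXml);
        } catch (InputManipulationException e) {
            // Raised by the fixed version instead of a StackOverflowError when
            // the input tries to force recursive hash calculation.
            throw new IllegalArgumentException("rejected manipulated input", e);
        } catch (ForbiddenClassException e) {
            // A type outside the allowlist was referenced in the document.
            throw new IllegalArgumentException("rejected disallowed type", e);
        } catch (XStreamException e) {
            // Any other parse or conversion failure.
            throw new IllegalArgumentException("malformed input", e);
        }
    }

    public static void main(String[] args) {
        // Constructed sample input for demonstration.
        String xml = "<ticket><id>T-42</id><priority>2</priority></ticket>";
        Ticket t = parseTicket(xml);
        System.out.println(t.id + " priority " + t.priority);
    }
}
```

Logging the cause of each IllegalArgumentException at the call site gives a detection signal for inputs that trigger the manipulation check.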

For Debian 10 buster, this problem has been fixed in version

We recommend that you upgrade your libxstream-java packages.

For the detailed security status of libxstream-java please refer to its security tracker page at:

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: