Security Information / 2023 / Security Information -- DSA-5315-1 libxstream-java

Debian Security Advisory

DSA-5315-1 libxstream-java -- security update

Date Reported:

11 Jan 2023

Affected Packages:

libxstream-java

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 1027754.
In Mitre's CVE dictionary: CVE-2022-41966.

More information:

XStream serializes Java objects to XML and back again. Versions prior to 1.4.15-3+deb11u2 may allow a remote attacker to terminate the application with a stack overflow error, resulting in a denial of service only via manipulation of the processed input stream. The attack uses the hash code implementation for collections and maps to force recursive hash calculation causing a stack overflow. This update handles the stack overflow and raises an InputManipulationException instead.

For the stable distribution (bullseye), this problem has been fixed in version 1.4.15-3+deb11u2.

We recommend that you upgrade your libxstream-java packages.

For the detailed security status of libxstream-java please refer to its security tracker page at: https://security-tracker.debian.org/tracker/libxstream-java