libxstream-java 1.4.20-1 source package in Ubuntu

Changelog

libxstream-java (1.4.20-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 1.4.20.
    - Fix CVE-2022-41966: (Closes: #1027754)
      XStream serializes Java objects to XML and back again. Versions prior to
      1.4.20 may allow a remote attacker to terminate the application with a
      stack overflow error, resulting in a denial of service only via
      manipulation of the processed input stream. The attack uses the hash code
      implementation for collections and maps to force recursive hash
      calculation causing a stack overflow. This issue is patched in version
      1.4.20 which handles the stack overflow and raises an
      InputManipulationException instead. A potential workaround for users who
      only use HashMap or HashSet and whose XML refers to these only as default
      map or set, is to change the default implementation of java.util.Map and
      java.util per the code example in the referenced advisory. However, this
      implies that your application does not care about the implementation of
      the map and all elements are comparable.
  * Declare compliance with Debian Policy 4.6.2.

 -- Markus Koschany <email address hidden>  Wed, 11 Jan 2023 13:15:53 +0100

Upload details

Uploaded by: Debian Java Maintainers
Uploaded to: Sid
Original maintainer: Debian Java Maintainers
Architectures: all
Section: java
Urgency: Medium Urgency

Publishing

Series  Pocket   Published  Component  Section
Mantic  release             universe   libs
Lunar   release             universe   libs

Builds

Lunar: [FULLYBUILT] amd64

Downloads

File Size SHA-256 Checksum
libxstream-java_1.4.20-1.dsc 2.5 KiB 45fe7d2faf7eb088c808130beb923dc1770a2c32a0a65d5676c89aeedff3d7f4
libxstream-java_1.4.20.orig.tar.xz 467.4 KiB 79985cf8b48d63947f2958f76a4e0825320004ac5984347b47c4aec384ca3bd3
libxstream-java_1.4.20-1.debian.tar.xz 17.9 KiB 2e23738e32b6db5dbb2511781d6a4ee26163ec810185b9f24d8fb4d88122758f

Available diffs

No changes file available.

Binary packages built by this source

libxstream-java: Java library to serialize objects to XML and back again

 The features of the XStream library are:
  - Ease of use. A high level facade is supplied that simplifies common
    use cases.
  - No mappings required. Most objects can be serialized without need
    for specifying mappings.
  - Performance. Speed and low memory footprint are a crucial part of
    the design, making it suitable for large object graphs or systems
    with high message throughput.
  - Clean XML. No information is duplicated that can be obtained via
    reflection. This results in XML that is easier to read for humans
    and more compact than native Java serialization.
  - Requires no modifications to objects. Serializes internal fields,
    including private and final. Supports non-public and inner classes.
    Classes are not required to have default constructor.
  - Full object graph support. Duplicate references encountered in the
    object-model will be maintained. Supports circular references.
  - Integrates with other XML APIs. By implementing an interface,
    XStream can serialize directly to/from any tree structure (not just
    XML).
  - Customizable conversion strategies. Strategies can be registered
    allowing customization of how particular types are represented as
    XML.
  - Error messages. When an exception occurs due to malformed XML,
    detailed diagnostics are provided to help isolate and fix the
    problem.
  - Alternative output format. The modular design allows other output
    formats. XStream ships currently with JSON support and morphing.