Merge updates from debian/buster-security

libxstream-java (1.4.11.1-1+deb10u2) buster-security; urgency=high

  • Team upload.
  • Fix CVE-2020-26258: XStream is vulnerable to a Server-Side Forgery Request which can be activated when unmarshalling. The vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream.
  • Fix CVE-2020-26259: XStream is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling. The vulnerability may allow a remote attacker to delete arbitrary known files on the host as long as the executing process has sufficient rights only by manipulating the processed input stream.

libxstream-java (1.4.11.1-1+deb10u1) buster-security; urgency=high

  • Team upload.
  • Fix CVE-2020-26217: It was found that XStream is vulnerable to Remote Code Execution. The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Users who rely on blocklists are affected (the default in Debian). We strongly recommend using the whitelist approach of XStream's Security Framework because there are likely more class combinations the blacklist approach may not address.
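
As an added example (not part of the Debian changelog or the XStream project's own code), this is the whitelist configuration the entry above recommends, built with XStream's Security Framework API; the `Order` class, the `com.example.model` package and the sample documents are assumed placeholders:

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowlistExample {

    // Hypothetical application type that the input is actually expected to carry.
    public static class Order {
        String id;
        int quantity;
    }

    // Replace XStream's default blocklist with an explicit allowlist:
    // everything is forbidden unless a later permission allows it.
    public static XStream allowlistedXStream() {
        XStream xstream = new XStream();
        xstream.addPermission(NoTypePermission.NONE);              // forbid all types ...
        xstream.addPermission(NullPermission.NULL);                // ... except null,
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES); // primitives,
        xstream.allowTypes(new Class[]{String.class, Order.class}); // our own types,
        // and an assumed application model package (placeholder name).
        xstream.allowTypesByWildcard(new String[]{"com.example.model.**"});
        xstream.alias("order", Order.class);
        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = allowlistedXStream();

        // Constructed sample document that uses only allowlisted types: parses normally.
        Order order = (Order) xstream.fromXML(
                "<order><id>A-17</id><quantity>3</quantity></order>");
        System.out.println("parsed order " + order.id + " x" + order.quantity);

        // Constructed sample document naming a type that is not on the allowlist.
        // A blocklist only helps if it already knows about that type; the allowlist
        // rejects any unexpected type before an instance is ever created.
        try {
            xstream.fromXML("<java.util.HashMap/>");
        } catch (ForbiddenClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

With the allowlist in place, the decision no longer depends on the blocklist being complete, which is the gap the changelog entry warns about.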
