Package: libxstream-java
Version: 1.4.15-3
Severity: important
X-Debbugs-Cc: alex.thiessen.de+deb...@gmail.com
Dear Maintainer,

* What led up to the situation?

Package installed, the machine scanned by the IT department and found vulnerable to a set of CVEs. According to https://x-stream.github.io/security.html, it's:

- CVE-2021-39139 XStream is vulnerable to an Arbitrary Code Execution attack.
- CVE-2021-39140 XStream can cause a Denial of Service.
- CVE-2021-39141 XStream is vulnerable to an Arbitrary Code Execution attack.
- CVE-2021-39144 XStream is vulnerable to a Remote Command Execution attack.
- CVE-2021-39145 XStream is vulnerable to an Arbitrary Code Execution attack.
- CVE-2021-39146 XStream is vulnerable to an Arbitrary Code Execution attack.
- CVE-2021-39147 XStream is vulnerable to an Arbitrary Code Execution attack.
- CVE-2021-39148 XStream is vulnerable to an Arbitrary Code Execution attack.
- CVE-2021-39149 XStream is vulnerable to an Arbitrary Code Execution attack.
- CVE-2021-39150 A Server-Side Forgery Request can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host.
- CVE-2021-39151 XStream is vulnerable to an Arbitrary Code Execution attack.
- CVE-2021-39152 A Server-Side Forgery Request can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host.
- CVE-2021-39153 XStream is vulnerable to an Arbitrary Code Execution attack.
- CVE-2021-39154 XStream is vulnerable to an Arbitrary Code Execution attack.

* What exactly did you do (or not do) that was effective (or ineffective)?

Checked Debian website for security fixes of the package. Checked the changelog to see if the CVEs were fixed by a patch.

* What was the outcome of this action?

No newer version with CVEs fixed available for Debian stable to install out of the box.

* What outcome did you expect instead?

A package with the CVEs fixed.
-- System Information:
Debian Release: 11.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-9-amd64 (SMP w/12 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

Versions of packages libxstream-java depends on:
ii  libxpp3-java  1.1.4c-3

libxstream-java recommends no packages.

Versions of packages libxstream-java suggests:
pn  libcglib-nodep-java  <none>
pn  libdom4j-java        <none>
pn  libjdom1-java        <none>
pn  libjdom2-java        <none>
pn  libjettison-java     <none>
pn  libjoda-time-java    <none>
pn  libkxml2-java        <none>
pn  libwoodstox-java     <none>
pn  libxom-java          <none>

-- no debconf information
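As an added example (not part of the bug report or of the Debian package), the reporter's changelog check done mechanically: a Python script that implements dpkg's version ordering and lists which of the CVEs above no changelog entry at or below the installed version mentions. The changelog fragment, the `+deb11u1` version and its entry text are constructed placeholders, not real Debian uploads; feed it the output of `apt-get changelog libxstream-java` for a real check.

```python
import re
# The 14 XStream CVE ids listed in the report (39142 and 39143 are not among them).
XSTREAM_CVES = ["CVE-2021-%d" % n for n in range(39139, 39155) if n not in (39142, 39143)]

def _order(c):
    """dpkg character weight: '~' < end-of-string or digit < letters < other symbols."""
    return -1 if c == "~" else 0 if c == "" or c.isdigit() else ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    """dpkg's comparison of two upstream-version (or two revision) strings."""
    i = j = 0
    while i < len(a) or j < len(b):
        diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = (_order(a[i]) if i < len(a) else 0), (_order(b[j]) if j < len(b) else 0)
            if ac != bc: return ac - bc
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == "0": i += 1      # leading zeros are insignificant
        while j < len(b) and b[j] == "0": j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            diff = diff or int(a[i]) - int(b[j])     # first differing digit decides...
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit(): return 1   # ...unless one number has more digits
        if j < len(b) and b[j].isdigit(): return -1
        if diff: return diff
    return 0

def deb_version_cmp(v1, v2):
    """Sign agrees with `dpkg --compare-versions` on [epoch:]upstream[-revision]."""
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "0")
        return int(epoch), upstream, rev
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    return (e1 - e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)

def unfixed_cves(installed, changelog, cves=XSTREAM_CVES):
    """CVE ids that no changelog entry at or below the installed version mentions."""
    # Split on headers "pkg (version) dist; ..." -> [preamble, pkg, version, body, pkg, version, body, ...]
    parts = re.split(r"^(\S+) \(([^)]+)\) ", changelog, flags=re.M)
    fixed = set()
    for k in range(1, len(parts), 3):
        if deb_version_cmp(parts[k + 1], installed) <= 0:
            fixed.update(c for c in cves if c in parts[k + 2])
    return [c for c in cves if c not in fixed]

# Constructed changelog fragment; the +deb11u1 entry and its contents are hypothetical.
SAMPLE_CHANGELOG = """\
libxstream-java (1.4.15-3+deb11u1) bullseye-security; urgency=high
  * Hypothetical entry: backport fixes for CVE-2021-39139 and CVE-2021-39140.
libxstream-java (1.4.15-3) unstable; urgency=medium
  * Hypothetical entry with no CVE references.
"""
```

With the installed version from the report, `unfixed_cves("1.4.15-3", SAMPLE_CHANGELOG)` returns all 14 ids, because the only entry that names any CVE is newer than what is installed.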