Your message dated Fri, 18 Dec 2020 21:49:45 +0000
with message-id <e1kqndb-0009rv...@fasolo.debian.org>
and subject line Bug#977624: fixed in libxstream-java 1.4.15-1
has caused the Debian Bug report #977624,
regarding libxstream-java: CVE-2020-26259: XStream is vulnerable to an 
Arbitrary File Deletion on the local host when unmarshalling 
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
977624: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=977624
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libxstream-java
Version: 1.4.14-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 1.4.11.1-1+deb10u1
Control: found -1 1.4.11.1-1

Hi,

The following vulnerability was published for libxstream-java.

CVE-2020-26259[0]:
| XStream is a Java library to serialize objects to XML and back again.
| XStream before version 1.4.15 is vulnerable to an Arbitrary File
| Deletion on the local host when unmarshalling. The vulnerability may
| allow a remote attacker to delete arbitrary known files on the host as
| long as the executing process has sufficient rights only by
| manipulating the processed input stream. If you rely on XStream's
| default blacklist of the Security Framework, you will have to use at
| least version 1.4.15. The reported vulnerability does not exist
| running Java 15 or higher. No user is affected, who followed the
| recommendation to setup XStream's Security Framework with a whitelist!
| Anyone relying on XStream's default blacklist can immediately switch
| to a whitelist for the allowed types to avoid the vulnerability. Users
| of XStream 1.4.14 or below who still want to use XStream default
| blacklist can use a workaround described in more detail in the
| referenced advisories.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-26259
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26259
[1] https://github.com/x-stream/xstream/security/advisories/GHSA-jfvx-7wrx-43fh
[2] https://x-stream.github.io/CVE-2020-26259.html

Regards,
Salvatore

--- End Message ---
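The whitelist setup of XStream's Security Framework that the advisory recommends, as an added Java example that is not part of the bug report or of the XStream project; the `Order` model class and the `com.example.model` package name are placeholders for an application's own types:

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class AllowlistedXStream {

    // Placeholder model class standing in for the application's own data types.
    public static class Order {
        public String id;
        public int quantity;
    }

    public static XStream create() {
        XStream xstream = new XStream();
        // NoTypePermission.NONE clears every permission registered so far, including the
        // default blacklist, so that nothing can be unmarshalled unless listed below.
        xstream.addPermission(NoTypePermission.NONE);
        // Re-admit only what the model genuinely needs: null, primitives and a few classes.
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { String.class, Order.class });
        // Alternatively allow a whole model package (placeholder package name):
        // xstream.allowTypesByWildcard(new String[] { "com.example.model.**" });
        xstream.alias("order", Order.class);
        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = create();

        // Constructed sample document using only allowlisted types: accepted.
        Order order = (Order) xstream.fromXML(
                "<order><id>A-1</id><quantity>3</quantity></order>");
        System.out.println("parsed order " + order.id + " x" + order.quantity);

        // Any type absent from the allowlist is refused before an instance is created,
        // which is what removes the need to keep chasing the blacklist in each release.
        try {
            xstream.fromXML("<java.util.HashMap/>");
            System.out.println("unexpected: HashMap was accepted");
        } catch (ForbiddenClassException e) {
            System.out.println("refused: " + e.getMessage());
        }
    }
}
```

Run against the XStream jar on the classpath; the first call prints the parsed order and the second reports the refused class.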
--- Begin Message ---
Source: libxstream-java
Source-Version: 1.4.15-1
Done: Markus Koschany <a...@debian.org>

We believe that the bug you reported is fixed in the latest version of
libxstream-java, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 977...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <a...@debian.org> (supplier of updated libxstream-java package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Format: 1.8
Date: Fri, 18 Dec 2020 01:51:35 +0100
Source: libxstream-java
Architecture: source
Version: 1.4.15-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@debian.org>
Closes: 977624 977625
Changes:
 libxstream-java (1.4.15-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream version 1.4.15. (Closes: #977624, #977625)
     - Fix CVE-2020-26258: A Server-Side Forgery Request can be activated
       unmarshalling with XStream to access data streams from an arbitrary URL
       referencing a resource in an intranet or the local host.
     - Fix CVE-2020-26259: XStream is vulnerable to an Arbitrary File Deletion
       on the local host when unmarshalling as long as the executing process has
       sufficient rights.
     Thanks to Salvatore Bonaccorso for the report.
   * Ignore dependency on libjaxws-java.


--- End Message ---