[jira] [Commented] (MPH-174) Upgrade XStream to 1.4.17

Hudson (Jira) Tue, 29 Jun 2021 15:49:11 -0700


    [ 
https://issues.apache.org/jira/browse/MPH-174?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17371730#comment-17371730
 ]


Hudson commented on MPH-174:
----------------------------

Build succeeded in Jenkins: Maven » Maven TLP » maven-help-plugin » master #38

See 
https://ci-builds.apache.org/job/Maven/job/maven-box/job/maven-help-plugin/job/master/38/

> Upgrade XStream to 1.4.17
> -------------------------
>
>                 Key: MPH-174
>                 URL: https://issues.apache.org/jira/browse/MPH-174
>             Project: Maven Help Plugin
>          Issue Type: Dependency upgrade
>            Reporter: Sylwester Lachiewicz
>            Assignee: Sylwester Lachiewicz
>            Priority: Major
>             Fix For: 3.3.0
>
>
> h1. 1.4.17
> Released May 13, 2021.
> This maintenance release addresses the security vulnerability 
> [CVE-2021-29505|http://x-stream.github.io/CVE-2021-29505.html], when 
> unmarshalling with XStream instances using an uninitialized security 
> framework.
> h2. Stream compatibility
>  * The following types are now blacklisted by default and the deserialization 
> of XML containing one of the two types will fail. You will have to enable 
> these types by explicit configuration, if you need them:
>  ** any type in the java.rmi.* and sun.rmi.* package hierarchies
>  ** the individual type com.sun.jndi.toolkit.dir.LazySearchEnumerationImpl
> h1. 1.4.16
> Released March 13, 2021.
> This maintenance release switches XStream's default parser and addresses 
> following security vulnerabilities, when unmarshalling with an XStream 
> instances using an uninitialized security framework.
>  * [CVE-2021-21341|http://x-stream.github.io/CVE-2021-21341.html]
>  * [CVE-2021-21342|http://x-stream.github.io/CVE-2021-21342.html]
>  * [CVE-2021-21343|http://x-stream.github.io/CVE-2021-21343.html]
>  * [CVE-2021-21344|http://x-stream.github.io/CVE-2021-21344.html]
>  * [CVE-2021-21345|http://x-stream.github.io/CVE-2021-21345.html]
>  * [CVE-2021-21346|http://x-stream.github.io/CVE-2021-21346.html]
>  * [CVE-2021-21347|http://x-stream.github.io/CVE-2021-21347.html]
>  * [CVE-2021-21348|http://x-stream.github.io/CVE-2021-21348.html]
>  * [CVE-2021-21349|http://x-stream.github.io/CVE-2021-21349.html]
>  * [CVE-2021-21350|http://x-stream.github.io/CVE-2021-21350.html]
>  * [CVE-2021-21351|http://x-stream.github.io/CVE-2021-21351.html]
> h2. Major changes
>  * Switch from Xpp3 as default parser to MXParser, a fork of Xpp3.
> h2. Minor changes
>  * [#238|https://github.com/x-stream/xstream/issues/238]: Fix possibility to 
> process references on enum types at deserialization.
>  * [#237|https://github.com/x-stream/xstream/issues/237]: Fix optimization in 
> XmlFriendlyNameCoder.
> h2. Stream compatibility
>  * The following types are now blacklisted by default and the deserialization 
> of XML containing one of the two types will fail. You will have to enable 
> these types by explicit configuration, if you need them:
>  ** the type hierarchies for java.io.InputStream, java.nio.channels.Channel, 
> javax.activation.DataSource and javax.sql.rowsel.BaseRowSet
>  ** the individual types com.sun.corba.se.impl.activation.ServerTableEntry, 
> com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator,
>  sun.awt.datatransfer.DataTransferer$IndexOrderComparator, and 
> sun.swing.SwingLazyValue
>  ** the individual types com.sun.corba.se.impl.activation.ServerTableEntry, 
> com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator,
>  sun.awt.datatransfer.DataTransferer$IndexOrderComparator, and 
> sun.swing.SwingLazyValue
>  ** the internal type Accessor$GetterSetterReflection of JAXB, the internal 
> types MethodGetter$PrivilegedGetter and ServiceFinder$ServiceNameIterator of 
> JAX-WS
>  ** all inner classes of javafx.collections.ObservableList
>  ** an internal ClassLoader used in a private copy of BCEL within the Java 
> runtime
> h2. Dependencies
> The default parser of XStream has changed from the Xpp3Parser in artifact 
> xpp3:xpp3_min to MXParser, a fork of Xpp3 in the artifact 
> io.github.x-stream:mxparser. The Xpp3 is unmaintained for a long time, bugs 
> have been fixed reported more than a decade ago, improvements by other forks 
> have been incorporated and some endless loops have been fixed, that could 
> have been utilized as DoS attack.
> XStream has therefore new default dependencies. If you have used XStream with 
> the default driver (i.e. Xpp3), you can still exchange the XStream library 
> for a drop-in replacement, but you will also have to remove the Xpp3 and add 
> the MXParser library instead.
> For build time you will have to add the Xpp3 library to your dependencies, if 
> you made explicitly use of the Xpp3 driver. If you did explicitly use a 
> different driver than Xpp3 and had therefore excluded the Xpp3 dependency, 
> you might have to exclude now the new MXParser dependency instead to minimize 
> your dependency list.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Commented] (MPH-174) Upgrade XStream to 1.4.17

Reply via email to