[ https://issues.apache.org/jira/browse/MPH-174?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17371730#comment-17371730 ]

Hudson commented on MPH-174:
----------------------------

Build succeeded in Jenkins: Maven » Maven TLP » maven-help-plugin » master #38

See https://ci-builds.apache.org/job/Maven/job/maven-box/job/maven-help-plugin/job/master/38/

> Upgrade XStream to 1.4.17
> -------------------------
>
>                 Key: MPH-174
>                 URL: https://issues.apache.org/jira/browse/MPH-174
>             Project: Maven Help Plugin
>          Issue Type: Dependency upgrade
>            Reporter: Sylwester Lachiewicz
>            Assignee: Sylwester Lachiewicz
>            Priority: Major
>             Fix For: 3.3.0
>
>
> h1. 1.4.17
>
> Released May 13, 2021.
>
> This maintenance release addresses the security vulnerability [CVE-2021-29505|http://x-stream.github.io/CVE-2021-29505.html], when unmarshalling with XStream instances using an uninitialized security framework.
>
> h2. Stream compatibility
>
> * The following types are now blacklisted by default and the deserialization of XML containing one of the two types will fail. You will have to enable these types by explicit configuration, if you need them:
> ** any type in the java.rmi.* and sun.rmi.* package hierarchies
> ** the individual type com.sun.jndi.toolkit.dir.LazySearchEnumerationImpl
>
> h1. 1.4.16
>
> Released March 13, 2021.
>
> This maintenance release switches XStream's default parser and addresses the following security vulnerabilities, when unmarshalling with XStream instances using an uninitialized security framework.
>
> * [CVE-2021-21341|http://x-stream.github.io/CVE-2021-21341.html]
> * [CVE-2021-21342|http://x-stream.github.io/CVE-2021-21342.html]
> * [CVE-2021-21343|http://x-stream.github.io/CVE-2021-21343.html]
> * [CVE-2021-21344|http://x-stream.github.io/CVE-2021-21344.html]
> * [CVE-2021-21345|http://x-stream.github.io/CVE-2021-21345.html]
> * [CVE-2021-21346|http://x-stream.github.io/CVE-2021-21346.html]
> * [CVE-2021-21347|http://x-stream.github.io/CVE-2021-21347.html]
> * [CVE-2021-21348|http://x-stream.github.io/CVE-2021-21348.html]
> * [CVE-2021-21349|http://x-stream.github.io/CVE-2021-21349.html]
> * [CVE-2021-21350|http://x-stream.github.io/CVE-2021-21350.html]
> * [CVE-2021-21351|http://x-stream.github.io/CVE-2021-21351.html]
>
> h2. Major changes
>
> * Switch from Xpp3 as default parser to MXParser, a fork of Xpp3.
>
> h2. Minor changes
>
> * [#238|https://github.com/x-stream/xstream/issues/238]: Fix possibility to process references on enum types at deserialization.
> * [#237|https://github.com/x-stream/xstream/issues/237]: Fix optimization in XmlFriendlyNameCoder.
>
> h2. Stream compatibility
>
> * The following types are now blacklisted by default and the deserialization of XML containing one of the two types will fail. You will have to enable these types by explicit configuration, if you need them:
> ** the type hierarchies for java.io.InputStream, java.nio.channels.Channel, javax.activation.DataSource and javax.sql.rowset.BaseRowSet
> ** the individual types com.sun.corba.se.impl.activation.ServerTableEntry, com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator, sun.awt.datatransfer.DataTransferer$IndexOrderComparator, and sun.swing.SwingLazyValue
> ** the internal type Accessor$GetterSetterReflection of JAXB, the internal types MethodGetter$PrivilegedGetter and ServiceFinder$ServiceNameIterator of JAX-WS
> ** all inner classes of javafx.collections.ObservableList
> ** an internal ClassLoader used in a private copy of BCEL within the Java runtime
>
> h2. Dependencies
>
> The default parser of XStream has changed from the Xpp3Parser in artifact xpp3:xpp3_min to MXParser, a fork of Xpp3 in the artifact io.github.x-stream:mxparser. Xpp3 has been unmaintained for a long time; bugs reported more than a decade ago have been fixed, improvements by other forks have been incorporated, and some endless loops that could have been utilized for a DoS attack have been fixed.
>
> XStream therefore has new default dependencies. If you have used XStream with the default driver (i.e. Xpp3), you can still exchange the XStream library for a drop-in replacement, but you will also have to remove the Xpp3 and add the MXParser library instead.
>
> For build time you will have to add the Xpp3 library to your dependencies, if you made explicit use of the Xpp3 driver. If you did explicitly use a different driver than Xpp3 and had therefore excluded the Xpp3 dependency, you might now have to exclude the new MXParser dependency instead to minimize your dependency list.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
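The release notes above apply only to XStream instances "using an uninitialized security framework"; explicitly initializing that framework with an allowlist is the configuration they refer to. The following is an added example, not code from the ticket or from the Maven Help Plugin: it assumes XStream 1.4.17 on the classpath, and PluginReport plus the com.example.report package are hypothetical application types.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

import java.util.Collection;
import java.util.List;

public class XStreamSecurityExample {

    /** Hypothetical application payload type (not from the ticket). */
    public static final class PluginReport {
        public String pluginName;
        public List<String> goals;
    }

    /** Builds an XStream instance whose security framework is initialized explicitly. */
    public static XStream secureXStream() {
        XStream xstream = new XStream();              // default driver is MXParser since 1.4.16
        // Start from an empty allowlist: deny every type, then re-allow only what this app needs.
        xstream.addPermission(NoTypePermission.NONE);
        xstream.addPermission(NullPermission.NULL);             // the <null/> marker
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { String.class, PluginReport.class });
        xstream.allowTypeHierarchy(Collection.class);           // List<String> above
        xstream.allowTypesByWildcard(new String[] { "com.example.report.**" }); // hypothetical package
        xstream.alias("report", PluginReport.class);
        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = secureXStream();

        // Constructed sample document that uses only allowed types.
        String ok = "<report><pluginName>maven-help-plugin</pluginName>"
                  + "<goals><string>describe</string></goals></report>";
        PluginReport report = (PluginReport) xstream.fromXML(ok);
        System.out.println(report.pluginName + " " + report.goals);

        // Any type outside the allowlist is refused by the mapper before an
        // object is instantiated, regardless of the built-in default blacklist.
        String notAllowed = "<java.util.Date>0</java.util.Date>";
        try {
            xstream.fromXML(notAllowed);
        } catch (ForbiddenClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The default blacklist described in the release notes still applies, but with an allowlist in place the upgrade becomes defence in depth rather than the only line of protection.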