
A libxstream-java security update has been released for Debian GNU/Linux 8 Extended LTS to address an issue where a remote attacker can execute commands on the host merely by manipulating the input stream that XStream processes.



ELA-455-1 libxstream-java security update

Package libxstream-java
Version 1.4.11.1-1+deb8u3
Related CVEs CVE-2021-29505

A vulnerability in XStream, a Java library to serialize objects to and from XML, may allow a remote attacker to execute commands on the host merely by manipulating the input stream that XStream processes.

Note: the XStream project recommends setting up its security framework with a whitelist limited to the minimal set of required types, rather than relying on the blacklist (which was updated to address this vulnerability). Because the blacklist can only ever cover gadget classes that are already known, the project is also phasing out maintenance of it; see https://x-stream.github.io/security.html .
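The following is an added example, not code from the Debian advisory or from the XStream project, showing what the recommended whitelist configuration looks like in practice. It assumes xstream 1.4.11.1 or later on the classpath; the Person class, the "person" alias and the two XML payloads are constructed for the example.

```java
// Added example (not part of the Debian advisory or the XStream project): configure
// XStream's security framework as a whitelist so that XML naming any class outside
// the allowed set is refused before an instance of it is created.
// Assumes xstream 1.4.11.1 or later on the classpath; Person and the payloads are
// hypothetical.
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

import java.util.Collection;

public class XStreamWhitelistExample {

    // The only application type we intend to accept from untrusted input.
    public static class Person {
        String name;
        int age;
        Person() {}
        Person(String name, int age) { this.name = name; this.age = age; }
    }

    // Build an XStream instance that starts from "deny everything" and then
    // re-enables only what this application's data model needs.
    static XStream hardenedXStream() {
        XStream xstream = new XStream();
        // Discard the default (blacklist-based) permissions. From here on, a type
        // that is not explicitly allowed is forbidden.
        xstream.addPermission(NoTypePermission.NONE);
        // Nulls and the Java primitives plus their wrapper classes are needed by
        // almost every document.
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        // PRIMITIVES does not cover String, so allow it together with our own type.
        xstream.allowTypes(new Class[] { String.class, Person.class });
        // Collections of the allowed types are acceptable as well.
        xstream.allowTypeHierarchy(Collection.class);
        // Shorter element name for our type in the XML.
        xstream.alias("person", Person.class);
        return xstream;
    }

    // Try to deserialize and report what happened instead of letting the
    // exception escape, so both outcomes are visible in one run.
    static String tryDeserialize(XStream xstream, String xml) {
        try {
            Object o = xstream.fromXML(xml);
            return "accepted: " + o.getClass().getName();
        } catch (ForbiddenClassException e) {
            // Raised by the security framework for a type outside the whitelist.
            return "rejected by whitelist: " + e.getMessage();
        } catch (XStreamException e) {
            // Any other unmarshalling failure (malformed XML, conversion error).
            return "failed: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        XStream xstream = hardenedXStream();

        // Legitimate payload (constructed): the whitelisted type.
        String good = "<person><name>Alice</name><age>30</age></person>";
        System.out.println(tryDeserialize(xstream, good));

        // Hostile payload (constructed): names a JDK class that plays no part in
        // our data model. This is not the CVE-2021-29505 gadget chain, just an
        // illustration that any type outside the whitelist is refused before
        // XStream instantiates it, whatever the blacklist knows about it.
        String bad = "<java.lang.ProcessBuilder>"
                   + "<command><string>id</string></command>"
                   + "</java.lang.ProcessBuilder>";
        System.out.println(tryDeserialize(xstream, bad));
    }
}
```

The important step is the first `addPermission(NoTypePermission.NONE)` call: without it the instance keeps XStream's default permissions, and later `allowTypes` calls only widen that set rather than replacing it with an explicit list. A practical way to find the minimal set for an existing application is to run its test suite against this configuration and add a type only when a `ForbiddenClassException` names it.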

For Debian 8 jessie, these problems have been fixed in version 1.4.11.1-1+deb8u3.

We recommend that you upgrade your libxstream-java packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/
