| Package | libxstream-java |
|---|---|
| Version | 1.4.11.1-1+deb8u6 (jessie), 1.4.11.1-1+deb9u6 (stretch) |
| Related CVEs | CVE-2022-41966 |
XStream serializes Java objects to XML and back again. Versions prior to this update may allow a remote attacker to terminate the application with a stack overflow error, resulting in a denial of service only via manipulation of the processed input stream. The attack uses the hash code implementation for collections and maps to force recursive hash calculation causing a stack overflow. This update handles the stack overflow and raises an InputManipulationException instead.
For Debian 8 jessie, these problems have been fixed in version 1.4.11.1-1+deb8u6.
For Debian 9 stretch, these problems have been fixed in version 1.4.11.1-1+deb9u6.
We recommend that you upgrade your libxstream-java packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.