ELA-771-1 libxstream-java security update

denial of service

Version1.4.11.1-1+deb8u6 (jessie), (stretch)
Related CVEs CVE-2022-41966

XStream serializes Java objects to XML and back again. Versions prior to this update may allow a remote attacker to terminate the application with a stack overflow error, resulting in a denial of service only via manipulation of the processed input stream. The attack uses the hash code implementation for collections and maps to force recursive hash calculation causing a stack overflow. This update handles the stack overflow and raises an InputManipulationException instead.

For Debian 8 jessie, these problems have been fixed in version

For Debian 9 stretch, these problems have been fixed in version

We recommend that you upgrade your libxstream-java packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.