The Debian Extended LTS (ELTS) has released an important security update for the libxstream-java package, which is used for serializing Java objects to XML and vice versa. This update, identified as ELA-1402-1, is applicable to Debian GNU/Linux versions 8 (Jessie) and 10 (Buster).
Key Details:
- Package: libxstream-java
- Versions Updated:
  - Jessie: 1.4.11.1-1+deb8u7
  - Buster: 1.4.11.1-1+deb10u5
- Related CVE: CVE-2024-47072
Vulnerability Description:
The vulnerability allows a remote attacker to trigger a stack overflow in XStream, resulting in a denial of service, when the library is configured to use the BinaryStreamDriver and the input stream has been manipulated. The patch adds a check that detects such manipulation of the binary input stream, preventing the overflow and raising an `InputManipulationException` so that the application can reject the input and developers are alerted to the attempt.
Extended Information:
Users and system administrators running Debian Jessie or Buster should update the libxstream-java package promptly to mitigate the risk associated with this vulnerability. Regularly applying security updates, especially for libraries that handle data serialization, is essential for maintaining the integrity and availability of applications. Users are encouraged to monitor the Debian Security Announcements for further updates and to review their systems for any other vulnerable packages that may require attention.
Libxstream-java update for Debian ELTS
Updated libxstream-java packages are now available for Debian GNU/Linux 8 (Jessie) and 10 (Buster) Extended LTS:
ELA-1402-1 libxstream-java security update
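As an added example (not part of the Debian advisory or the XStream project), the following Java class shows how an application using the BinaryStreamDriver should consume untrusted binary input once the ELA-1402-1 fix is installed: it restricts deserialization to an allowlist of types and handles the `InputManipulationException` the patched library raises instead of letting a stack overflow take the service down. The `Ticket` payload type and the `BinaryInputHandler` class name are hypothetical, and the `InputManipulationException` class is assumed to be available from the patched libxstream-java package.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;

import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.io.binary.BinaryStreamDriver;
import com.thoughtworks.xstream.security.InputManipulationException;
import com.thoughtworks.xstream.security.NoTypePermission;

public class BinaryInputHandler {

    // Hypothetical payload type, present only so the example has something to round-trip.
    public static final class Ticket {
        String id;
        String owner;
    }

    private final XStream xstream = new XStream(new BinaryStreamDriver());

    public BinaryInputHandler() {
        // Deny everything first, then allow only the types this application expects;
        // older XStream releases otherwise fall back to an implicit "allow any type".
        xstream.addPermission(NoTypePermission.NONE);
        xstream.allowTypes(new Class[] { Ticket.class, String.class });
    }

    // Serialises with the binary driver; used here only to produce well-formed sample input.
    public byte[] encode(Ticket t) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        xstream.toXML(t, out);
        return out.toByteArray();
    }

    // Deserialises untrusted binary input. With the ELA-1402-1 fix applied, a manipulated
    // stream surfaces as InputManipulationException instead of an uncaught StackOverflowError.
    public Ticket decode(byte[] data) {
        try (InputStream in = new ByteArrayInputStream(data)) {
            return (Ticket) xstream.fromXML(in);
        } catch (InputManipulationException e) {
            // Reject the message and record it for detection; the service keeps running.
            System.err.println("rejected manipulated binary stream: " + e.getMessage());
            return null;
        } catch (IOException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

A well-formed message round-trips through `decode(encode(ticket))`, while a manipulated stream is logged and rejected with a `null` result rather than crashing the consumer thread.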