DSA-5315-1 libxstream-java -- libxstream-javaID: oval:org.secpod.oval:def:88454 | Date: (C)2023-03-28 (M)2023-07-03 |
Class: PATCH | Family: unix |
XStream serializes Java objects to XML and back again. Versions prior to 1.4.15-3+deb11u2 may allow a remote attacker to terminate the application with a stack overflow error, resulting in a denial of service only via manipulation of the processed input stream. The attack uses the hash code implementation for collections and maps to force recursive hash calculation causing a stack overflow. This update handles the stack overflow and raises an InputManipulationException instead.