File xstream.changes of Package xstream.19151
-------------------------------------------------------------------
Thu Apr 15 14:31:31 UTC 2021 - Fridrich Strba <fstrba@suse.com>
- Upgrade to 1.4.16
* Security fixes:
+ bsc#1184796, CVE-2021-21351: remote attacker to load and
execute arbitrary code
+ bsc#1184797, CVE-2021-21349: SSRF can lead to a remote
attacker to request data from internal resources
+ bsc#1184380, CVE-2021-21350: arbitrary code execution
+ bsc#1184374, CVE-2021-21348: remote attacker could cause
denial of service by consuming maximum CPU time
+ bsc#1184378, CVE-2021-21347: remote attacker to load and
execute arbitrary code from a remote host
+ bsc#1184375, CVE-2021-21344: remote attacker could load and
execute arbitrary code from a remote host
+ bsc#1184379, CVE-2021-21342: server-side forgery
+ bsc#1184377, CVE-2021-21341: remote attacker could cause a
denial of service by allocating 100% CPU time
+ bsc#1184373, CVE-2021-21346: remote attacker could load and
execute arbitrary code
+ bsc#1184372, CVE-2021-21345: remote attacker with sufficient
rights could execute commands
+ bsc#1184376, CVE-2021-21343: replace or inject objects, that
result in the deletion of files on the local host
- Add patch:
* Revert-MXParser-changes.patch
+ revert changes that would force us to add new dependency
-------------------------------------------------------------------
Mon Jan 18 10:14:56 UTC 2021 - Fridrich Strba <fstrba@suse.com>
- Upgrade to 1.4.15
* fixes bsc#1180146, CVE-2020-26258 and bsc#1180145,
CVE-2020-26259
-------------------------------------------------------------------
Mon Jan 18 09:58:41 UTC 2021 - Fridrich Strba <fstrba@suse.com>
- Upgrade to 1.4.14
* fixes bsc#1180994, CVE-2020-26217
- Remove patches:
* 0001-Prevent-deserialization-of-void.patch
* xstream-1.4.9-javadoc.patch
+ integrated in upstream sources
-------------------------------------------------------------------
Tue Jun 4 08:18:44 UTC 2019 - Fridrich Strba <fstrba@suse.com>
- Initial packaging of xstream 1.4.9
