[Secure-testing-team] Bug#734821: libxstream-java: CVE-2013-7285: remote code execution via deserialization in XStream
Salvatore Bonaccorso
carnil at debian.org
Fri Jan 10 02:51:22 UTC 2014
Package: libxstream-java
Severity: grave
Tags: security upstream
Hi,
the following vulnerability was published for libxstream-java.
CVE-2013-7285[0]:
remote code execution via deserialization in XStream
See also [1] for the original report. [3] contains an initial patch
which was committed.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7285
http://security-tracker.debian.org/tracker/CVE-2013-7285
[1] http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html
[2] http://markmail.org/message/kfqoqdfj5fnup5co?q=list:org.codehaus.xstream.dev&page=3
[3] https://fisheye.codehaus.org/changelog/xstream?cs=2210
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore