Uploaded image for project: 'Maven Help Plugin'
  1. Maven Help Plugin
  2. MPH-174

Upgrade XStream to 1.4.17

Attach filesAttach ScreenshotVotersWatch issueWatchersCreate sub-taskLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

Details

    • Dependency upgrade
    • Status: Closed
    • Major
    • Resolution: Fixed
    • None
    • 3.3.0
    • None
    • None

    Description

      1.4.17

      Released May 13, 2021.

      This maintenance release addresses the security vulnerability CVE-2021-29505, when unmarshalling with XStream instances using an uninitialized security framework.

      Stream compatibility

      • The following types are now blacklisted by default and the deserialization of XML containing one of the two types will fail. You will have to enable these types by explicit configuration, if you need them:
        • any type in the java.rmi.* and sun.rmi.* package hierarchies
        • the individual type com.sun.jndi.toolkit.dir.LazySearchEnumerationImpl

      1.4.16

      Released March 13, 2021.

      This maintenance release switches XStream's default parser and addresses following security vulnerabilities, when unmarshalling with an XStream instances using an uninitialized security framework.

      Major changes

      • Switch from Xpp3 as default parser to MXParser, a fork of Xpp3.

      Minor changes

      • #238: Fix possibility to process references on enum types at deserialization.
      • #237: Fix optimization in XmlFriendlyNameCoder.

      Stream compatibility

      • The following types are now blacklisted by default and the deserialization of XML containing one of the two types will fail. You will have to enable these types by explicit configuration, if you need them:
        • the type hierarchies for java.io.InputStream, java.nio.channels.Channel, javax.activation.DataSource and javax.sql.rowsel.BaseRowSet
        • the individual types com.sun.corba.se.impl.activation.ServerTableEntry, com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator, sun.awt.datatransfer.DataTransferer$IndexOrderComparator, and sun.swing.SwingLazyValue
        • the individual types com.sun.corba.se.impl.activation.ServerTableEntry, com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator, sun.awt.datatransfer.DataTransferer$IndexOrderComparator, and sun.swing.SwingLazyValue
        • the internal type Accessor$GetterSetterReflection of JAXB, the internal types MethodGetter$PrivilegedGetter and ServiceFinder$ServiceNameIterator of JAX-WS
        • all inner classes of javafx.collections.ObservableList
        • an internal ClassLoader used in a private copy of BCEL within the Java runtime

      Dependencies

      The default parser of XStream has changed from the Xpp3Parser in artifact xpp3:xpp3_min to MXParser, a fork of Xpp3 in the artifact io.github.x-stream:mxparser. The Xpp3 is unmaintained for a long time, bugs have been fixed reported more than a decade ago, improvements by other forks have been incorporated and some endless loops have been fixed, that could have been utilized as DoS attack.

      XStream has therefore new default dependencies. If you have used XStream with the default driver (i.e. Xpp3), you can still exchange the XStream library for a drop-in replacement, but you will also have to remove the Xpp3 and add the MXParser library instead.

      For build time you will have to add the Xpp3 library to your dependencies, if you made explicitly use of the Xpp3 driver. If you did explicitly use a different driver than Xpp3 and had therefore excluded the Xpp3 dependency, you might have to exclude now the new MXParser dependency instead to minimize your dependency list.

      Attachments

        Issue Links

        Activity

          This comment will be Viewable by All Users Viewable by All Users
          Cancel

          People

            slachiewicz Sylwester Lachiewicz
            slachiewicz Sylwester Lachiewicz
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Slack

                Issue deployment