1.4.17

Released May 13, 2021.

This maintenance release addresses the security vulnerability CVE-2021-29505, when unmarshalling with XStream instances using an uninitialized security framework.

Stream compatibility

The following types are now blacklisted by default and the deserialization of XML containing one of the two types will fail. You will have to enable these types by explicit configuration, if you need them:

- any type in the java.rmi.* and sun.rmi.* package hierarchies
- the individual type com.sun.jndi.toolkit.dir.LazySearchEnumerationImpl

1.4.16

Released March 13, 2021.

This maintenance release switches XStream's default parser and addresses following security vulnerabilities, when unmarshalling with an XStream instances using an uninitialized security framework.

Major changes

Switch from Xpp3 as default parser to MXParser, a fork of Xpp3.

Minor changes

#238: Fix possibility to process references on enum types at deserialization.
#237: Fix optimization in XmlFriendlyNameCoder.

Stream compatibility

The following types are now blacklisted by default and the deserialization of XML containing one of the two types will fail. You will have to enable these types by explicit configuration, if you need them:

- the type hierarchies for java.io.InputStream, java.nio.channels.Channel, javax.activation.DataSource and javax.sql.rowsel.BaseRowSet
- the individual types com.sun.corba.se.impl.activation.ServerTableEntry, com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator, sun.awt.datatransfer.DataTransferer$IndexOrderComparator, and sun.swing.SwingLazyValue
- the individual types com.sun.corba.se.impl.activation.ServerTableEntry, com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator, sun.awt.datatransfer.DataTransferer$IndexOrderComparator, and sun.swing.SwingLazyValue
- the internal type Accessor$GetterSetterReflection of JAXB, the internal types MethodGetter$PrivilegedGetter and ServiceFinder$ServiceNameIterator of JAX-WS
- all inner classes of javafx.collections.ObservableList
- an internal ClassLoader used in a private copy of BCEL within the Java runtime

Dependencies

The default parser of XStream has changed from the Xpp3Parser in artifact xpp3:xpp3_min to MXParser, a fork of Xpp3 in the artifact io.github.x-stream:mxparser. The Xpp3 is unmaintained for a long time, bugs have been fixed reported more than a decade ago, improvements by other forks have been incorporated and some endless loops have been fixed, that could have been utilized as DoS attack.

XStream has therefore new default dependencies. If you have used XStream with the default driver (i.e. Xpp3), you can still exchange the XStream library for a drop-in replacement, but you will also have to remove the Xpp3 and add the MXParser library instead.

For build time you will have to add the Xpp3 library to your dependencies, if you made explicitly use of the Xpp3 driver. If you did explicitly use a different driver than Xpp3 and had therefore excluded the Xpp3 dependency, you might have to exclude now the new MXParser dependency instead to minimize your dependency list.

Attachments

Issue Links

fixes

MPH-173 An API incompatibility was encountered while executing org.apache.maven.plugins:maven-help-plugin:3.2.0:evaluate: java.lang.ExceptionInInitializerError: null

Closed

is duplicated by

MPH-178 help:evaluate throws serious warnings

Closed

relates to

MPH-180 Upgrade XStream from 1.4.17 to 1.14.18

Resolved

Activity

People

Assignee:: Sylwester Lachiewicz

Reporter:: Sylwester Lachiewicz

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 29/Jun/21 21:26

Updated:: 25/Sep/21 18:47

Resolved:: 29/Jun/21 22:40