Changelog for xstream-javadoc-1.4.17-3.11.2.noarch.rpm:
* Mon May 31 2021 fstrbaAATTsuse.com
- Upgrade to 1.4.17
  * Security fix:
    + bsc#1186651, CVE-2021-29505: potential code execution when unmarshalling with XStream instances using an uninitialized security framework
* Thu Apr 15 2021 fstrbaAATTsuse.com
- Upgrade to 1.4.16
  * Security fixes:
    + bsc#1184796, CVE-2021-21351: remote attacker to load and execute arbitrary code
    + bsc#1184797, CVE-2021-21349: SSRF can lead to a remote attacker to request data from internal resources
    + bsc#1184380, CVE-2021-21350: arbitrary code execution
    + bsc#1184374, CVE-2021-21348: remote attacker could cause denial of service by consuming maximum CPU time
    + bsc#1184378, CVE-2021-21347: remote attacker to load and execute arbitrary code from a remote host
    + bsc#1184375, CVE-2021-21344: remote attacker could load and execute arbitrary code from a remote host
    + bsc#1184379, CVE-2021-21342: server-side forgery
    + bsc#1184377, CVE-2021-21341: remote attacker could cause a denial of service by allocating 100% CPU time
    + bsc#1184373, CVE-2021-21346: remote attacker could load and execute arbitrary code
    + bsc#1184372, CVE-2021-21345: remote attacker with sufficient rights could execute commands
    + bsc#1184376, CVE-2021-21343: replace or inject objects, that result in the deletion of files on the local host
- Add patch:
  * Revert-MXParser-changes.patch
    + revert changes that would force us to add new dependency
* Tue Mar 09 2021 jrennerAATTsuse.com
- Upgrade to 1.4.15
  * fixes bsc#1180146, CVE-2020-26258 and bsc#1180145, CVE-2020-26259
- Upgrade to 1.4.14
  * fixes bsc#1180994, CVE-2020-26217
- Update xstream to 1.4.15~susemanager
  Removed:
  * xstream_1_4_10-jdk11.patch
  * xstream_1_4_10-buildsh-sle12.patch
  * build.sh
* Tue Mar 05 2019 fkobzikAATTsuse.com
- Update xstream to 1.4.10
  Added:
  * xstream_1_4_10-jdk11.patch
  * xstream_1_4_10-buildsh-sle12.patch
  * xstream-XSTREAM_1_4_10.tar.gz
  Removed:
  * 0001-Prevent-deserialization-of-void.patch
  * xstream-XSTREAM_1_4_9.tar.gz
  * xstream-XSTREAM_1_4_9-jdk11.patch
- Major changes:
- New XStream artifact with -java7 appended as version suffix for a library explicitly without the Java 8 stuff (lambda expression support, converters for java.time.* package).
- Fix PrimitiveTypePermission to reject type void to prevent CVE-2017-7957 with an initialized security framework.
- Improve performance by minimizing call stack of mapper chain.
- XSTR-774: Add converters for types of java.time, java.time.chrono, and java.time.temporal packages (converters for LocalDate, LocalDateTime, LocalTime, OffsetDateTime, and ZonedDateTime by Matej Cimbora).
- JavaBeanConverter does not respect ignored unknown elements.
- Add XStream.setupDefaultSecurity to initialize security framework with defaults of XStream 1.5.x.
- Emit error warning if security framework has not been initialized and the XStream instance is vulnerable to known exploits.
* Tue Feb 05 2019 michele.bolognaAATTsuse.com
- Feat: modify patch to be compatible with JDK 11 building
  Added:
  * xstream-XSTREAM_1_4_9-jdk11.patch
  Removed:
  * xstream-XSTREAM_1_4_9-jdk9.patch
* Tue Dec 11 2018 moioAATTsuse.com
- fixes for SLE 15 compatibility
* Fri Dec 01 2017 mcAATTsuse.com
- fix possible Denial of Service when unmarshalling void. (CVE-2017-7957, bsc#1070731)
  Added:
  * 0001-Prevent-deserialization-of-void.patch
* Tue Nov 07 2017 jgonzalezAATTsuse.com
- Fix build for JDK9
- Disable javadoc generation (broken for SLE15 and Tumbleweed)
- Add:
  * xstream-XSTREAM_1_4_9-jdk9.patch
- Changed:
  * build.sh
* Tue Apr 05 2016 moioAATTsuse.com
- Require building on Java 8, otherwise the LambdaMapper class is skipped (issue 30)
* Tue Mar 29 2016 moioAATTsuse.com
- Upgrade to version 1.4.9, which fixes CVE-2016-3674 (bsc#972950)
* Tue Nov 10 2015 moioAATTsuse.com
- Initial version