Advisories » MGASA-2014-0100

Updated xstream packages fix CVE-2013-7285

Publication date: 25 Feb 2014
Modification date: 25 Feb 2014
Type: security
Affected Mageia releases : 3 , 4
CVE: CVE-2013-7285

Description

Updated xstream packages fix security vulnerability:

It was found that XStream would deserialize arbitrary user-supplied XML
content, representing objects of any type. A remote attacker able to pass XML
to XStream could use this flaw to perform a variety of attacks, including
remote code execution in the context of the server running the XStream
application (CVE-2013-7285).
                

References

• http://xstream.codehaus.org/security.html
• https://lists.fedoraproject.org/pipermail/package-announce/2014-February/128807.html
• https://bugs.mageia.org/show_bug.cgi?id=12874
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7285

SRPMS

4/core

• kxml-2.3.0-5.1.mga4
• xstream-1.4.7-1.mga4

3/core

• xstream-1.3.1-6.1.mga3