Advisories » MGASA-2016-0164

Updated xstream packages fix CVE-2016-3674

Publication date: 05 May 2016
Modification date: 05 May 2016
Type: security
Affected Mageia releases: 5
CVE: CVE-2016-3674

Description

Updated xstream packages fix security vulnerability:

XStream (x-stream.github.io) is a Java library to marshal Java objects into XML
and back. For this purpose it supports many different XML parsers. Some of
those parsers can also process external entities, and that processing was
enabled by default. An attacker could therefore provide manipulated XML as
input to access data on the file system (CVE-2016-3674).
                

References

SRPMS

5/core