Debian Security Advisory

DSA-4811-1 libxstream-java -- security update

Date Reported:
15 Dec 2020
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2020-26217.
More information:

It was discovered that the default blacklist of XStream, a Java library to serialise objects to XML and back again, was vulnerable to the execution of arbitrary shell commands by manipulating the processed input stream.

For additional defense-in-depth it is recommended to switch to the whitelist approach of XStream's security framework. For additional information please refer to

For the stable distribution (buster), this problem has been fixed in version

We recommend that you upgrade your libxstream-java packages.

For the detailed security status of libxstream-java please refer to its security tracker page at: