libxstream-java (1.4.11.1-1ubuntu0.3) focal-security; urgency=medium

  * Merge from Debian.
  * SECURITY UPDATE: RCE, DoS, and Obtain Sensitive Information.
    - debian/patches/CVE-2021-39154-[1-3].patch: Enable the security
      whitelist by default to prevent RCE vulnerabilities. XStream no longer
      uses a blacklist because it cannot be secured for general purpose.
    - CVE-2021-39139
    - CVE-2021-39140
    - CVE-2021-39141
    - CVE-2021-39144
    - CVE-2021-39145
    - CVE-2021-39146
    - CVE-2021-39147
    - CVE-2021-39148
    - CVE-2021-39149
    - CVE-2021-39150
    - CVE-2021-39151
    - CVE-2021-39152
    - CVE-2021-39153
    - CVE-2021-39154
  * SECURITY UPDATE: Denial of Service
    - debian/patches/CVE-2022-41966.patch: XStream serializes Java objects to
      XML and back again. Prior versions may allow a remote attacker to
      terminate the application with a stack overflow error, resulting in a
      denial of service only via manipulation of the processed input stream.
      The attack uses the hash code implementation for collections and maps
      to force recursive hash calculation causing a stack overflow. This
      issue is patched in this version which handles the stack overflow and
      raises an InputManipulationException instead. A potential workaround
      for users who only use HashMap or HashSet and whose XML refers these
      only as default map or set, is to change the default implementation of
      java.util.Map and java.util per the code example in the referenced
      advisory. However, this implies that your application does not care
      about the implementation of the map and all elements are comparable. 
      (Closes: #1027754) 
    - CVE-2022-41966

 -- Amir Naseredini <amir.naseredini@canonical.com>  Tue, 07 Mar 2023 09:33:10 +0000

libxstream-java (1.4.11.1-1ubuntu0.2) focal-security; urgency=medium

  * Merge from Debian.
  * SECURITY UPDATE: Arbitrary code execution.
    - debian/patches/CVE-2021-21341-to-CVE-2021-21351.patch: The type
    hierarchies for java.io.InputStream, java.nio.channels.Channel,
    javax.activation.DataSource and javax.sql.rowsel.BaseRowSet are now
    blacklisted as well as the individual types
    com.sun.corba.se.impl.activation.ServerTableEntry,
    com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator,
    sun.awt.datatransfer.DataTransferer$IndexOrderComparator, and
    sun.swing.SwingLazyValue. Additionally the internal type
    Accessor$GetterSetterReflection of JAXB, the internal types
    MethodGetter$PrivilegedGetter and ServiceFinder$ServiceNameIterator of
    JAX-WS, all inner classes of javafx.collections.ObservableList and an
    internal ClassLoader used in a private BCEL copy are now part of the
    default blacklist and the deserialization of XML containing one of the two
    types will fail. You will have to enable these types by explicit
    configuration, if you need them.
    - CVE-2021-21341
    - CVE-2021-21342
    - CVE-2021-21343
    - CVE-2021-21344
    - CVE-2021-21345
    - CVE-2021-21346
    - CVE-2021-21347
    - CVE-2021-21348
    - CVE-2021-21349
    - CVE-2021-21350
    - CVE-2021-21351

 -- Eduardo Barretto <eduardo.barretto@canonical.com>  Wed, 28 Apr 2021 15:01:42 +0200

libxstream-java (1.4.11.1-1ubuntu0.1) focal-security; urgency=medium

  * SECURITY UPDATE: Command Injection Vulnerability
    - debian/patches/CVE-2020-26217.patch: New predefined blacklist avoids
      vulnerability due to improper setup and update security vulnerability
      test to test default.
    - debian/patches/CVE-2020-26259.patch: Fix arbitrary File Deletion on the
      local host.
    - CVE-2020-26217
    - CVE-2020-26259
  * SECURITY UPDATE: Server-Side Request Forgery Vulnerability
    - debian/patches/CVE-2020-26258.patch: Fix access data streams from an
      arbitrary URL.
    - CVE-2020-26258
  * Add a new maven rule to fix FTBFS.
    - debian/maven.ignoreRules: Add com.sun.xml.ws jaxws-rt.

 -- Paulo Flabiano Smorigo <pfsmorigo@canonical.com>  Wed, 27 Jan 2021 12:57:43 +0000

libxstream-java (1.4.11.1-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 1.4.11.1.

 -- Markus Koschany <apo@debian.org>  Sun, 11 Nov 2018 00:04:59 +0100

libxstream-java (1.4.11-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 1.4.11.
  * Switch to compat level 11.
  * Declare compliance with Debian Policy 4.2.1.
  * Build-depend on libjaxb-api-java to fix FTBFS with Java 11.
    (Closes: #912377)
  * Add a new maven rule for xpp3 to fix a FTBFS.
  * Remove Damien Raude-Morvan from Uploaders. (Closes: #889445)

 -- Markus Koschany <apo@debian.org>  Sat, 10 Nov 2018 22:56:01 +0100

libxstream-java (1.4.10-1) unstable; urgency=medium

  * New upstream release
    - Removed CVE-2017-7957.patch (fixed upstream)
  * Standards-Version updated to 3.9.8
  * Switch to debhelper level 10

 -- Emmanuel Bourg <ebourg@apache.org>  Tue, 20 Jun 2017 10:22:33 +0200

libxstream-java (1.4.9-2) unstable; urgency=medium

  * Fixed CVE-2017-7957: Attempts to create an instance of the primitive
    type 'void' during unmarshalling lead to a remote application crash.
    (Closes: #861521)

 -- Emmanuel Bourg <ebourg@apache.org>  Tue, 02 May 2017 16:52:35 +0200

libxstream-java (1.4.9-1) unstable; urgency=medium

  * New upstream release
    - Fixes CVE-2016-3674: XML External Entity vulnerability (Closes: #819455)
    - Ignore the new xstream-jmh module
    - Updated the Maven rules
  * No longer build the xstream-benchmark module (never used in Debian)
  * Build with maven-debian-helper
  * Depend on libcglib-nodep-java instead of libcglib3-java
  * Standards-Version updated to 3.9.7 (no changes)
  * Use secure Vcs-* fields
  * Updated the old references to codehaus.org

 -- Emmanuel Bourg <ebourg@apache.org>  Tue, 29 Mar 2016 12:05:49 +0200

libxstream-java (1.4.8-1) unstable; urgency=medium

  * New upstream release
  * Added a patch to compile with Java 7
  * Moved the package to Git

 -- Emmanuel Bourg <ebourg@apache.org>  Wed, 29 Apr 2015 17:53:25 +0200

libxstream-java (1.4.7-2) unstable; urgency=medium

  * Depend on libcglib3-java instead of libcglib-java
  * Standards-Version updated to 3.9.6 (no changes)

 -- Emmanuel Bourg <ebourg@apache.org>  Mon, 29 Sep 2014 19:53:09 +0200

libxstream-java (1.4.7-1) unstable; urgency=low

  * New upstream release
    - Fixes CVE-2013-7285 (Closes: #734821)
    - Added a dependency on libjdom2-java
  * Standards-Version updated to 3.9.5 (no changes)
  * Use XZ compression for the upstream tarball
  * Build depend on debhelper >= 9
  * debian/copyright: Updated to the Copyright Format 1.0

 -- Emmanuel Bourg <ebourg@apache.org>  Wed, 12 Mar 2014 14:06:33 +0100

libxstream-java (1.4.4-1) unstable; urgency=low

  * New upstream release
  * Update Standards-Version: 3.9.4 (no changes)
  * Use canonical URLs for the Vcs-* fields
  * debian/rules: Improved the clean target to allow rebuilds

 -- Emmanuel Bourg <ebourg@apache.org>  Tue, 02 Jul 2013 22:38:00 +0200

libxstream-java (1.4.2-1) unstable; urgency=low

  [ tony mancill ]
  * Remove Michael Koch from Uploaders (Closes: #654106)
  * Update Standards-Version: 3.9.3.

  [ Damien Raude-Morvan ]
  * New upstream release (Closes: #655908)
    - Add Build-Depends on libstax-java, libwoodstox-java, libstax2-api-java
      and libkxml2-java (and Suggests).
  * Use maven-ant-helper for build:
    - Add Build-Depends on maven-ant-helper.
    - New debian/build.xml.
    - Drop patch on MANIFEST.MF update and use jh_manifest.
    - Add Build-Depends on javahelper.
  * Add myself as Uploader.

 -- Damien Raude-Morvan <drazzib@debian.org>  Mon, 28 May 2012 23:14:16 +0200

libxstream-java (1.3.1-7) unstable; urgency=low

  * Switch to source format 3.0.
  * Update Standards-Version: 3.9.1.

 -- Torsten Werner <twerner@debian.org>  Thu, 18 Aug 2011 15:01:00 +0200

libxstream-java (1.3.1-6) unstable; urgency=low

  [ Onkar Shinde ]
  * debian/control
    - Add quilt build dependency.
  * debian/rules
    - Include patchsys-quilt.mk rule.
  * debian/patches/01_fix_classpath.diff
    - Add appropriate jar files in classpath using manifest attribute.
      (LP: #457660)
  * debian/patches/series
    - Create new and include the new patch added.
  * debian/README.source
    - Add to comply with policy.

  [ Michael Koch ]
  * Added myself to Uploaders.

 -- Michael Koch <konqueror@gmx.de>  Wed, 04 Nov 2009 21:10:05 +0100

libxstream-java (1.3.1-5) unstable; urgency=low

  * Switch to default-jdk
  * Build-Depends: replace cglib2.1 with cglib (Closes: #550613)
  * Bump Standards-Version to 3.8.3
  * Bump dh compat to 7

 -- Varun Hiremath <varun@debian.org>  Thu, 15 Oct 2009 14:35:55 -0400

libxstream-java (1.3.1-4) unstable; urgency=low

  * Add missing dependencies to Depends and Suggests

 -- Ludovic Claude <ludovic.claude@laposte.net>  Fri, 14 Aug 2009 23:30:34 +0100

libxstream-java (1.3.1-3) unstable; urgency=low

  * Upload to unstable.

 -- Torsten Werner <twerner@debian.org>  Sun, 09 Aug 2009 12:57:52 +0200

libxstream-java (1.3.1-2) experimental; urgency=low

  * Change section to java
  * Bump up Standards-Version to 3.8.2
  * Add ${misc:Depends} to Depends to clear Lintian warnings
  * Remove Depends on Java runtimes as it is a library
  * Add the Maven POM to the package
  * Add a Build-Depends-Indep dependency on maven-repo-helper

 -- Ludovic Claude <ludovic.claude@laposte.net>  Tue, 28 Jul 2009 20:51:09 +0100

libxstream-java (1.3.1-1) unstable; urgency=low

  * New upstream release
  * Minor cleanups

 -- Torsten Werner <twerner@debian.org>  Thu, 01 Jan 2009 01:20:34 +0100

libxstream-java (1.3-4) unstable; urgency=low

  * Fix java bytecode / java runtime version mismatch by setting -source
    and -target to 1.5 (Closes: #503789)

 -- Varun Hiremath <varun@debian.org>  Sat, 01 Nov 2008 11:41:26 -0400

libxstream-java (1.3-3) unstable; urgency=low

  * Really move package to main.

 -- Torsten Werner <twerner@debian.org>  Mon, 11 Aug 2008 18:13:41 +0200

libxstream-java (1.3-2) unstable; urgency=low

  * Build package with OpenJDK now.
  * Move package to main.
  * Bump Standards-Version: 3.8.0 (no changes needed).

 -- Torsten Werner <twerner@debian.org>  Mon, 11 Aug 2008 17:50:31 +0200

libxstream-java (1.3-1) unstable; urgency=low

  * New upstream release
  * Add myself to Uploaders
  * Bump Standards-Version to 3.7.3
  * Remove patches/encoding.diff - not required

 -- Varun Hiremath <varun@debian.org>  Thu, 28 Feb 2008 15:30:34 +0530

libxstream-java (1.2.2-1) unstable; urgency=low

  * initial version (Closes: #453149)

 -- Torsten Werner <twerner@debian.org>  Sat, 24 Nov 2007 00:01:40 +0100
