-------------------------------------------------------------------
Mon May 31 07:59:25 UTC 2021 - Fridrich Strba <fstrba@suse.com>

- Upgrade to 1.4.17
  * Security fix:
    * bsc#1186651, CVE-2021-29505: potential code execution when
      unmarshalling with XStream instances using an uninitialized
      security framework

-------------------------------------------------------------------
Thu Apr 15 14:31:31 UTC 2021 - Fridrich Strba <fstrba@suse.com>

- Upgrade to 1.4.16
  * Security fixes:
    + bsc#1184796, CVE-2021-21351: remote attacker to load and
      execute arbitrary code
    + bsc#1184797, CVE-2021-21349: SSRF can lead to a remote
      attacker to request data from internal resources
    + bsc#1184380, CVE-2021-21350: arbitrary code execution
    + bsc#1184374, CVE-2021-21348: remote attacker could cause
      denial of service by consuming maximum CPU time
    + bsc#1184378, CVE-2021-21347: remote attacker to load and
      execute arbitrary code from a remote host
    + bsc#1184375, CVE-2021-21344: remote attacker could load and
      execute arbitrary code from a remote host
    + bsc#1184379, CVE-2021-21342: server-side forgery
    + bsc#1184377, CVE-2021-21341: remote attacker could cause a
      denial of service by allocating 100% CPU time
    + bsc#1184373, CVE-2021-21346: remote attacker could load and
      execute arbitrary code
    + bsc#1184372, CVE-2021-21345: remote attacker with sufficient
      rights could execute commands
    + bsc#1184376, CVE-2021-21343: replace or inject objects, that
      result in the deletion of files on the local host
- Add patch:
  * Revert-MXParser-changes.patch
    + revert changes that would force us to add new dependency

-------------------------------------------------------------------
Mon Jan 18 10:14:56 UTC 2021 - Fridrich Strba <fstrba@suse.com>

- Upgrade to 1.4.15
  * fixes bsc#1180146, CVE-2020-26258 and bsc#1180145,
    CVE-2020-26259

-------------------------------------------------------------------
Mon Jan 18 09:58:41 UTC 2021 - Fridrich Strba <fstrba@suse.com>

- Upgrade to 1.4.14
  * fixes bsc#1180994, CVE-2020-26217
- Remove patches:
  * 0001-Prevent-deserialization-of-void.patch
  * xstream-1.4.9-javadoc.patch
    + integrated in upstream sources

-------------------------------------------------------------------
Tue Jun 4 08:18:44 UTC 2019 - Fridrich Strba <fstrba@suse.com>

- Initial packaging of xstream 1.4.9