Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
---|---|---|---|---|---|---|
01-java7-compatibility.patch | Replaces the call to Method.isDefault() by a reflexive call to compile with Java 7 | Emmanuel Bourg <ebourg@apache.org> | not-needed | |||
02-disable-beastax-driver.patch | Removes the dependency on the com.bea.xml.stream package (not needed, allows us to drop the StAX dependency) | Emmanuel Bourg <ebourg@apache.org> | not-needed | |||
enable-security-whitelist-by-default.patch | enable-security-whitelist-by-default | Markus Koschany <apo@debian.org> | no | | | 2021-10-02 |
SecurityVulnerabilityTest.patch | SecurityVulnerabilityTest | Markus Koschany <apo@debian.org> | no | | | 2021-10-02 |
debian-specific-whitelist-extension.patch | debian-specific-whitelist-extension | Markus Koschany <apo@debian.org> | no | | | 2021-10-02 |
CVE-2022-41966.patch | CVE-2022-41966 | Markus Koschany <apo@debian.org> | no | debian | https://github.com/x-stream/xstream/commit/e9151f221b4969fb15b1e946d5d61dcdd459a391 | 2023-01-11 |
0007-CVE-2021-43859.patch | CVE-2021-43859 | Bastien Roucariès <rouca@debian.org> | yes | upstream | https://github.com/x-stream/xstream/commit/e8e88621ba1c85ac3b8620337dd672e0c0c3a846 | 2024-12-21 |
0008-CVE-2024-47072.patch | CVE-2024-47072 This vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver. | Bastien Roucariès <rouca@debian.org> | yes | debian upstream | backport, https://github.com/x-stream/xstream/commit/c8a939075f99895d76fe49de69d3570a3c401976 | 2024-12-21 |