[ANN][SECURITY] XStream 1.4.7 released


Jörg Schaible-2

The XStream project is pleased to announce the release of XStream 1.4.7.

The release is primarily a security release to address CVE-2013-7285. XStream
will no longer handle any java.bean.EventHandler instance as an immediate
consequence. If you know what you are doing, you may still register the
ReflectionConverter for this type. Unless you unmarshal such objects, XStream
1.4.7 is meant as a drop-in replacement.

On top of this, XStream now contains a security framework, where you can
fine-control any type that is permitted by XStream to unmarshal. All
security-related aspects are described in this new documentation:


Check it out yourself:


XStream Committers
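
Added example, not part of the original announcement and not the XStream project's own code: one way to use the security framework mentioned above to restrict unmarshalling to an explicit allowlist of types. The classes `Order` and `Unlisted` and the XML strings are constructed for illustration; the permission classes are those in the `com.thoughtworks.xstream.security` package.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowlistExample {

    // Hypothetical application types, constructed for this example.
    public static class Order { String id; int quantity; }
    public static class Unlisted { String value; }

    static XStream newRestrictedXStream() {
        XStream xstream = new XStream();
        // Start from "no type is permitted", then allow only what the
        // application actually expects to receive.
        xstream.addPermission(NoTypePermission.NONE);
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { Order.class, String.class });
        // Aliases only map element names to classes; they grant no permission.
        xstream.alias("order", Order.class);
        xstream.alias("unlisted", Unlisted.class);
        return xstream;
    }

    // Returns true if the document was unmarshalled, false if a type was refused.
    static boolean accepts(XStream xstream, String xml) {
        try {
            xstream.fromXML(xml);
            return true;
        } catch (ForbiddenClassException e) {
            System.out.println("refused type: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        XStream xstream = newRestrictedXStream();
        // Constructed sample input: one allowlisted type, one that is not.
        String expected = "<order><id>A-1</id><quantity>3</quantity></order>";
        String unexpected = "<unlisted><value>x</value></unlisted>";
        System.out.println("order accepted:    " + accepts(xstream, expected));
        System.out.println("unlisted accepted: " + accepts(xstream, unexpected));
    }
}
```

Logging each `ForbiddenClassException` gives a record of type names that arrived in input but were never expected by the application.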
