the XStream project is pleased to announce the release of XStream 1.4.7.
The release is primarily a security release to address CVE-2013-7285. XStream
will no longer handle any java.bean.EventHandler instance as immediate
consequence. If you know what you do, you may still register the
ReflectionConverter for this type. Unless you unmarshal such objects, XStream
1.4.7 is meant as drop-in replacement.
XStream contains now on top of this a security framework, where you can fine-
control any type that is permitted by XStream to unmarshall. All security
related aspects are described in this new documentation: