Uploaded image for project: 'Confluence Data Center'
  1. Confluence Data Center
  2. CONFSERVER-65577

XStream upgrade to 1.4.17

    XMLWordPrintable

Details

    Description

      Problem

      XStream is vulnerable to security exploits including CVE-2021-29505. This ticket tracks it's upgrade to 1.4.17 

      Atlassian Update - July 2021

      We have upgraded XStream to 1.4.17.  If your plugin bundles your own version of XStream you will also need to upgrade to this version or later. This is because XStream 1.4.16 provides a newer implementation of XmlPullParser through service loader. XStream's default parser has changed from Xpp3 to MXParser, which is a fork of Xpp3.  You can read more about the changes in the XStream change log.

      When upgrading XStream in our own plugins, we found that it remained compatible with older Confluence versions, as there's a dependency of xpp3_min which helps the plugin to work with older XmlPullParser implementations mentioned in service loader in older Confluence versions.

      Environment

      Confluence v7.4

      Workaround

      There are no workaround available for this up til now.

      Attachments

        Issue Links

          links to

          Web Link Original (master branch) ticket on AsecJ > VULN

          mentioned in

          Page Loading...

          Page Loading...

          Activity

            People

              ggautam Ganesh Gautam
              haftab Hassan Aftab
              Votes:
              5 Vote for this issue
              Watchers:
              28 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: