Denial of Service in 1.4.21


yaqi guo

Jan 9, 2025, 6:51:31 AM
to XStream User
Hello,

I found an issue in XStream 1.4.21 that can cause a Denial of Service due to a stack overflow. Who should I email about this?

Thanks,
Yaqi Guo  

Jörg Schaible

Jan 13, 2025, 3:26:12 PM
to XStream User, 'yaqi guo' via XStream User
You have been invited to the XStream security list. Please send all
information about the security problem you have found to this list.

Regards,
Jörg



yaqi guo

Jan 14, 2025, 10:16:45 PM
to XStream User
I haven't been invited to the XStream security list.

yaqi guo

Jan 14, 2025, 10:17:15 PM
to XStream User

I haven't been invited to the XStream security list.
On Tuesday, January 14, 2025 at 04:26:12 UTC+8, <Jörg Schaible> wrote:

Jörg Schaible

Jan 15, 2025, 3:15:19 PM
to xstrea...@googlegroups.com
On Wednesday, 15. January 2025, 04:16:45 CET 'yaqi guo' wrote via XStream
User:
> I haven't been invited to the XStream security list.

I've resent the invitation. It has been sent to the same email address you're
using for this Google group.

Regards,
Jörg


yaqi guo

Jan 19, 2025, 9:16:35 PM
to XStream User
Please resend the link to invite to join the group, because now there is always an error when clicking the link.

Jörg Schaible

Jan 20, 2025, 1:44:29 PM
to xstrea...@googlegroups.com
On Monday, 20. January 2025, 03:16:35 CET 'yaqi guo' wrote via XStream User:
> Please resend the link to invite to join the group, because now there is
> always an error when clicking the link.

Done.

Regards,
Jörg


yaqi guo

Jan 20, 2025, 9:05:19 PM
to XStream User
Sorry, I didn't receive a new invitation email [image: 图片1.png]

Jörg Schaible

Jan 22, 2025, 3:03:54 PM
to XStream User, 'yaqi guo' via XStream User

On Tuesday, 21. January 2025, 03:05:19 CET 'yaqi guo' via XStream User wrote:

> Sorry, I didn't receive a new invitation email [image: 图片1.png]


Well, what may I say else (sorry, Google ignored my attempts to switch to an English surface):



However, I activated now the "Private vulnerability reporting" in GitHub for XStream. Maybe that's the better way to receive reports in future anyway...


Hope this helps!


Regards,

Jörg


Jörg Schaible

Feb 9, 2025, 5:36:04 PM
to XStream User, 'yaqi guo' via XStream User
Hi,

On Wednesday, 22. January 2025, 21:03:51 CET 'Jörg Schaible' wrote via
XStream User:
> On Tuesday, 21. January 2025, 03:05:19 CET 'yaqi guo' via XStream User
> wrote:
> > Sorry, I didn't receive a new invitation email [image: 图片1.png]
>
> Well, what may I say else (sorry, Google ignored my attempts to switch to an
> English surface):
>
> [1]
>
> However, I activated now the "Private vulnerability reporting" in GitHub for
> XStream. Maybe that's the better way to receive reports in future anyway...
>
> Hope this helps!

There has been no report, neither from the security list nor from the private
reports at GitHub...

- Jörg


yaqi guo

Feb 9, 2025, 9:15:22 PM
to XStream User
Hi,

I just reported it on GitHub.

yaqi guo

Feb 19, 2025, 1:50:37 AM
to XStream User
Hello,

I have reported it on GitHub.

I would like to ask if there is any new progress on this issue now?

Thanks

Jörg Schaible

Feb 19, 2025, 2:54:30 PM
to XStream User
Hi,

On Wednesday, 19th February 2025, 07:50:36 CET 'yaqi guo' via XStream User
wrote:

> Hello,
>
> I have reported it on github
> https://github.com/x-stream/xstream/security/advisories/GHSA-x64x-329c-8hvh
>
> I would like to ask if there is any new progress on this issue now?

The case is valid, although not very often in use. I'll create a CVE request
and will release a new version, but currently I am completely overloaded with
other tasks. So it will take some time.

Thanks for the report, though!

Regards,
Jörg


