Multiple XML external entity (XXE) vulnerabilities in the (1) Dom4JDriver, (2) DomDriver, (3) JDomDriver, (4) JDom2Driver, (5) SjsxpDriver, (6) StandardStaxDriver, and (7) WstxDriver drivers in XStream before 1.4.9 allow remote attackers to read arbitrary files via a crafted XML document.
lists.fedoraproject.org/pipermail/package-announce/2016-April/183180.html
lists.fedoraproject.org/pipermail/package-announce/2016-April/183208.html
rhn.redhat.com/errata/RHSA-2016-2822.html
rhn.redhat.com/errata/RHSA-2016-2823.html
www.debian.org/security/2016/dsa-3575
www.openwall.com/lists/oss-security/2016/03/25/8
www.openwall.com/lists/oss-security/2016/03/28/1
www.securityfocus.com/bid/85381
www.securitytracker.com/id/1036419
x-stream.github.io/changes.html#1.4.9
github.com/x-stream/xstream/issues/25