Bug
Resolution: Fixed
Minor
https://github.com/jenkinsci/jenkins/pull/5685 updated XStream (Jenkins 2.309 and higher).
The library has a public CVE, and whilst Jenkins already uses an allow list and so is not impacted, it would be nice to pull this update into the LTS version to keep some scanners happy.
This is a retrospective ticket that was assigned after the fact to start an LTS backport discussion.
See also https://groups.google.com/g/jenkinsci-dev/c/jX0f6Kz6zhc