Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability
Markus Koschany
apo at debian.org
Sun Apr 1 15:17:48 UTC 2018
Hi Felix,
Am 01.04.2018 um 16:23 schrieb Felix Natter:
> hello Markus,
>
> I have prepared the patched 1.5.18-1+deb9u1 for stretch.
> I hope I got the version number right? The changelog entry is probably
> not correct either. Can you advise what to read?
>
> I briefly tested saving+loading mindmaps.
>
> Here it is:
> https://anonscm.debian.org/cgit/pkg-java/freeplane.git/log/?h=stretch-CVE-2018-1000069
> (branch stretch-CVE-2018-1000069 in the freeplane alioth repo).
>
> I am in the process of setting up a vbox instance for jessie to address
> the other update.
>
> Cheers and Best Regards,
The version is correct. I would write in your changelog:
Fix CVE-2018-1000069: Wojciech Reguła discovered that FreePlane was
affected by an XML External Entity (XXE) vulnerability in its mindmap
loader that could compromise a user's machine by opening a specially
crafted mind map file. (Closes: #893663)
Distribution should be stretch-security though and the urgency is high.
Similar for Jessie: jessie-security, and the version is 1.3.12-1+deb8u1.
Cheers,
Markus