Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability

Felix Natter fnatter at gmx.net
Sun Apr 1 15:57:55 UTC 2018


Markus Koschany <apo at debian.org> writes:

> Hi Felix,

hello Markus,

> Am 01.04.2018 um 16:23 schrieb Felix Natter:
>> hello Markus,
>> 
>> I have prepared the patched 1.5.18-1+deb9u1 for stretch
>> I hope I got the version number right? The changelog entry is probably
>> not correct either. Can you advise what to read?
>> 
>> I briefly tested saving+loading mindmaps.
>> 
>> Here it is:
>> https://anonscm.debian.org/cgit/pkg-java/freeplane.git/log/?h=stretch-CVE-2018-1000069
>> (branch stretch-CVE-2018-1000069 in the freeplane alioth repo).
>> 
>> I am in the process of setting up a vbox instance for jessie to address
>> the other update.
>> 
>> Cheers and Best Regards,
>
> The version is correct. I would write in your changelog:
>
> Fix CVE-2018-1000069: Wojciech Reguła discovered that FreePlane was
> affected by an XML External Entity (XXE) vulnerability in its mindmap
> loader that could compromise a user's machine by opening a specially
> crafted mind map file. (Closes: #893663)

Thanks, done.
BTW: Is it ok to close the bug with the stretch-security upload even if
the jessie-security upload is still pending?

What is there to do next?

> Distribution should be stretch-security though and the urgency is high.
> Similar for Jessie, jessie-security and the version is 1.3.12-1+deb8u1

I will do this soon, hopefully tomorrow.

Cheers and Best Regards,
-- 
Felix Natter
debian/rules!
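
The changelog text quoted above describes the root cause: the mindmap loader parsed untrusted XML with external entity resolution enabled. The following is an added example of the defensive parser configuration such a loader should use; it is not Freeplane's code or the actual patch from the stretch/jessie branches. The class name, the helper method names and the two constructed sample documents are assumptions for illustration; the feature URIs and the `DocumentBuilderFactory` calls are the standard JDK/Xerces API.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

// Hypothetical loader showing the XXE-safe parser setup (not Freeplane's own code).
public class SafeMindmapLoader {

    // Build a DocumentBuilder that refuses DTDs and never resolves external entities.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE outright; a mind map file has no legitimate need for one.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a different parser implementation ignores the first feature.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Parse a mind map and return its root element name; throws on any DOCTYPE.
    static String loadMindmap(InputStream in)
            throws ParserConfigurationException, SAXException, IOException {
        Document doc = hardenedBuilder().parse(in);
        return doc.getDocumentElement().getTagName();
    }

    private static InputStream bytes(String s) {
        return new ByteArrayInputStream(s.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a minimal Freeplane-style map with a single node.
        String benign = "<map version=\"freeplane 1.5.9\"><node TEXT=\"root\"/></map>";
        System.out.println("benign map root element: " + loadMindmap(bytes(benign)));

        // Constructed sample: the same map preceded by a DOCTYPE (only a harmless
        // internal entity here). The hardened parser rejects the declaration itself,
        // so no entity, internal or external, is ever processed.
        String withDoctype = "<!DOCTYPE map [<!ENTITY greeting \"hi\">]>"
                + "<map><node TEXT=\"&greeting;\"/></map>";
        try {
            loadMindmap(bytes(withDoctype));
            System.out.println("UNEXPECTED: DOCTYPE was accepted");
        } catch (SAXException e) {
            System.out.println("rejected DOCTYPE as expected: " + e.getMessage());
        }
    }
}
```

The key setting is `disallow-doctype-decl`: once DTDs are refused entirely, there is nothing left for an attacker-supplied `.mm` file to declare. The remaining features only matter if an application must accept DTDs for some other reason, in which case disabling external general and parameter entities and external DTD loading is the minimum. When verifying a backport like the one discussed in this thread, loading a map with a DOCTYPE and confirming it is rejected (rather than silently accepted) is the quick regression check.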
