Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability
Felix Natter
fnatter at gmx.net
Sun Apr 1 15:57:55 UTC 2018
Markus Koschany <apo at debian.org> writes:
> Hi Felix,
hello Markus,
> Am 01.04.2018 um 16:23 schrieb Felix Natter:
>> hello Markus,
>>
>> I have prepared the patched 1.5.18-1+deb9u1 for stretch
>> I hope I got the version number right? The changelog entry is probably
>> not correct either. Can you advise what to read?
>>
>> I briefly tested saving+loading mindmaps.
>>
>> Here it is:
>> https://anonscm.debian.org/cgit/pkg-java/freeplane.git/log/?h=stretch-CVE-2018-1000069
>> (branch stretch-CVE-2018-1000069 in the freeplane alioth repo).
>>
>> I am in the process of setting up a vbox instance for jessie to address
>> the other update.
>>
>> Cheers and Best Regards,
>
> The version is correct. I would write in your changelog:
>
> Fix CVE-2018-1000069: Wojciech Reguła discovered that FreePlane was
> affected by an XML External Entity (XXE) vulnerability in its mindmap
> loader that could compromise a user's machine by opening a specially
> crafted mind map file. (Closes: #893663)
Thanks, done.
BTW: Is it ok to close the bug with the stretch-security upload even if
the jessie-security upload is still pending?
What is there to do next?
> Distribution should be stretch-security though and the urgency is high.
> Similar for Jessie, jessie-security and the version is 1.3.12-1+deb8u1
I will do this soon, hopefully tomorrow.
Cheers and Best Regards,
--
Felix Natter
debian/rules!