Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability
Felix Natter
fnatter at gmx.net
Tue Apr 3 19:24:53 UTC 2018
Salvatore Bonaccorso <carnil at debian.org> writes:
> Hi Felix,
hello Salvatore,
> On Sun, Apr 01, 2018 at 06:04:27PM +0200, Markus Koschany wrote:
>>
>>
>> Am 01.04.2018 um 17:57 schrieb Felix Natter:
>> [...]
>> > Thanks, done.
>> > BTW: Is it ok to close the bug with the stretch-security upload even if
>> > the jessie-security upload is still pending?
>>
>> Yes, that's ok. You can close the bug with both uploads.
>>
>> > What is there to do next?
>>
>> As soon as the security team has approved the changes, I can upload your
>> packages to security-master.
>
> Thanks for working on it, the issue is severe enough that it warrants
> a DSA. Could you send the security team alias
> (team at security.debian.org) debdiffs resulting from the build and
> tested packages for a short review + ack?
The stretch update is here (branch stretch-CVE-2018-1000069):
https://anonscm.debian.org/cgit/pkg-java/freeplane.git/log/?h=stretch-CVE-2018-1000069&showmsg=1
This is tested:
- activation log message is seen
- Save and Load XML works
In what format would you like the "tested packages"? *.deb?
Here is the upstream commit:
https://github.com/freeplane/freeplane/commit/a5dce7f9f
The debdiff (for stretch-security) is attached.
I am still working on the jessie update, this could take until Saturday
(sorry for the delay).
Best Regards,
--
Felix Natter
debian/rules!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: stretch-CVE-2018-100006.debdiff
Type: application/octet-stream
Size: 13630 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-java-maintainers/attachments/20180403/2ec910b8/attachment-0001.obj>