Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability
Salvatore Bonaccorso
carnil at debian.org
Sat Apr 7 05:03:48 UTC 2018
Hi Felix,
On Fri, Apr 06, 2018 at 09:40:40PM +0200, Felix Natter wrote:
> hello Security Team,
>
> here are the CVE-2018-1000069 security updates for jessie and stretch:
>
> [jessie]
> https://anonscm.debian.org/cgit/pkg-java/freeplane.git/log/?h=jessie-CVE-2018-1000069
> (jessie-CVE-2018-1000069 branch)
>
> [stretch]
> https://anonscm.debian.org/cgit/pkg-java/freeplane.git/log/?h=stretch-CVE-2018-1000069
> (stretch-CVE-2018-1000069 branch)
>
> Both are tested:
> - builds
> - activation log message is seen
> - Save and Load XML works
>
> In what format would you like the "tested packages"? *.deb?
>
> Here is the corresponding upstream commit:
> https://github.com/freeplane/freeplane/commit/a5dce7f9f
>
> The debdiffs are attached.
Thanks, I will try to review and ack those over this weekend. Thanks a
lot to both of you for your work.
Regarding the question:
> In what format would you like the "tested packages"? *.deb?
That's not needed. We just have the requirement that the debdiff
should be the resulting one from the packages in the archive against
the built and tested packages, the latter for the obvious reason that we
want some assurance the packages have been tested to work.
The debdiff requirement (rather than only VCS commits) is to avoid
surprises in the actual result which will be uploaded to the archive,
rather than just a series of commits in the packaging repos to be
reviewed.
Regards,
Salvatore