Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability
Salvatore Bonaccorso
carnil at debian.org
Mon Apr 9 07:58:40 UTC 2018
Hi Felix,
Sorry for the delay in getting back to you.
On Fri, Apr 06, 2018 at 09:40:40PM +0200, Felix Natter wrote:
> hello Security Team,
>
> here are the CVE-2018-1000069 security updates for jessie and stretch:
>
> [jessie]
> https://anonscm.debian.org/cgit/pkg-java/freeplane.git/log/?h=jessie-CVE-2018-1000069
> (jessie-CVE-2018-1000069 branch)
>
> [stretch]
> https://anonscm.debian.org/cgit/pkg-java/freeplane.git/log/?h=stretch-CVE-2018-1000069
> (stretch-CVE-2018-1000069 branch)
>
> Both are tested:
> - builds
> - activation log message is seen
> - Save and Load XML works
>
> In what format would you like the "tested packages"? *.deb?
>
> Here is the corresponding upstream commit:
> https://github.com/freeplane/freeplane/commit/a5dce7f9f
>
> The debdiffs are attached.
Debdiffs look good to me. I just have a question about the
jessie debdiff: in ScriptingRegistration.java, was the removal of
the import of org.freeplane.n3.nanoxml.XMLParserFactory not done on
purpose?
Other than that, once the above question is commented on, feel free to upload
to security-master (AFAICS you will need a sponsor, but I guess Markus
will chime in here as well). Remember that both need to be built with
-sa.
Regards,
Salvatore