Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability

Salvatore Bonaccorso carnil at debian.org
Mon Apr 9 07:58:40 UTC 2018


Hi Felix,

Sorry for the delay in getting back to you.

On Fri, Apr 06, 2018 at 09:40:40PM +0200, Felix Natter wrote:
> hello Security Team,
> 
> here are the CVE-2018-1000069 security updates for jessie and stretch:
> 
> [jessie]
> https://anonscm.debian.org/cgit/pkg-java/freeplane.git/log/?h=jessie-CVE-2018-1000069
> (jessie-CVE-2018-1000069 branch)
> 
> [stretch]
> https://anonscm.debian.org/cgit/pkg-java/freeplane.git/log/?h=stretch-CVE-2018-1000069
> (stretch-CVE-2018-1000069 branch)
> 
> Both are tested:
> - builds
> - activation log message is seen
> - Save and Load XML works
> 
> In what format would you like the "tested packages"? *.deb?
> 
> Here is the corresponding upstream commit:
> https://github.com/freeplane/freeplane/commit/a5dce7f9f
> 
> The debdiffs are attached.

Debdiffs look good to me. I just have a question, for the
jessie-debdiff: in ScriptingRegistration.java, was the removal of
the import of org.freeplane.n3.nanoxml.XMLParserFactory not done on
purpose?

Other than that, once the above question is commented on, feel free to
upload to security-master (AFAICS you will need a sponsor, but I guess
Markus will chime in here as well). Remember that both need to be built
with -sa.

Regards,
Salvatore
