Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability

Felix Natter fnatter at gmx.net
Tue Apr 10 18:33:22 UTC 2018


Salvatore Bonaccorso <carnil at debian.org> writes:

> Hi Felix,

hello Salvatore,

> Sorry for the delay in getting back to you.
>
> On Fri, Apr 06, 2018 at 09:40:40PM +0200, Felix Natter wrote:
>> hello Security Team,
>> 
>> here are the CVE-2018-1000069 security updates for jessie and stretch:
>> 
>> [jessie]
>> https://anonscm.debian.org/cgit/pkg-java/freeplane.git/log/?h=jessie-CVE-2018-1000069
>> (jessie-CVE-2018-1000069 branch)
>> 
>> [stretch]
>> https://anonscm.debian.org/cgit/pkg-java/freeplane.git/log/?h=stretch-CVE-2018-1000069
>> (stretch-CVE-2018-1000069 branch)
>> 
>> Both are tested:
>> - builds
>> - activation log message is seen
>> - Save and Load XML works
>> 
>> In what format would you like the "tested packages"? *.deb?
>> 
>> Here is the corresponding upstream commit:
>> https://github.com/freeplane/freeplane/commit/a5dce7f9f
>> 
>> The debdiffs are attached.
>
> Debdiffs looks good to me. I just have a question, for the
> jessie-debdiff: In the ScriptingRegistration.java was the removal of
> the import of org.freeplane.n3.nanoxml.XMLParserFactory not done on
> purpose?

Yes and no. On jessie the patch did not cleanly apply, so I would have
had to apply that change manually. Since removing the import has no
effect on the semantics of the program (as long as it still compiles), I
was too lazy. It should be ok.

> Other than that, when the above question is commented on, feel free to upload
> to security-master (AFAICS you will need a sponsor, but guess Markus
> will chime in here as well). Remember that both need to be built with
> -sa.

May I ask why the full source must be included?

@Markus: Would you be so kind to take care of uploading?

Cheers and Best Regards,
-- 
Felix Natter
debian/rules!


