Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability
Markus Koschany
apo at debian.org
Tue Mar 20 23:20:15 UTC 2018
Package: freeplane
X-Debbugs-CC: team at security.debian.org
X-Debbugs-CC: fnatter at gmx.net
Severity: important
Tags: security
Hi,
the following vulnerability was published for freeplane. Apparently only
stretch/jessie/wheezy might be affected.
@Felix
Can you tell us more about this vulnerability? There only seems to be a
reference in freeplane's wiki.
https://www.freeplane.org/wiki/index.php/XML_External_Entity_vulnerability_in_map_parser
CVE-2018-1000069[0]:
| FreePlane version 1.5.9 and earlier contains a XML External Entity
| (XXE) vulnerability in XML Parser in mindmap loader that can result in
| stealing data from victim's machine. This attack appears to require
| the vicim to open a specially crafted mind map file. This
| vulnerability appears to have been fixed in 1.6+.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-1000069
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000069
Please adjust the affected versions in the BTS as needed.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 963 bytes
Desc: OpenPGP digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-java-maintainers/attachments/20180321/1f8df856/attachment-0001.sig>
More information about the pkg-java-maintainers
mailing list