Bug#926088: robocode: CVE-2019-10648
Salvatore Bonaccorso
carnil at debian.org
Sun Mar 31 13:33:47 BST 2019
Source: robocode
Version: 1.9.3.3-1
Severity: important
Tags: security upstream
Forwarded: https://sourceforge.net/p/robocode/bugs/406/
Hi,
The following vulnerability was published for robocode.
CVE-2019-10648[0]:
| Robocode through 1.9.3.5 allows remote attackers to cause external
| service interaction (DNS), as demonstrated by a query for a unique
| subdomain name within an attacker-controlled DNS zone, because of a
| .openStream call within java.net.URL.
The respective upstream issue[2] is unfortunatley forbidden to access
but the commit [3] is associatd with it. Not sure on the severity so
choosing important for now.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-10648
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10648
[1] https://sourceforge.net/p/robocode/bugs/406/
[2] https://github.com/robo-code/robocode/commit/836c84635e982e74f2f2771b2c8640c3a34221bd#diff-0296a8f9d4a509789f4dc4f052d9c36f
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
More information about the pkg-java-maintainers
mailing list