Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability
Markus Koschany
apo at debian.org
Thu Mar 22 22:39:06 UTC 2018
On 22.03.2018 at 20:52, Felix Natter wrote:
> Markus Koschany <apo at debian.org> writes:
>
>> Package: freeplane
>> X-Debbugs-CC: team at security.debian.org
>> X-Debbugs-CC: fnatter at gmx.net
>> Severity: important
>> Tags: security
>>
>> Hi,
>
> hello Markus,
>
>> the following vulnerability was published for freeplane. Apparently only
>> stretch/jessie/wheezy might be affected.
>
> Thank you for paying attention to this, I completely overlooked this!
Thanks for your reply!
>
>> @Felix
>> Can you tell us more about this vulnerability? There only seems to be a
>> reference in freeplane's wiki.
>
> I think it is very well explained here:
> https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
>
> In short: External identities are "includes" for XML documents that can
> be specified in DTDs.
>
> Here is the commit that should fix it:
> https://github.com/freeplane/freeplane/commit/a5dce7f9f
That's what we were looking for.
[...]
> I can confirm that the fix is in 1.5.20 and 1.6.1, so it's true that
> wheezy, jessie and stretch are affected.
>
> Shall I add the patch in git branches from the debian/X tags here?
> https://anonscm.debian.org/cgit/pkg-java/freeplane.git
> Or did you want to do this, Markus?
Please prepare updates for Jessie and Stretch if time permits and I will
upload the fix either as a security update, provided the security team
agrees, or as a point-update. I will take care of Wheezy myself.
>
> I will read more about security updates on the weekend.
>
> Cheers and Best Regards,
Cheers,
Markus
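As an added example (not freeplane's code and not the content of the linked commit), this is the kind of parser hardening that closes an XXE hole: a `DocumentBuilderFactory` configured to reject DOCTYPE declarations and external entities, run against a constructed mind-map-like document. The feature URIs are the standard Xerces/SAX ones; the class name, sample XML and the placeholder SYSTEM URL are constructed for this example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class XxeHardenedParser {

    // Builds a DOM parser that cannot load DTDs or resolve external entities.
    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Reject any <!DOCTYPE ...> outright: no DTD, no entity declarations.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth, should a DOCTYPE ever be allowed again.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Returns the root element name, or null if the hardened parser rejected the input.
    static String parseRoot(String xml) throws Exception {
        try {
            Document d = hardenedBuilder().parse(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return d.getDocumentElement().getTagName();
        } catch (SAXParseException e) {
            System.out.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed document that declares an external entity in its DTD;
        // the SYSTEM URL is a placeholder, not a real location.
        String withDoctype =
            "<?xml version=\"1.0\"?>\n" +
            "<!DOCTYPE map [<!ENTITY ext SYSTEM \"file:///placeholder/local-file\">]>\n" +
            "<map version=\"1.0\"><node TEXT=\"&ext;\"/></map>";
        // The same document without a DTD, as a normal save file would look.
        String plain = "<?xml version=\"1.0\"?><map version=\"1.0\"><node TEXT=\"hi\"/></map>";

        System.out.println("with DOCTYPE -> " + parseRoot(withDoctype));
        System.out.println("plain        -> " + parseRoot(plain));
    }
}
```

The first call is refused at the DOCTYPE before any entity can be resolved, while the plain document parses normally, which is the behaviour to verify after applying a fix of this kind.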