Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability

2018-04-11 Thread Markus Koschany
Hello,
I am currently in the process of uploading freeplane to security master.
Regards,
Markus

Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability

2018-04-11 Thread Sébastien Delafond
On Apr/10, Felix Natter wrote:
> Yes and no. On jessie the patch did not cleanly apply, so I would have
> had to apply that change manually. Since removing the import has no
> effect on the semantics of the program (as long as it still compiles),
> I was too lazy.
It should be ok. Let's leave it

Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability

2018-04-10 Thread Felix Natter
Salvatore Bonaccorso writes:
> Hi Felix,
hello Salvatore,
> Sorry for the delay in getting back to you.
>
> On Fri, Apr 06, 2018 at 09:40:40PM +0200, Felix Natter wrote:
>> hello Security Team,
>>
>> here are the CVE-2018-169 security updates for jessie and stretch:
>>

Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability

2018-04-09 Thread Salvatore Bonaccorso
Hi Felix,
Sorry for the delay in getting back to you.
On Fri, Apr 06, 2018 at 09:40:40PM +0200, Felix Natter wrote:
> hello Security Team,
>
> here are the CVE-2018-169 security updates for jessie and stretch:
>
> [jessie]
>

Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability

2018-04-06 Thread Salvatore Bonaccorso
Hi Felix,
On Fri, Apr 06, 2018 at 09:40:40PM +0200, Felix Natter wrote:
> hello Security Team,
>
> here are the CVE-2018-169 security updates for jessie and stretch:
>
> [jessie]
> https://anonscm.debian.org/cgit/pkg-java/freeplane.git/log/?h=jessie-CVE-2018-169
>

Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability

2018-04-06 Thread Felix Natter
hello Security Team,
here are the CVE-2018-169 security updates for jessie and stretch:
[jessie]
https://anonscm.debian.org/cgit/pkg-java/freeplane.git/log/?h=jessie-CVE-2018-169
(jessie-CVE-2018-169 branch)
[stretch]

Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability

2018-04-03 Thread Felix Natter
Salvatore Bonaccorso writes:
> Hi Felix,
hello Salvatore,
> On Sun, Apr 01, 2018 at 06:04:27PM +0200, Markus Koschany wrote:
>>
>>
>> On 01.04.2018 at 17:57, Felix Natter wrote:
>> [...]
>> > Thanks, done.
>> > BTW: Is it ok to close the bug with the stretch-security

Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability

2018-04-03 Thread Salvatore Bonaccorso
Hi Felix,
On Sun, Apr 01, 2018 at 06:04:27PM +0200, Markus Koschany wrote:
>
>
> On 01.04.2018 at 17:57, Felix Natter wrote:
> [...]
> > Thanks, done.
> > BTW: Is it ok to close the bug with the stretch-security upload even if
> > the jessie-security upload is still pending?
>
> Yes, that's

Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability

2018-04-01 Thread Markus Koschany
On 01.04.2018 at 17:57, Felix Natter wrote:
[...]
> Thanks, done.
> BTW: Is it ok to close the bug with the stretch-security upload even if
> the jessie-security upload is still pending?
Yes, that's ok. You can close the bug with both uploads.
> What is there to do next?
As soon as the

Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability

2018-04-01 Thread Felix Natter
Markus Koschany writes:
> Hi Felix,
hello Markus,
> On 01.04.2018 at 16:23, Felix Natter wrote:
>> hello Markus,
>>
>> I have prepared the patched 1.5.18-1+deb9u1 for stretch
>> I hope I got the version number right? The changelog entry is probably
>> not correct either. Can

Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability

2018-04-01 Thread Markus Koschany
Hi Felix,
On 01.04.2018 at 16:23, Felix Natter wrote:
> hello Markus,
>
> I have prepared the patched 1.5.18-1+deb9u1 for stretch
> I hope I got the version number right? The changelog entry is probably
> not correct either. Can you advise what to read?
>
> I briefly tested saving+loading

Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability

2018-04-01 Thread Felix Natter
hello Markus,
I have prepared the patched 1.5.18-1+deb9u1 for stretch
I hope I got the version number right? The changelog entry is probably
not correct either. Can you advise what to read?
I briefly tested saving+loading mindmaps.
Here it is:

Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability

2018-03-24 Thread Markus Koschany
On 24.03.2018 at 11:32, Felix Natter wrote:
[...]
> Since I am hiking this weekend, would it be possible to do this as the
> first thing on the Easter weekend (next Friday)? I also need to fix the
> knopflerfish RC bug (#893221), I will look into that this morning.
>
> BTW: I *think* the

Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability

2018-03-24 Thread Felix Natter
Markus Koschany writes:
> On 22.03.2018 at 20:52, Felix Natter wrote:
>> Markus Koschany writes:
>>
>>> Package: freeplane
>>> X-Debbugs-CC: t...@security.debian.org
>>> X-Debbugs-CC: fnat...@gmx.net
>>> Severity: important
>>> Tags: security
>>>
>>> Hi,
>>

Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability

2018-03-22 Thread Markus Koschany
On 22.03.2018 at 20:52, Felix Natter wrote:
> Markus Koschany writes:
>
>> Package: freeplane
>> X-Debbugs-CC: t...@security.debian.org
>> X-Debbugs-CC: fnat...@gmx.net
>> Severity: important
>> Tags: security
>>
>> Hi,
>
> hello Markus,
>
>> the following vulnerability was

Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability

2018-03-22 Thread Felix Natter
Markus Koschany writes:
> Package: freeplane
> X-Debbugs-CC: t...@security.debian.org
> X-Debbugs-CC: fnat...@gmx.net
> Severity: important
> Tags: security
>
> Hi,
hello Markus,
> the following vulnerability was published for freeplane. Apparently only
> stretch/jessie/wheezy

Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability

2018-03-21 Thread Salvatore Bonaccorso
Looking at the release-1.5.20 tag:
  Security fix related to scripts and formulas
  Security fix related to loading of mind map files
  Change short cuts for MacOS to avoid collisions
The fix might be:
https://github.com/freeplane/freeplane/commit/a5dce7f9f4d29675fb256053aee3858bf8d76001
Regards,

Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability

2018-03-21 Thread Salvatore Bonaccorso
For reference: the issue is linked from the security advisory page at https://www.freeplane.org/wiki/index.php/Fixed_security_vulnerabilities . Although there is unfortunately no reference to the fixing commit (which would have been good for downstreams to help), we know the versions fixed are

Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability

2018-03-20 Thread Markus Koschany
Package: freeplane
X-Debbugs-CC: t...@security.debian.org
X-Debbugs-CC: fnat...@gmx.net
Severity: important
Tags: security
Hi,
the following vulnerability was published for freeplane. Apparently only stretch/jessie/wheezy might be affected.
@Felix Can you tell us more about this vulnerability?