Your message dated Sun, 22 Apr 2018 14:50:35 +0000
with message-id <[email protected]>
and subject line Bug#893663: fixed in freeplane 1.5.18-1+deb9u1
has caused the Debian Bug report #893663,
regarding freeplane: CVE-2018-1000069 XXE vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
893663: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=893663
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: freeplane
X-Debbugs-CC: [email protected]
X-Debbugs-CC: [email protected]
Severity: important
Tags: security

Hi,

the following vulnerability was published for freeplane. Apparently only
stretch/jessie/wheezy might be affected.

@Felix
Can you tell us more about this vulnerability? There only seems to be a
reference in freeplane's wiki.

https://www.freeplane.org/wiki/index.php/XML_External_Entity_vulnerability_in_map_parser

CVE-2018-1000069[0]:
| FreePlane version 1.5.9 and earlier contains an XML External Entity
| (XXE) vulnerability in XML Parser in mindmap loader that can result in
| stealing data from victim's machine. This attack appears to require
| the victim to open a specially crafted mind map file. This
| vulnerability appears to have been fixed in 1.6+.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-1000069
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000069

Please adjust the affected versions in the BTS as needed.

Attachment: signature.asc
Description: OpenPGP digital signature


--- End Message ---
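The vulnerability class the CVE text above describes, as an added example that is not part of the bug report or of Freeplane's code: an external entity declared in the map file's DTD is expanded by the loader into node content, so merely opening a crafted .mm file copies a local file into the parsed document, from where it can leave the machine (for example through a later save, export or sync). Python's xml.sax, an expat-backed SAX2 parser, stands in for the Java SAX parser behind Freeplane's mindmap loader; the feature it toggles, external-general-entities, is the same SAX2 feature URI a Java XMLReader exposes. The map skeleton (map/node/richcontent), the secret file, and the helper and class names are constructed for the illustration; the page does not say which hardening the 1.6 fix applied, so both common fixes are shown.

```python
"""XXE in a SAX-based mind map loader: the vulnerable parser setup beside
two hardened ones (added example; not Freeplane's code)."""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import (ContentHandler, feature_external_ges,
                             property_lexical_handler)

SECRET = "SECRET-TOKEN-4242"  # constructed stand-in for a file on the victim's disk


class DoctypeRejected(Exception):
    """Raised when a map carries a DOCTYPE (assumed: no legitimate .mm file needs one)."""


class TextCollector(ContentHandler):
    """Collects character data; an expanded entity's text ends up here."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


class NoDoctype:
    """Minimal lexical handler: the five callbacks xml.sax's expat reader wires up."""

    def startDTD(self, name, public_id, system_id):
        raise DoctypeRejected(f"DOCTYPE {name!r} not allowed in a map file")

    def endDTD(self): pass
    def startCDATA(self): pass
    def endCDATA(self): pass
    def comment(self, content): pass


def write_secret_file() -> str:
    """Create the constructed 'sensitive' file the crafted map will try to read."""
    fd, path = tempfile.mkstemp(prefix="victim-", suffix=".txt")
    with os.fdopen(fd, "w") as f:
        f.write(SECRET)
    return path


def crafted_map(secret_path: str) -> bytes:
    # Constructed malicious map. The reference must sit in element content
    # (XML forbids external entity references inside attribute values), so it
    # goes into a richcontent element rather than into the TEXT attribute.
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE map [
  <!ENTITY xxe SYSTEM "file://{secret_path}">
]>
<map version="freeplane 1.5.9">
  <node TEXT="root">
    <node><richcontent TYPE="NODE">&xxe;</richcontent></node>
  </node>
</map>""".encode()


BENIGN_MAP = b"""<?xml version="1.0" encoding="UTF-8"?>
<map version="freeplane 1.5.9">
  <node TEXT="root"><node><richcontent TYPE="NODE">plain text</richcontent></node></node>
</map>"""


def load_map_text(data: bytes, *, external_entities: bool, reject_doctype: bool) -> str:
    """Parse a map and return its concatenated, stripped text content.

    external_entities=True reproduces the vulnerable configuration.
    reject_doctype=True is the stricter fix: refuse any DTD outright, which
    also blocks entity-expansion (billion laughs) payloads.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, external_entities)
    if reject_doctype:
        parser.setProperty(property_lexical_handler, NoDoctype())
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(data))
    return "".join(collector.chunks).strip()


def demo() -> dict:
    """Run the crafted and the benign map through the configurations."""
    secret_path = write_secret_file()
    try:
        evil = crafted_map(secret_path)
        results = {
            "vulnerable": load_map_text(evil, external_entities=True, reject_doctype=False),
            "entities_off": load_map_text(evil, external_entities=False, reject_doctype=False),
            "benign_strict": load_map_text(BENIGN_MAP, external_entities=False, reject_doctype=True),
        }
        try:
            load_map_text(evil, external_entities=False, reject_doctype=True)
            results["strict"] = "parsed"
        except DoctypeRejected:
            results["strict"] = "rejected"
    finally:
        os.unlink(secret_path)
    return results


if __name__ == "__main__":
    for mode, text in demo().items():
        print(f"{mode:14s} -> {text!r}")
```

In the vulnerable configuration the node text comes back as the secret file's contents; with external general entities disabled the entity expands to nothing; with the DOCTYPE rejected the crafted map is refused while the benign map still loads. On a Java XMLReader the equivalent switches are setFeature("http://xml.org/sax/features/external-general-entities", false) and, on Xerces-based parsers, setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); the latter is the safer default for a format whose files are assumed here never to declare a DTD. Recent Python releases already default feature_external_ges to off, which is why the example sets it explicitly in both directions.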
--- Begin Message ---
Source: freeplane
Source-Version: 1.5.18-1+deb9u1

We believe that the bug you reported is fixed in the latest version of
freeplane, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Felix Natter <[email protected]> (supplier of updated freeplane package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 01 Apr 2018 17:55:27 +0200
Source: freeplane
Binary: freeplane freeplane-scripting-api
Architecture: source all
Version: 1.5.18-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Felix Natter <[email protected]>
Description:
 freeplane  - Java program for working with Mind Maps
 freeplane-scripting-api - Java program for working with Mind Maps (groovy scripting API)
Closes: 893663
Changes:
 freeplane (1.5.18-1+deb9u1) stretch-security; urgency=high
 .
   * Fix CVE-2018-1000069: Wojciech Reguła discovered that FreePlane was
     affected by an XML External Entity (XXE) vulnerability in its mindmap
     loader that could compromise a user's machine by opening a specially
     crafted mind map file. (Closes: #893663)
Checksums-Sha1:
 7fc64bd1219fef8773144310d03ac031617fb7cc 2763 freeplane_1.5.18-1+deb9u1.dsc
 8ae540e4fa09b7323c219a24cee23d531f24c90a 8976826 freeplane_1.5.18.orig.tar.gz
 0c912622bbd38083ecad9346aceba76ed69c10b7 25664 freeplane_1.5.18-1+deb9u1.debian.tar.xz
 315f7916ebb42f6e23b93cf02fedb3762e1ecf47 83382 freeplane-scripting-api_1.5.18-1+deb9u1_all.deb
 76a19eb8f93a1737c1ab7244c2aebe3fc18dd3c8 10611804 freeplane_1.5.18-1+deb9u1_all.deb
 371538da2d0f4a43a58d2dde3def93cb7508ca4c 16651 freeplane_1.5.18-1+deb9u1_amd64.buildinfo
Checksums-Sha256:
 8eb42ed893d6ac804508c7c0bd46b7b059c85b432dfae7e52b5b332971f601c9 2763 freeplane_1.5.18-1+deb9u1.dsc
 d0eef445f228c798271a10e6c7ae7f64d04cebf90738445e0b5d955b0b2b391a 8976826 freeplane_1.5.18.orig.tar.gz
 f5dc1c5301b9aeca3868128bbcb7a91228480488f013266e4ba59acabc512c05 25664 freeplane_1.5.18-1+deb9u1.debian.tar.xz
 789e08ddfca64e9c7bfee36f19c6732f0ee22d3dc84d0450c3129ff814396d08 83382 freeplane-scripting-api_1.5.18-1+deb9u1_all.deb
 431a1f5600a20106ad5932aec71f1fbf567a37838259c763c019bfc198768f5a 10611804 freeplane_1.5.18-1+deb9u1_all.deb
 299a5f067eda7fb74c9cf08b551f4e21af60b880f985b410a41d80ffd1905d4b 16651 freeplane_1.5.18-1+deb9u1_amd64.buildinfo
Files:
 5b25f52cf1a08404fd9f5869634e7363 2763 editors extra freeplane_1.5.18-1+deb9u1.dsc
 26fe3c209a1c22e2a67990f066679edf 8976826 editors extra freeplane_1.5.18.orig.tar.gz
 594ba9b02ecc3debe35bc09e55eacd3c 25664 editors extra freeplane_1.5.18-1+deb9u1.debian.tar.xz
 29e1796804cb3414d81aad8acf44742e 83382 doc extra freeplane-scripting-api_1.5.18-1+deb9u1_all.deb
 a7736317fafb3344e7f9761e925e5927 10611804 editors extra freeplane_1.5.18-1+deb9u1_all.deb
 573a979036e65e38507c4f8619161539 16651 editors extra freeplane_1.5.18-1+deb9u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---