Your message dated Sun, 22 Apr 2018 14:53:16 +0000
with message-id <[email protected]>
and subject line Bug#893663: fixed in freeplane 1.3.12-1+deb8u1
has caused the Debian Bug report #893663,
regarding freeplane: CVE-2018-1000069 XXE vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
893663: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=893663
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: freeplane
X-Debbugs-CC: [email protected]
X-Debbugs-CC: [email protected]
Severity: important
Tags: security

Hi,

the following vulnerability was published for freeplane. Apparently only
stretch/jessie/wheezy might be affected.

@Felix
Can you tell us more about this vulnerability? There only seems to be a
reference in freeplane's wiki.

https://www.freeplane.org/wiki/index.php/XML_External_Entity_vulnerability_in_map_parser

CVE-2018-1000069[0]:
| FreePlane version 1.5.9 and earlier contains an XML External Entity
| (XXE) vulnerability in XML Parser in mindmap loader that can result in
| stealing data from victim's machine. This attack appears to require
| the victim to open a specially crafted mind map file. This
| vulnerability appears to have been fixed in 1.6+.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-1000069
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000069

Please adjust the affected versions in the BTS as needed.

Attachment: signature.asc
Description: OpenPGP digital signature


--- End Message ---
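The XXE class described in the CVE text above is a parser-configuration problem: the mindmap loader lets the XML parser honour a DTD embedded in the file. As an added example (not Freeplane's code and not part of the bug report), here is a defensive Python loader for a Freeplane-style .mm document that refuses any DOCTYPE, entity declaration or external reference before anything is expanded; it assumes a legitimate map never needs a DTD, and the sample documents are constructed for this example.

```python
# Added example (not Freeplane's code): a .mm loader that refuses any DTD or
# entity before anything is expanded. Assumes a legitimate map never needs a
# DOCTYPE. Sample documents at the bottom are constructed.
import xml.parsers.expat


class UnsafeMindMap(ValueError):
    """Raised when a map declares a DTD, an entity or an external reference."""


def load_mindmap(data: bytes) -> list:
    """Return the TEXT of every <node>, or raise UnsafeMindMap."""
    texts = []
    parser = xml.parsers.expat.ParserCreate()

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeMindMap(f"DOCTYPE {name!r} is not allowed in a mind map")

    def reject_entity(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeMindMap(f"entity declaration {name!r} is not allowed")

    def reject_external(context, base, sysid, pubid):
        # Never fetch a file or URL on the user's behalf while loading a map.
        raise UnsafeMindMap(f"external entity {sysid!r} is not allowed")

    def on_start(tag, attrs):
        if tag == "node" and "TEXT" in attrs:
            texts.append(attrs["TEXT"])

    # Handlers fire at the declaration itself, before any entity content
    # could be expanded, so the exception stops the parse right there.
    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = reject_external
    parser.StartElementHandler = on_start
    parser.Parse(data, True)
    return texts


def is_safe_mindmap(data: bytes) -> bool:
    """True if the map loads without touching any DTD or entity machinery."""
    try:
        load_mindmap(data)
    except UnsafeMindMap:
        return False
    return True


# Constructed inputs: a benign map, and one whose DTD declares an external
# entity pointing at a placeholder path.
BENIGN_MAP = b'<map version="1.3.0"><node TEXT="root"><node TEXT="child"/></node></map>'
UNSAFE_MAP = (b'<!DOCTYPE map [<!ENTITY ext SYSTEM "file:///placeholder">]>'
              b'<map version="1.3.0"><node TEXT="&ext;"/></map>')
```

The same "no DTD at all" rule is what the Java-side fix amounts to when the parser's external-entity and DTD features are switched off; rejecting at the DOCTYPE is stricter than only disabling external fetches and also blocks internal entity expansion.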
--- Begin Message ---
Source: freeplane
Source-Version: 1.3.12-1+deb8u1

We believe that the bug you reported is fixed in the latest version of
freeplane, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Felix Natter <[email protected]> (supplier of updated freeplane package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 06 Apr 2018 14:20:40 -0400
Source: freeplane
Binary: freeplane libjortho-freeplane-java
Architecture: source all
Version: 1.3.12-1+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Felix Natter <[email protected]>
Description:
 freeplane  - Java program for working with Mind Maps
 libjortho-freeplane-java - Java spell-checking library
Closes: 893663
Changes:
 freeplane (1.3.12-1+deb8u1) jessie-security; urgency=high
 .
   * Fix CVE-2018-1000069: Wojciech Reguła discovered that FreePlane was
     affected by an XML External Entity (XXE) vulnerability in its mindmap
     loader that could compromise a user's machine by opening a specially
     crafted mind map file. (Closes: #893663)


--- End Message ---