Markus Koschany <a...@debian.org> writes:

> Package: freeplane
> X-Debbugs-CC: t...@security.debian.org
> X-Debbugs-CC: fnat...@gmx.net
> Severity: important
> Tags: security
>
> Hi,

hello Markus,

> the following vulnerability was published for freeplane. Apparently only
> stretch/jessie/wheezy might be affected.

Thank you for paying attention to this; I completely overlooked this!

> @Felix
> Can you tell us more about this vulnerability? There only seems to be a
> reference in freeplane's wiki.

I think it is very well explained here:
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing

In short: external entities are "includes" for XML documents that can be
specified in DTDs.

Here is the commit that should fix it:
https://github.com/freeplane/freeplane/commit/a5dce7f9f

> https://www.freeplane.org/wiki/index.php/XML_External_Entity_vulnerability_in_map_parser
>
> CVE-2018-1000069[0]:
> | FreePlane version 1.5.9 and earlier contains an XML External Entity
> | (XXE) vulnerability in XML Parser in mindmap loader that can result in
> | stealing data from victim's machine. This attack appears to require
> | the victim to open a specially crafted mind map file. This
> | vulnerability appears to have been fixed in 1.6+.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2018-1000069
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000069
>
> Please adjust the affected versions in the BTS as needed.

I can confirm that the fix is in 1.5.20 and 1.6.1, so it's true that wheezy,
jessie and stretch are affected.

Shall I add the patch in git branches from the debian/X tags here?
https://anonscm.debian.org/cgit/pkg-java/freeplane.git

Or did you want to do this, Markus?

I will read more about security updates on the weekend.

Cheers and Best Regards,
--
Felix Natter
debian/rules!
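The mechanism Felix describes above (an external entity declared in the map's DTD and pulled into the document when the map is parsed), as an added example that is not part of this thread, not Freeplane's code and not the referenced fix commit: a constructed mind map whose DTD declares an entity pointing at a local file, parsed once with a default JDK SAXParserFactory and once with DOCTYPE and external-entity handling switched off. The map layout, file names and the particular hardening features used here are my assumptions about how such a parser is typically locked down; what the Freeplane commit actually changes is not reproduced here.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class FreeplaneXxeDemo {

    // Constructed sample (assumption: a minimal Freeplane-style .mm file).
    // The DTD declares an external general entity pointing at a local file and
    // references it inside <richcontent>, which carries node text as HTML.
    // An entity reference in an attribute value such as TEXT="&leak;" would be a
    // well-formedness error, so element content is where an attacker puts it.
    static String craftedMap(Path secretFile) {
        return "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
             + "<!DOCTYPE map [\n"
             + "  <!ENTITY leak SYSTEM \"" + secretFile.toUri() + "\">\n"
             + "]>\n"
             + "<map version=\"1.5.9\">\n"
             + "  <node ID=\"ID_1\" TEXT=\"root\">\n"
             + "    <richcontent TYPE=\"NODE\"><html><body><p>&leak;</p></body></html></richcontent>\n"
             + "  </node>\n"
             + "</map>\n";
    }

    // Collects all character data the parser hands us, i.e. the node's rich
    // text after entity expansion.
    static final class TextCollector extends DefaultHandler {
        final StringBuilder text = new StringBuilder();

        @Override
        public void characters(char[] ch, int start, int length) {
            text.append(ch, start, length);
        }
    }

    // Parses the map with a JDK SAXParserFactory. With hardened == false the
    // factory defaults apply, which (in the JDK's bundled Xerces) resolve
    // external entities. With hardened == true the DOCTYPE is rejected outright
    // and, as defence in depth, entity and DTD fetching is disabled too.
    // Feature names are the standard SAX/Xerces ones, not Freeplane's own config.
    static String parseMap(String xml, boolean hardened) throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        if (hardened) {
            factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
            factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        }
        SAXParser parser = factory.newSAXParser();
        TextCollector handler = new TextCollector();
        parser.parse(new InputSource(new StringReader(xml)), handler);
        return handler.text.toString().trim();
    }

    public static void main(String[] args) throws Exception {
        // Constructed "secret" standing in for a file on the victim's machine.
        Path secretFile = Files.createTempFile("xxe-demo", ".txt");
        Files.write(secretFile, "SECRET-TOKEN".getBytes(StandardCharsets.UTF_8));
        try {
            String xml = craftedMap(secretFile);
            // Default parser: the file's content ends up in the node text, and the
            // application would display it or carry it wherever the map is sent.
            System.out.println("default parser : " + parseMap(xml, false));
            // Hardened parser: the DOCTYPE itself is refused, so no entity is ever declared.
            try {
                System.out.println("hardened parser: " + parseMap(xml, true));
            } catch (SAXParseException e) {
                System.out.println("hardened parser: rejected the map (" + e.getMessage() + ")");
            }
        } finally {
            Files.delete(secretFile);
        }
    }
}
```

Compile and run with `javac FreeplaneXxeDemo.java && java FreeplaneXxeDemo`; it needs nothing beyond the JDK, since the JDK ships its own Xerces. The default run shows the temp file's content inside the node text; the hardened run throws a SAXParseException at the DOCTYPE. Reading a local file into the map is only the first half of "stealing data": a real attack pairs it with an out-of-band channel (a second entity fetching a remote URL built from the first), which is exactly why refusing the DOCTYPE, rather than only disabling general entities, is the setting to reach for in a parser that never needs a DTD.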