Here is some text (markdown) for the website wranglers to consider adding as a news item. I made a lame effort to build a proof-of-concept exploit, but lost interest fairly quickly. I remain unconvinced we need to backport to 0.11.6 and release 0.11.7 given the low level of threat posed, but am interested in other opinions (and/or volunteers).
Cheers, Mike Pope

-----------------

FreeCol 0.11.6 and subsequent development versions up to 20191227 are subject to an XML External Entity parsing bug, due to use of a vulnerable Java library, as detailed in [CVE-2018-1000825](https://www.cvedetails.com/cve/CVE-2018-1000825/). According to the CVE the bug can lead to disclosure of confidential data, denial of service, SSRF, or port scanning, albeit with limited attacker control. Exploiting the bug requires convincing a player to load a specially crafted FreeCol save game, either directly or by joining a hostile FreeCol server. The FreeCol team are unaware of any actual cases of this bug being exploited. It is fixed in the [nightly releases](https://github.com/FreeCol/freecol/releases) from 20191229 onward.
Freecol-developers mailing list
Freecol-developers@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/freecol-developers