I think, the 20191227 version already included the fix? I'll prepare an empty draft news for when you all are ready.
> Gesendet: Dienstag, 31. Dezember 2019 um 10:30 Uhr > Von: "Michael T. Pope" <mp...@computer.org> > An: freecol-developers@lists.sourceforge.net > Betreff: Re: [Freecol-developers] FreeCol XXE Vulnerability > > Here is some text (markdown) for the website wranglers to consider adding > as a news item. I made a lame effort to build a proof-of-concept exploit, > but lost interest fairly quickly. I remain unconvinced we need to backport > to 0.11.6 and release 0.11.7 given the low level of threat posed, but am > interested in other opinions (and/or volunteers). > > Cheers, > Mike Pope > > ----------------- > FreeCol 0.11.6 and subsequent development versions up to 20191227 are > subject to an XML External Entity parsing bug, due to use of a > vulnerable Java library, as detailed in > [CVE-2018-1000825](https://www.cvedetails.com/cve/CVE-2018-1000825/). > > According to the CVE the bug can lead to disclosure of confidential > data, denial of service, SSRF, or port scanning, albeit with limited > attacker control. > > Exploiting the bug requires convincing a player to load a specially > crafted FreeCol save game, either directly or by joining a hostile > FreeCol server. > > The FreeCol team are unaware of any actual cases of this bug being > exploited. It is fixed in the [nightly > releases](https://github.com/FreeCol/freecol/releases) > from 20191229 onward. _______________________________________________ Freecol-developers mailing list Freecol-developers@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/freecol-developers
