Hi, I edited the dates and put it into the attached file. I hope the mailing list allows attachments. Should it be mentioned that even older versions are affected and which? When should people upgrade? Please, see if everything looks alright!
I'll merge the Jekyll changes for the website now, to allow using markdown for the news. Greetings wintertime > Gesendet: Dienstag, 31. Dezember 2019 um 11:25 Uhr > Von: win...@genial.ms > An: "Michael T. Pope" <mp...@computer.org> > Cc: freecol-developers@lists.sourceforge.net > Betreff: Re: [Freecol-developers] FreeCol XXE Vulnerability > > I think, the 20191227 version already included the fix? > I'll prepare an empty draft news for when you all are ready. > > > Gesendet: Dienstag, 31. Dezember 2019 um 10:30 Uhr > > Von: "Michael T. Pope" <mp...@computer.org> > > An: freecol-developers@lists.sourceforge.net > > Betreff: Re: [Freecol-developers] FreeCol XXE Vulnerability > > > > Here is some text (markdown) for the website wranglers to consider adding > > as a news item. I made a lame effort to build a proof-of-concept exploit, > > but lost interest fairly quickly. I remain unconvinced we need to backport > > to 0.11.6 and release 0.11.7 given the low level of threat posed, but am > > interested in other opinions (and/or volunteers). > > > > Cheers, > > Mike Pope > > > > ----------------- > > FreeCol 0.11.6 and subsequent development versions up to 20191227 are > > subject to an XML External Entity parsing bug, due to use of a > > vulnerable Java library, as detailed in > > [CVE-2018-1000825](https://www.cvedetails.com/cve/CVE-2018-1000825/). > > > > According to the CVE the bug can lead to disclosure of confidential > > data, denial of service, SSRF, or port scanning, albeit with limited > > attacker control. > > > > Exploiting the bug requires convincing a player to load a specially > > crafted FreeCol save game, either directly or by joining a hostile > > FreeCol server. > > > > The FreeCol team are unaware of any actual cases of this bug being > > exploited. It is fixed in the [nightly > > releases](https://github.com/FreeCol/freecol/releases) > > from 20191229 onward. >
2019-12-31-freecol-xxe-vulnerability-fixed.md
Description: Binary data
_______________________________________________ Freecol-developers mailing list Freecol-developers@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/freecol-developers
