Re: [Freecol-developers] FreeCol XXE Vulnerability
On Tue, 14 Jan 2020 09:15:42 +0100 win...@genial.ms wrote:

> As far as the discussion had gone, which we had about doing
> 0.12.0 soon, are there any annoying+blocking bugs left?

I am working through the github issues. I want to at least look at them before we have a semi-official-tentative-alpha release.

> - Is the fix to the returning from Europe bug sufficient
> or is it necessary to do something for the very few cases
> where in a save the ship was already in Europe?

I have not properly understood that one yet.

> - I'd like to see https://github.com/FreeCol/freecol/issues/15
> fixed, cause it is irritating to play like that

You are in luck, I got to that one today: git.e7a40b4. It was indeed very annoying, and alas a result of me having to stop work mid-project.

Cheers,
Mike Pope

___
Freecol-developers mailing list
Freecol-developers@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/freecol-developers
Re: [Freecol-developers] FreeCol XXE Vulnerability
Hi,

> Sent: Monday, 13 January 2020 at 23:10
> From: "Michael T. Pope"
> To: win...@genial.ms
> Subject: Re: [Freecol-developers] FreeCol XXE Vulnerability
>
> By all means go ahead with the website changes.

I had to update the post date, then I committed it and freshly uploaded the website. I also put the news item on the project page: https://sourceforge.net/p/freecol/news/

As far as the discussion had gone, which we had about doing 0.12.0 soon, are there any annoying+blocking bugs left?

- Is the fix to the returning from Europe bug sufficient or is it necessary to do something for the very few cases where in a save the ship was already in Europe?
- I'd like to see https://github.com/FreeCol/freecol/issues/15 fixed, cause it is irritating to play like that, but if 0.12.1 would come fast it should be ok to fix it later.

Greetings
wintertime
Re: [Freecol-developers] FreeCol XXE Vulnerability
Hi,

I added a sentence on older versions to the news, the new file is attached. Please, proofread!

You may want to change the file name to have a different date, but you can just drop the file into the _posts directory and compile the website with Jekyll, as it contains the necessary YAML header. All links should automatically be updated, though it may be better to double-check the links in the homepage, news index and sitemap, especially when you use the older Jekyll version. Running "gem update jekyll" should work correctly, because there are so many gems they should leave the option, no guarantees though as to how your distro modified stuff to make it incompatible.

It might be useful if you copy the non-header part of the text to https://sourceforge.net/p/freecol/news/ and use the same title, at the same time you do the website upload.

When I played a recent version it was kinda annoying with the green cursor switching to terrain often and not being able to see the next unit or turn end info on the lower right. It also did not blink. Otherwise it seemed playable (in the short time I tried it), now that the not being able to return from Europe bug is nearly fixed (old savegames with the ship already in Europe stay broken). So, putting out 0.12.0 may be a good choice, considering 0.11.6 also contains a number of bugs discovered and fixed meanwhile.

Greetings
wintertime

> Sent: Wednesday, 01 January 2020 at 06:26
> From: "Michael T. Pope"
> To: "FreeCol Developers"
> Subject: Re: [Freecol-developers] FreeCol XXE Vulnerability
>
> On Tue, 31 Dec 2019 02:06:21 -0800
> David Lewis wrote:
> > I think we might be okay to start releasing RC versions of 0.12 right away,
> > since "0.x" implies beta, we don't need to necessarily support the 0.11
> > line, and thus don't need to worry about backporting fixes, so long as we
> > release an update that contains the fixes that folks can upgrade to.
>
> I have been working through the bug list and while there are indeed new
> annoying open issues, perhaps the CVE-fix is enough reason to just forge
> ahead.
>
> > [wintertime, regarding the news item]
> > Should it be mentioned that even older versions are affected and which?
>
> AFAICT the dodgy Java call has been in use since at least 0.10.0. Ironically,
> there used to be a lot more of them! I mentioned 0.11.6 explicitly because
> that is the only version we are really supporting at this point (i.e. if you
> report a bug in earlier FreeCol the first thing I want to know is if you have
> tried the current release). However feel free to say something like "All
> supported FreeCol releases prior to 20191227" or thereabouts.
>
> > When should people upgrade?
>
> Well I always tell people who just want to play FreeCol to use the latest
> stable release, and I would continue to say that. However that is just my
> opinion. Do we even want to make an Official Recommendation?
>
> Cheers,
> Mike Pope

Attachment: 2019-12-31-freecol-xxe-vulnerability-fixed.md
Re: [Freecol-developers] FreeCol XXE Vulnerability
On Tue, 31 Dec 2019 02:06:21 -0800 David Lewis wrote:

> I think we might be okay to start releasing RC versions of 0.12 right away,
> since "0.x" implies beta, we don't need to necessarily support the 0.11
> line, and thus don't need to worry about backporting fixes, so long as we
> release an update that contains the fixes that folks can upgrade to.

I have been working through the bug list and while there are indeed new annoying open issues, perhaps the CVE-fix is enough reason to just forge ahead.

> [wintertime, regarding the news item]
> Should it be mentioned that even older versions are affected and which?

AFAICT the dodgy Java call has been in use since at least 0.10.0. Ironically, there used to be a lot more of them! I mentioned 0.11.6 explicitly because that is the only version we are really supporting at this point (i.e. if you report a bug in earlier FreeCol the first thing I want to know is if you have tried the current release). However feel free to say something like "All supported FreeCol releases prior to 20191227" or thereabouts.

> When should people upgrade?

Well I always tell people who just want to play FreeCol to use the latest stable release, and I would continue to say that. However that is just my opinion. Do we even want to make an Official Recommendation?

Cheers,
Mike Pope
Re: [Freecol-developers] FreeCol XXE Vulnerability
Hi,

I edited the dates and put it into the attached file. I hope the mailing list allows attachments.

Should it be mentioned that even older versions are affected and which? When should people upgrade?

Please, see if everything looks alright! I'll merge the Jekyll changes for the website now, to allow using markdown for the news.

Greetings
wintertime

> Sent: Tuesday, 31 December 2019 at 11:25
> From: win...@genial.ms
> To: "Michael T. Pope"
> Cc: freecol-developers@lists.sourceforge.net
> Subject: Re: [Freecol-developers] FreeCol XXE Vulnerability
>
> I think, the 20191227 version already included the fix?
> I'll prepare an empty draft news for when you all are ready.
>
> > Sent: Tuesday, 31 December 2019 at 10:30
> > From: "Michael T. Pope"
> > To: freecol-developers@lists.sourceforge.net
> > Subject: Re: [Freecol-developers] FreeCol XXE Vulnerability
> >
> > Here is some text (markdown) for the website wranglers to consider adding
> > as a news item. I made a lame effort to build a proof-of-concept exploit,
> > but lost interest fairly quickly. I remain unconvinced we need to backport
> > to 0.11.6 and release 0.11.7 given the low level of threat posed, but am
> > interested in other opinions (and/or volunteers).
> >
> > Cheers,
> > Mike Pope
> >
> > -
> > FreeCol 0.11.6 and subsequent development versions up to 20191227 are
> > subject to an XML External Entity parsing bug, due to use of a
> > vulnerable Java library, as detailed in
> > [CVE-2018-1000825](https://www.cvedetails.com/cve/CVE-2018-1000825/).
> >
> > According to the CVE the bug can lead to disclosure of confidential
> > data, denial of service, SSRF, or port scanning, albeit with limited
> > attacker control.
> >
> > Exploiting the bug requires convincing a player to load a specially
> > crafted FreeCol save game, either directly or by joining a hostile
> > FreeCol server.
> >
> > The FreeCol team are unaware of any actual cases of this bug being
> > exploited. It is fixed in the [nightly
> > releases](https://github.com/FreeCol/freecol/releases)
> > from 20191229 onward.

Attachment: 2019-12-31-freecol-xxe-vulnerability-fixed.md
Re: [Freecol-developers] FreeCol XXE Vulnerability
I think, the 20191227 version already included the fix?
I'll prepare an empty draft news for when you all are ready.

> Sent: Tuesday, 31 December 2019 at 10:30
> From: "Michael T. Pope"
> To: freecol-developers@lists.sourceforge.net
> Subject: Re: [Freecol-developers] FreeCol XXE Vulnerability
>
> Here is some text (markdown) for the website wranglers to consider adding
> as a news item. I made a lame effort to build a proof-of-concept exploit,
> but lost interest fairly quickly. I remain unconvinced we need to backport
> to 0.11.6 and release 0.11.7 given the low level of threat posed, but am
> interested in other opinions (and/or volunteers).
>
> Cheers,
> Mike Pope
>
> -
> FreeCol 0.11.6 and subsequent development versions up to 20191227 are
> subject to an XML External Entity parsing bug, due to use of a
> vulnerable Java library, as detailed in
> [CVE-2018-1000825](https://www.cvedetails.com/cve/CVE-2018-1000825/).
>
> According to the CVE the bug can lead to disclosure of confidential
> data, denial of service, SSRF, or port scanning, albeit with limited
> attacker control.
>
> Exploiting the bug requires convincing a player to load a specially
> crafted FreeCol save game, either directly or by joining a hostile
> FreeCol server.
>
> The FreeCol team are unaware of any actual cases of this bug being
> exploited. It is fixed in the [nightly
> releases](https://github.com/FreeCol/freecol/releases)
> from 20191229 onward.
Re: [Freecol-developers] FreeCol XXE Vulnerability
Here is some text (markdown) for the website wranglers to consider adding as a news item. I made a lame effort to build a proof-of-concept exploit, but lost interest fairly quickly. I remain unconvinced we need to backport to 0.11.6 and release 0.11.7 given the low level of threat posed, but am interested in other opinions (and/or volunteers).

Cheers,
Mike Pope

-

FreeCol 0.11.6 and subsequent development versions up to 20191227 are subject to an XML External Entity parsing bug, due to use of a vulnerable Java library, as detailed in [CVE-2018-1000825](https://www.cvedetails.com/cve/CVE-2018-1000825/).

According to the CVE the bug can lead to disclosure of confidential data, denial of service, SSRF, or port scanning, albeit with limited attacker control.

Exploiting the bug requires convincing a player to load a specially crafted FreeCol save game, either directly or by joining a hostile FreeCol server.

The FreeCol team are unaware of any actual cases of this bug being exploited. It is fixed in the [nightly releases](https://github.com/FreeCol/freecol/releases) from 20191229 onward.
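The class of bug the news item above describes, as an added example that is not FreeCol's code and not the fix the thread refers to: a constructed save-game-like XML document carrying an external entity declaration, parsed once with a default-configured JDK StAX factory and once with a factory hardened by disabling DTD support and external entity resolution. The element names, the `savedGame` structure, the `/etc/hostname` target and the class name are all hypothetical. The exact outcome on the hardened path (the DOCTYPE being rejected, or the reference being left unexpanded and `getElementText()` failing) depends on the StAX implementation; in either case the file is never opened.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class XxeSaveGameDemo {

    // Constructed input (not a real FreeCol save): a DTD declaring an external
    // entity that points at a local file, referenced from element content.
    // An external entity reference inside an attribute value is a
    // well-formedness error, so an attacker has to place it in element text.
    static final String CRAFTED_SAVE =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE savedGame [\n"
        + "  <!ENTITY xxe SYSTEM \"file:///etc/hostname\">\n"
        + "]>\n"
        + "<savedGame version=\"0.11.6\">\n"
        + "  <player><name>&xxe;</name></player>\n"
        + "</savedGame>\n";

    /** Default factory: the JDK's StAX implementation resolves external entities. */
    static XMLInputFactory defaultFactory() {
        return XMLInputFactory.newInstance();
    }

    /** Hardened factory: no DTD processing and no external entity expansion. */
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return f;
    }

    /** Return the text of the first <name> element, or null if there is none. */
    static String readPlayerName(XMLInputFactory factory, String xml)
            throws XMLStreamException {
        XMLStreamReader r = factory.createXMLStreamReader(new StringReader(xml));
        try {
            while (r.hasNext()) {
                if (r.next() == XMLStreamConstants.START_ELEMENT
                        && "name".equals(r.getLocalName())) {
                    return r.getElementText();
                }
            }
            return null;
        } finally {
            r.close();
        }
    }

    static void report(String label, XMLInputFactory factory) {
        try {
            System.out.println(label + ": name = " + readPlayerName(factory, CRAFTED_SAVE));
        } catch (XMLStreamException e) {
            System.out.println(label + ": parse rejected: " + e.getMessage());
        }
    }

    public static void main(String[] args) {
        // Default configuration: the entity is resolved and the file contents
        // become the "player name", which the game would then carry in its
        // state or echo back over the network.
        report("default ", defaultFactory());
        // Hardened configuration: the DTD is not processed, so the reference
        // is either rejected or left unexpanded (implementation dependent);
        // either way the file is never read.
        report("hardened", hardenedFactory());
    }
}
```

Compile and run with a plain `javac XxeSaveGameDemo.java && java XxeSaveGameDemo`; no dependencies beyond the JDK. Disabling only `IS_SUPPORTING_EXTERNAL_ENTITIES` is enough to stop the file read and the SSRF case named in the CVE, but it still lets a DTD define internal entities, so recursive entity expansion (denial of service) stays possible; setting `SUPPORT_DTD` to `false` as well closes that too, which is why both properties are set here.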
Re: [Freecol-developers] FreeCol XXE Vulnerability
On Sat, 28 Dec 2019 01:02:33 +0100 "Sebastian Zhorel" wrote:

> Maybe it'd be faster to just backport the patch to stable branch and
> throw out 0.11.7, to skip doing long investigations?

That is an option, albeit a heavyweight one. I have forwarded this to the development list to solicit more opinion. Call me lazy, but an announcement that says "beware of running games from untrusted sources or servers" is probably enough.

> for people stuck with the old version (I wish we could just make the
> 0.12.0 release from master, but I guess that's still months away).

I am reviewing the bug list right now. There is still a nasty performance problem on large games, but we were in decent shape for an alpha release back when I had to step away earlier this year.

Cheers,
Mike Pope