On 22.03.2018 at 20:52, Felix Natter wrote:
> Markus Koschany <a...@debian.org> writes:
>
>> Package: freeplane
>> X-Debbugs-CC: t...@security.debian.org
>> X-Debbugs-CC: fnat...@gmx.net
>> Severity: important
>> Tags: security
>>
>> Hi,
>
> hello Markus,
>
>> the following vulnerability was published for freeplane. Apparently only
>> stretch/jessie/wheezy might be affected.
>
> Thank you for paying attention to this, I completely overlooked this!

Thanks for your reply!

>
>> @Felix
>> Can you tell us more about this vulnerability? There only seems to be a
>> reference in freeplane's wiki.
>
> I think it is very well explained here:
> https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
>
> In short: External entities are "includes" for XML documents that can
> be specified in DTDs.
>
> Here is the commit that should fix it:
> https://github.com/freeplane/freeplane/commit/a5dce7f9f

That's what we were looking for.

[...]

> I can confirm that the fix is in 1.5.20 and 1.6.1, so it's true that
> wheezy, jessie and stretch are affected.
>
> Shall I add the patch in git branches from the debian/X tags here?
> https://anonscm.debian.org/cgit/pkg-java/freeplane.git
> Or did you want to do this, Markus?

Please prepare updates for Jessie and Stretch if time permits and I will
upload the fix either as a security update, provided the security team
agrees, or as a point-update. I will take care of Wheezy myself.

> I will read more about security updates on the weekend.
>
> Cheers and Best Regards,

Cheers,

Markus
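The mitigation Felix's OWASP link describes, shown as an added example that is not freeplane's code and not the content of commit a5dce7f9f: a JAXP `DocumentBuilder` configured so that a DOCTYPE (and therefore any external entity declared in a DTD) is refused before the parser resolves anything. The `HardenedXmlLoad` class, the two input documents and the `file:///placeholder` URI are constructed for this illustration.

```java
// Added example (not freeplane's code, not the referenced fix commit):
// hardening a JAXP DocumentBuilder so that DTDs, and with them external
// entities, are never processed. Both input documents are constructed.
import java.io.IOException;
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class HardenedXmlLoad {

    /** Builds a parser that rejects any DOCTYPE and never fetches external entities or DTDs. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Primary control: a document carrying a DOCTYPE is refused outright.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that still accept a DOCTYPE:
        // no external general/parameter entities, no external DTD fetch.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Parses a document with the hardened builder and returns its root element name. */
    static String rootName(String xml)
            throws ParserConfigurationException, SAXException, IOException {
        Document doc = hardenedBuilder().parse(new InputSource(new StringReader(xml)));
        return doc.getDocumentElement().getTagName();
    }

    public static void main(String[] args) throws Exception {
        // Constructed benign document shaped like a minimal mind map.
        String benign = "<map version=\"1.0\"><node TEXT=\"root\"/></map>";
        System.out.println("benign root: " + rootName(benign));

        // Constructed document carrying a DTD that declares an external entity
        // (placeholder URI); the hardened parser must refuse it at the DOCTYPE.
        String withDtd = "<!DOCTYPE map [<!ENTITY ext SYSTEM \"file:///placeholder\">]>"
                + "<map><node TEXT=\"&ext;\"/></map>";
        try {
            rootName(withDtd);
            System.out.println("UNEXPECTED: DOCTYPE was accepted");
        } catch (SAXException e) {
            // disallow-doctype-decl stops parsing before any entity is resolved.
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

Disallowing the DOCTYPE entirely is the simplest check for a format such as a mind-map file that never legitimately needs a DTD; the additional features only matter for parsers that still need DOCTYPE support, and whether a given parser honours them should be verified against that parser, not assumed.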