Markus Koschany <a...@debian.org> writes:

> On 22.03.2018 at 20:52, Felix Natter wrote:
>> Markus Koschany <a...@debian.org> writes:
>>
>>> Package: freeplane
>>> X-Debbugs-CC: t...@security.debian.org
>>> X-Debbugs-CC: fnat...@gmx.net
>>> Severity: important
>>> Tags: security
>>>
>>> Hi,
>>
>> hello Markus,
>>
>>> the following vulnerability was published for freeplane. Apparently only
>>> stretch/jessie/wheezy might be affected.
>>
>> Thank you for paying attention to this, I completely overlooked this!
>

Hi Markus,

> Thanks for your reply!
>
>>
>>> @Felix
>>> Can you tell us more about this vulnerability? There only seems to be a
>>> reference in freeplane's wiki.
>>
>> I think it is very well explained here:
>> https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
>>
>> In short: External identities are "includes" for XML documents that can
>> be specified in DTDs.
>>
>> Here is the commit that should fix it:
>> https://github.com/freeplane/freeplane/commit/a5dce7f9f
>
> That's what we were looking for.
>
> [...]
>
>
>> I can confirm that the fix is in 1.5.20 and 1.6.1, so it's true that
>> wheezy, jessie and stretch are affected.
>>
>> Shall I add the patch in git branches from the debian/X tags here?
>> https://anonscm.debian.org/cgit/pkg-java/freeplane.git
>> Or did you want to do this, Markus?
>
> Please prepare updates for Jessie and Stretch if time permits and I will
> upload the fix either as a security update, provided the security team
> agrees, or as a point-update. I will take care of Wheezy myself.

Since I am hiking this weekend, would it be possible to do this as the
first thing on the Easter weekend (next Friday)? I also need to fix the
knopflerfish RC bug (#893221), I will look into that this morning.

BTW: I *think* the patch should apply without major problems (the XML
persistence hasn't changed much). But on the ant build systems (< 1.5)
the sources are in <bundle>/src/** instead of <bundle>/src/main/java/**,
so you can apply there with -p4 or something (and ignore the unmatched
part for freeplane_plugin_script [1]). That part ([1]) can be applied
manually.

I will check out the respective tag (debian/1.3.12-1, debian/1.5.18-1),
create a branch from there ("jessie-security1", "stretch-security1"),
import the patch, create a new changelog entry (will read about that)
and test, ok?

[1] 
freeplane_plugin_script/src/main/java/org/freeplane/plugin/script/ScriptingRegistration.java

Cheers and Best Regards,
-- 
Felix Natter
debian/rules!
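
A defender-side check for the DTD "includes" mentioned in the thread, as an added example that is not part of any message above and is not freeplane's or Debian's code: it lists external DTD and external entity declarations in an XML document using Python's expat bindings, without resolving any of them. The function name `external_declarations` and the three sample documents are constructed for illustration.

```python
import xml.parsers.expat

# Constructed samples for illustration (not from the thread or from freeplane).
BENIGN = b'<map version="1.0"><node TEXT="root"/></map>'
INTERNAL_SUBSET = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE map [\n'
    b'  <!ENTITY inc SYSTEM "file:///placeholder/path">\n'
    b'  <!ENTITY greeting "hello">\n'
    b']>\n'
    b'<map version="1.0"><node TEXT="root"/>&inc;</map>'
)
EXTERNAL_DTD = b'<!DOCTYPE map SYSTEM "http://example.invalid/map.dtd"><map/>'


def external_declarations(xml_bytes):
    """Return (kind, name, system_id, public_id) for each external DTD or
    external entity declared in xml_bytes. Nothing is fetched: expat only
    reports declarations, and the reference handler below skips resolution."""
    found = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if system_id is not None or public_id is not None:
            found.append(("doctype", name, system_id, public_id))

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        # Internal entities carry a literal value and no system identifier.
        if system_id is not None:
            kind = "parameter-entity" if is_param else "entity"
            found.append((kind, name, system_id, public_id))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    # Returning 1 tells expat to continue without loading the entity.
    parser.ExternalEntityRefHandler = lambda context, base, sysid, pubid: 1
    try:
        parser.Parse(xml_bytes, True)
    except xml.parsers.expat.ExpatError as exc:
        # Malformed input is reported too, so a triage run does not skip it.
        found.append(("parse-error", str(exc), None, None))
    return found
```

An empty result means the document declares no external DTD or entity; any other result is worth a manual look before the file is opened with an unpatched version.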