Markus Koschany <a...@debian.org> writes:

> Hi Felix,

hello Markus,

> On 01.04.2018 at 16:23, Felix Natter wrote:
>> hello Markus,
>>
>> I have prepared the patched 1.5.18-1+deb9u1 for stretch
>> I hope I got the version number right? The changelog entry is probably
>> not correct either. Can you advise what to read?
>>
>> I briefly tested saving+loading mindmaps.
>>
>> Here it is:
>> https://anonscm.debian.org/cgit/pkg-java/freeplane.git/log/?h=stretch-CVE-2018-1000069
>> (branch stretch-CVE-2018-1000069 in the freeplane alioth repo).
>>
>> I am in the process of setting up a vbox instance for jessie to address
>> the other update.
>>
>> Cheers and Best Regards,
>
> The version is correct. I would write in your changelog:
>
> Fix CVE-2018-1000069: Wojciech Reguła discovered that FreePlane was
> affected by an XML External Entity (XXE) vulnerability in its mindmap
> loader that could compromise a user's machine by opening a specially
> crafted mind map file. (Closes: #893663)

Thanks, done.

BTW: Is it ok to close the bug with the stretch-security upload even if
the jessie-security upload is still pending? What is there to do next?

> Distribution should be stretch-security though and the urgency is high.
> Similar for Jessie, jessie-security and the version is 1.3.12-1+deb8u1

I will do this soon, hopefully tomorrow.

Cheers and Best Regards,
-- 
Felix Natter
debian/rules!