Hi Felix,

On 01.04.2018 at 16:23, Felix Natter wrote:
> hello Markus,
>
> I have prepared the patched 1.5.18-1+deb9u1 for stretch
> I hope I got the version number right? The changelog entry is probably
> not correct either. Can you advise what to read?
>
> I briefly tested saving+loading mindmaps.
>
> Here it is:
> https://anonscm.debian.org/cgit/pkg-java/freeplane.git/log/?h=stretch-CVE-2018-1000069
> (branch stretch-CVE-2018-1000069 in the freeplane alioth repo).
>
> I am in the process of setting up a vbox instance for jessie to address
> the other update.
>
> Cheers and Best Regards,

The version is correct. I would write in your changelog:

Fix CVE-2018-1000069:
Wojciech Reguła discovered that FreePlane was affected by an XML External Entity (XXE) vulnerability in its mindmap loader that could compromise a user's machine by opening a specially crafted mind map file. (Closes: #893663)

Distribution should be stretch-security though and the urgency is high.

Similar for Jessie, jessie-security and the version is 1.3.12-1+deb8u1

Cheers,

Markus

__ This is the maintainer address of Debian's Java team <http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. Please use [email protected] for discussions and questions.

