Re: [Freecol-developers] FreeCol XXE Vulnerability
On Tue, 31 Dec 2019 02:06:21 -0800 David Lewis wrote:
> I think we might be okay to start releasing RC versions of 0.12 right away,
> since "0.x" implies beta, we don't need to necessarily support the 0.11
> line, and thus don't need to worry about backporting fixes, so long as we
> release an update that contains the fixes that folks can upgrade to.

I have been working through the bug list and while there are indeed new annoying open issues, perhaps the CVE-fix is enough reason to just forge ahead.

> [wintertime, regarding the news item]
> Should it be mentioned that even older versions are affected and which?

AFAICT the dodgy Java call has been in use since at least 0.10.0. Ironically, there used to be a lot more of them! I mentioned 0.11.6 explicitly because that is the only version we are really supporting at this point (i.e. if you report a bug in earlier FreeCol the first thing I want to know is if you have tried the current release). However feel free to say something like "All supported FreeCol releases prior to 20191227" or thereabouts.

> When should people upgrade?

Well I always tell people who just want to play FreeCol to use the latest stable release, and I would continue to say that. However that is just my opinion. Do we even want to make an Official Recommendation?

Cheers,
Mike Pope

___
Freecol-developers mailing list
Freecol-developers@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/freecol-developers
Re: [Freecol-developers] FreeCol website upload
On Tue, 31 Dec 2019 11:12:04 +0100 win...@genial.ms wrote:
> The usual Ruby way is to do:
> $ gem update jekyll
> I think, your Linux distribution may want you to get it from their
> package manager / repository

Quite so. AFAICT jekyll 4 has been packaged for the next Fedora release so I can probably pull it in early with a little hackery. Or just wait a few months :-).

> Ok, nice. I'll continue with it for a bit on my repo. You all can take
> a look on https://github.com/wintertime/FreeCol/tree/jekyll and when
> it is ready we put it in main and compile/upload.

I am sufficiently convinced this is an improvement, please push forward as you see fit.

Cheers,
Mike Pope
Re: [Freecol-developers] FreeCol XXE Vulnerability
Hi,

I edited the dates and put it into the attached file. I hope the mailing list allows attachments. Should it be mentioned that even older versions are affected and which? When should people upgrade? Please, see if everything looks alright!

I'll merge the Jekyll changes for the website now, to allow using markdown for the news.

Greetings
wintertime

> Sent: Tuesday, 31 December 2019 at 11:25
> From: win...@genial.ms
> To: "Michael T. Pope"
> Cc: freecol-developers@lists.sourceforge.net
> Subject: Re: [Freecol-developers] FreeCol XXE Vulnerability
>
> I think, the 20191227 version already included the fix?
> I'll prepare an empty draft news for when you all are ready.
>
> > Sent: Tuesday, 31 December 2019 at 10:30
> > From: "Michael T. Pope"
> > To: freecol-developers@lists.sourceforge.net
> > Subject: Re: [Freecol-developers] FreeCol XXE Vulnerability
> >
> > Here is some text (markdown) for the website wranglers to consider adding
> > as a news item. I made a lame effort to build a proof-of-concept exploit,
> > but lost interest fairly quickly. I remain unconvinced we need to backport
> > to 0.11.6 and release 0.11.7 given the low level of threat posed, but am
> > interested in other opinions (and/or volunteers).
> >
> > Cheers,
> > Mike Pope
> >
> > -
> > FreeCol 0.11.6 and subsequent development versions up to 20191227 are
> > subject to an XML External Entity parsing bug, due to use of a
> > vulnerable Java library, as detailed in
> > [CVE-2018-1000825](https://www.cvedetails.com/cve/CVE-2018-1000825/).
> >
> > According to the CVE the bug can lead to disclosure of confidential
> > data, denial of service, SSRF, or port scanning, albeit with limited
> > attacker control.
> >
> > Exploiting the bug requires convincing a player to load a specially
> > crafted FreeCol save game, either directly or by joining a hostile
> > FreeCol server.
> >
> > The FreeCol team are unaware of any actual cases of this bug being
> > exploited. It is fixed in the [nightly
> > releases](https://github.com/FreeCol/freecol/releases)
> > from 20191229 onward.

[Attachment: 2019-12-31-freecol-xxe-vulnerability-fixed.md]
Re: [Freecol-developers] FreeCol XXE Vulnerability
I think, the 20191227 version already included the fix?
I'll prepare an empty draft news for when you all are ready.

> Sent: Tuesday, 31 December 2019 at 10:30
> From: "Michael T. Pope"
> To: freecol-developers@lists.sourceforge.net
> Subject: Re: [Freecol-developers] FreeCol XXE Vulnerability
>
> Here is some text (markdown) for the website wranglers to consider adding
> as a news item. I made a lame effort to build a proof-of-concept exploit,
> but lost interest fairly quickly. I remain unconvinced we need to backport
> to 0.11.6 and release 0.11.7 given the low level of threat posed, but am
> interested in other opinions (and/or volunteers).
>
> Cheers,
> Mike Pope
>
> -
> FreeCol 0.11.6 and subsequent development versions up to 20191227 are
> subject to an XML External Entity parsing bug, due to use of a
> vulnerable Java library, as detailed in
> [CVE-2018-1000825](https://www.cvedetails.com/cve/CVE-2018-1000825/).
>
> According to the CVE the bug can lead to disclosure of confidential
> data, denial of service, SSRF, or port scanning, albeit with limited
> attacker control.
>
> Exploiting the bug requires convincing a player to load a specially
> crafted FreeCol save game, either directly or by joining a hostile
> FreeCol server.
>
> The FreeCol team are unaware of any actual cases of this bug being
> exploited. It is fixed in the [nightly
> releases](https://github.com/FreeCol/freecol/releases)
> from 20191229 onward.
Re: [Freecol-developers] FreeCol website upload
Hi,

> Sent: Tuesday, 31 December 2019 at 06:04
> From: "Michael T. Pope"
>
> > Sorry, I'm late. :o Merry Christmas and Happy New Year!
>
> And indeed to you too. I was cutting our Christmas tree on the afternoon
> of the 23rd so I will not be criticizing anyone for lateness.

Thank you. :)

> > > OK, so www.freecol.org/docs/Freecol.{html,pdf} were broken, and should
> > > be fixed now. Are there more?
> >
> > I just tried, and there is 0.11.3 version on server.
>
> Yes, I only fixed the git master, I have not done the upload.

This time, I just did. ;)

> > [Jekyll]
> Configuration file: none

It should have found my _config.yml. Had you checked out a commit where it was existing already? It is necessary to get the news to appear in their old place with the correct template used, maybe more later. I'm still not sure if the date should be in the news file name after compilation or not, to avoid changing it and breaking old links?

> 1135 Malbec] jekyll -v
> jekyll 3.8.6
>
> Not quite what you wanted. However I looked at the contents of _site
> and could not see any obvious failure. So it looks like it worked for me.

The usual Ruby way is to do:
$ gem update jekyll
I think, your Linux distribution may want you to get it from their package manager / repository, not rubygems.org, though. If both aren't working, I can try to work around the incompatibilities: https://jekyllrb.com/docs/upgrading/3-to-4/
There is also the possibility of using Bundler, which is the Ruby way of getting your own versions of gem dependencies. It's even recommended, but I wanted to avoid it, to simplify everything a bit.

> As usual I am wary of more dependencies, but a static generator is
> probably the best tradeoff for us now, and I think markdown is a good
> compromise. So I think this is looking promising.

Ok, nice. I'll continue with it for a bit on my repo. You all can take a look on https://github.com/wintertime/FreeCol/tree/jekyll and when it is ready we put it in main and compile/upload.

Greetings
wintertime
Re: [Freecol-developers] FreeCol XXE Vulnerability
Here is some text (markdown) for the website wranglers to consider adding as a news item. I made a lame effort to build a proof-of-concept exploit, but lost interest fairly quickly. I remain unconvinced we need to backport to 0.11.6 and release 0.11.7 given the low level of threat posed, but am interested in other opinions (and/or volunteers).

Cheers,
Mike Pope

-
FreeCol 0.11.6 and subsequent development versions up to 20191227 are subject to an XML External Entity parsing bug, due to use of a vulnerable Java library, as detailed in [CVE-2018-1000825](https://www.cvedetails.com/cve/CVE-2018-1000825/).

According to the CVE the bug can lead to disclosure of confidential data, denial of service, SSRF, or port scanning, albeit with limited attacker control.

Exploiting the bug requires convincing a player to load a specially crafted FreeCol save game, either directly or by joining a hostile FreeCol server.

The FreeCol team are unaware of any actual cases of this bug being exploited. It is fixed in the [nightly releases](https://github.com/FreeCol/freecol/releases) from 20191229 onward.
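The news item above describes the class of bug (XML External Entity processing in a save-game parser) but not the shape of the fix. The following is an added example, not FreeCol's own code and not the actual change made in the 20191229 nightly: it shows how a Java StAX reader is configured so that a DOCTYPE carrying an external entity in an untrusted save file is refused rather than resolved. It assumes save games are read through `javax.xml.stream.XMLInputFactory` (an assumption about FreeCol; the hardening applies to any StAX consumer), the class name `SafeSaveGameReader` and the element name `name` are hypothetical, and the two XML strings are constructed samples, with a placeholder path standing in for whatever an attacker would reference.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

/** Hypothetical loader showing a StAX factory hardened against XXE. Not FreeCol code. */
public final class SafeSaveGameReader {

    /** Constructed benign sample: what a normal save-game fragment looks like (no DTD). */
    static final String BENIGN_SAMPLE =
        "<?xml version=\"1.0\"?><savedGame><name>Jamestown</name></savedGame>";

    /** Constructed hostile sample: a DTD declaring an external entity and a reference to it.
     *  The SYSTEM identifier is a placeholder; a hardened parser must never resolve it. */
    static final String HOSTILE_SAMPLE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE savedGame [ <!ENTITY ext SYSTEM \"file:///PLACEHOLDER_PATH\"> ]>\n"
      + "<savedGame><name>&ext;</name></savedGame>";

    /** Factory with the two settings that matter for XXE on the StAX path. */
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        // A save game never legitimately carries a DTD (assumption about the format), and the
        // DTD is the only place entities can be declared: refusing it removes the whole class.
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        // Second layer: even if an implementation still scans the DTD, do not resolve
        // external entities (file, http, ...), which is what turns XXE into disclosure or SSRF.
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return f;
    }

    /** Cheap pre-parse check: untrusted save data containing a DOCTYPE is rejected outright,
     *  and the event is worth logging because it should never occur in practice. */
    static boolean declaresDoctype(String xml) {
        return xml.contains("<!DOCTYPE");
    }

    /** Reads the text of the first <name> element, or null if there is none. */
    static String readName(XMLInputFactory f, String xml) throws XMLStreamException {
        XMLStreamReader r = f.createXMLStreamReader(new StringReader(xml));
        try {
            while (r.hasNext()) {
                if (r.next() == XMLStreamConstants.START_ELEMENT
                        && "name".equals(r.getLocalName())) {
                    return r.getElementText();
                }
            }
            return null;
        } finally {
            r.close();
        }
    }

    public static void main(String[] args) throws Exception {
        XMLInputFactory f = hardenedFactory();

        System.out.println("benign sample, doctype present: " + declaresDoctype(BENIGN_SAMPLE));
        System.out.println("benign sample, name = " + readName(f, BENIGN_SAMPLE));

        System.out.println("hostile sample, doctype present: " + declaresDoctype(HOSTILE_SAMPLE));
        try {
            // With DTD support disabled the JDK's built-in StAX parser reports the
            // undeclared entity reference as an XMLStreamException; treat that as a
            // failed load, not a crash, and never as data to display.
            String name = readName(f, HOSTILE_SAMPLE);
            System.out.println("hostile sample parsed; entity left unresolved, name = " + name);
        } catch (XMLStreamException e) {
            System.out.println("hostile sample rejected: " + e.getMessage());
        }
    }
}
```

The `declaresDoctype` check is deliberately redundant with the factory settings: the factory is the real control, while the string check gives a place to log a rejected file and works even if a later refactor swaps in a different XML library. For code that goes through DOM or SAX instead of StAX, the equivalent single switch is the Xerces feature `http://apache.org/xml/features/disallow-doctype-decl` set to `true` on the `DocumentBuilderFactory` or `SAXParserFactory`, which makes any DOCTYPE a parse error.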