Wojciech Regula discovered an XML External Entity vulnerability in the XML Parser of the mindmap loader in freeplane, a Java program for working with mind maps, resulting in potential information disclosure if a malicious mind map file is opened.
CVE: (none) => CVE-2018-1000069
Assigning to all packagers collectively, since there is no registered maintainer for this package.
CC: (none) => marja11
Assignee: bugsquad => pkg-bugs
Fixed on Cauldron and mga6 too!
CC: (none) => geiger.david68210
Thanks David!

Debian has issued an advisory for this on April 18:
https://www.debian.org/security/2018/dsa-4175

Advisory:
========================

Updated freeplane packages fix security vulnerability:

Wojciech Regula discovered an XML External Entity vulnerability in the XML Parser of the mindmap loader in freeplane, a Java program for working with mind maps, resulting in potential information disclosure if a malicious mind map file is opened (CVE-2018-1000069).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000069
https://www.debian.org/security/2018/dsa-4175
========================

Updated packages in core/updates_testing:
========================
freeplane-1.3.15-3.1.mga6
freeplane-1.3.15-3.1.mga6.src.rpm

Version: Cauldron => 6
Summary: freeplane security vulnerabilities CVE-2018-1000069 => freeplane new security issue CVE-2018-1000069
Source RPM: freeplane => freeplane-1.3.15-3.mga6.src.rpm
Assignee: pkg-bugs => qa-bugs
Mageia 6, x86_64

Installed this and had a quick look at it before updating. There is a built-in tutorial which I did not attempt to follow but was able to produce a primitive mind-map by tinkering with the menus, creating nodes, child nodes and child sibling nodes and entering text. It was basically ideas for an essay. Saved the map as a .mm file, all text in a rich-text format with XML-style delimiters and passages of HTML. Images and other types of files can be included. Ran freeplane again to reopen the mind-map and continue editing, then saved and printed the file on several sheets of paper. It is pure WYSIWYG.

As far as these simple tests go the application appears to work alright after updating.

CC: (none) => tarazed25
Whiteboard: (none) => MGA6-64-OK

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0210.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED