Debian DSA-4175-1 : freeplane - security update

Severity: Medium. Nessus Plugin ID 109093

Synopsis

The remote Debian host is missing a security-related update.

Description

Wojciech Regula discovered an XML External Entity vulnerability in the XML Parser of the mindmap loader in freeplane, a Java program for working with mind maps, resulting in potential information disclosure if a malicious mind map file is opened.

Solution

Upgrade the freeplane packages.

For the oldstable distribution (jessie), this problem has been fixed in version 1.3.12-1+deb8u1.

For the stable distribution (stretch), this problem has been fixed in version 1.5.18-1+deb9u1.

See Also

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=893663

https://security-tracker.debian.org/tracker/source-package/freeplane

https://packages.debian.org/source/jessie/freeplane

https://packages.debian.org/source/stretch/freeplane

https://www.debian.org/security/2018/dsa-4175

Plugin Details

Severity: Medium

ID: 109093

File Name: debian_DSA-4175.nasl

Version: 1.4

Type: local

Agent: unix

Published: 4/18/2018

Updated: 11/13/2018

Supported Sensors: Agentless Assessment, Frictionless Assessment Agent, Nessus Agent

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

CVSS v3

Risk Factor: Medium

Base Score: 5.5

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:freeplane, cpe:/o:debian:debian_linux:8.0, cpe:/o:debian:debian_linux:9.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Patch Publication Date: 4/18/2018

Reference Information

CVE: CVE-2018-1000069

DSA: 4175