CVE-2018-1000825

Name: CVE-2018-1000825
Description: FreeCol version <= nightly-2018-08-22 contains an XML External Entity (XXE) vulnerability in the FreeColXMLReader parser that can result in disclosure of confidential data, denial of service, SSRF, and port scanning. This attack appears to be exploitable via a FreeCol file.
Source: CVE
Debian Bugs: 917023

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release     | Version                  | Status
freecol (PTS)  | buster      | 0.11.6+dfsg2-2+deb10u1   | fixed
freecol (PTS)  | bullseye    | 0.11.6+dfsg2-3           | fixed
freecol (PTS)  | bookworm    | 1.0.0-1                  | fixed
freecol (PTS)  | sid, trixie | 1.1.0-1                  | fixed

The information below is based on the following data on fixed versions.

Package | Type   | Release    | Fixed Version            | Urgency     | Origin | Debian Bugs
freecol | source | jessie     | (unfixed)                | end-of-life |        |
freecol | source | stretch    | (unfixed)                | end-of-life |        |
freecol | source | buster     | 0.11.6+dfsg2-2+deb10u1   |             |        |
freecol | source | (unstable) | 0.11.6+dfsg2-3           | low         |        | 917023

Notes

[stretch] - freecol <end-of-life> (Games are not supported)
[jessie] - freecol <end-of-life> (Games are not supported)
https://github.com/FreeCol/freecol/issues/26
https://github.com/FreeCol/freecol/commit/8963506897e3270a75b062f28486934bcb79b1e3
