CVE-2018-1000825

Name: CVE-2018-1000825
Description: FreeCol version <= nightly-2018-08-22 contains an XML External Entity (XXE) vulnerability in the FreeColXMLReader parser that can result in disclosure of confidential data, denial of service, SSRF, and port scanning. This attack appears to be exploitable via a Freecol file.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: high
Debian Bugs: 917023

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| freecol (PTS) | stretch | 0.11.6+dfsg-1 | vulnerable |
| freecol (PTS) | buster | 0.11.6+dfsg2-2 | vulnerable |
| freecol (PTS) | bullseye, sid | 0.11.6+dfsg2-3 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| freecol | source | jessie | (unfixed) | end-of-life | | |
| freecol | source | (unstable) | 0.11.6+dfsg2-3 | low | | 917023 |

Notes

[buster] - freecol <no-dsa> (Minor issue, will be fixed via spu)
[stretch] - freecol <no-dsa> (Minor issue)
[jessie] - freecol <end-of-life> (Games are not supported)
https://github.com/FreeCol/freecol/issues/26
https://github.com/FreeCol/freecol/commit/8963506897e3270a75b062f28486934bcb79b1e3
