CVE-2019-10648

NameCVE-2019-10648
DescriptionRobocode through 1.9.3.5 allows remote attackers to cause external service interaction (DNS), as demonstrated by a query for a unique subdomain name within an attacker-controlled DNS zone, because of a .openStream call within java.net.URL.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severityhigh
Debian Bugs926088

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
robocode (PTS)jessie1.6.2+dfsg2-1vulnerable
stretch1.9.2.5-2vulnerable
buster1.9.3.3-3fixed
bullseye, sid1.9.3.7-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
robocodesource(unstable)1.9.3.3-2low926088
robocodesourcejessie(unfixed)end-of-life

Notes

[stretch] - robocode <no-dsa> (Minor issue)
[jessie] - robocode <end-of-life> (games are not supported)
https://github.com/robo-code/robocode/commit/836c84635e982e74f2f2771b2c8640c3a34221bd#diff-0296a8f9d4a509789f4dc4f052d9c36f
https://sourceforge.net/p/robocode/bugs/406/

Search for package or bug name: Reporting problems