incubator-ooo-users mailing list archives

From Joseph Reynolds <josephhreyno...@gmail.com>
Subject Re: CVE-2012-0037: OpenOffice.org data leakage vulnerability
Date Thu, 22 Mar 2012 15:39:39 GMT
Thank you, I didn't see page 3 at first. I got it done
Joe

On Thu, Mar 22, 2012 at 10:47 AM, drew jensen <drewjensen.inbox@gmail.com> wrote:

> On Thu, 2012-03-22 at 10:35 -0400, Joseph Reynolds wrote:
> > Does anyone know how to install this patch? I downloaded the file but
> > don't know how to proceed.
>
> Hi Joseph,
>
> In the zip file containing the actual patch is also a Readme.pdf file
> which explains how to do this.
>
> Are you saying that after reading the install instruction you are not
> sure how to proceed, or will pointing you to these instructions help?
>
> Thanks,
>
> //drew
>
>
> >
> > On Thu, Mar 22, 2012 at 10:03 AM, Stacie Jones <queenigraine@gmail.com> wrote:
> >
> > > So has data been leaked? Is that why we need the patch?
> > >
> > > On Thu, Mar 22, 2012 at 9:16 AM, Rob Weir <robweir@apache.org> wrote:
> > >
> > > > Please note, this is the official security bulletin, targeted for
> > > > security professionals.  If you are an OpenOffice.org 3.3 user, and
> > > > are able to apply the mentioned patch, then you are encouraged to do
> > > > so.  If someone else supports or manages your desktop, then please
> > > > forward this information to them.
> > > >
> > > > Additional support is available on our Community Forums:
> > > >
> > > > http://user.services.openoffice.org/
> > > >
> > > > And via our ooo-users mailing list:
> > > >
> > > > http://incubator.apache.org/openofficeorg/mailing-lists.html#users-mailing-list
> > > >
> > > > Note:  This security patch for OpenOffice.org is made available to
> > > > legacy OpenOffice.org users as a service by the Apache OpenOffice
> > > > Project Management Committee.  The patch is made available under the
> > > > Apache License, and due to its importance, we are releasing it outside
> > > > of the standard release cycle.
> > > >
> > > > -Rob
> > > >
> > > > -----BEGIN PGP SIGNED MESSAGE-----
> > > > Hash: SHA512
> > > >
> > > > CVE-2012-0037: OpenOffice.org data leakage vulnerability
> > > >
> > > > Severity: Important
> > > >
> > > > Vendor: The Apache Software Foundation
> > > >
> > > > Versions Affected: OpenOffice.org 3.3 and 3.4 Beta, on all platforms.
> > > > Earlier versions may be also affected.
> > > >
> > > > Description: An XML External Entity (XXE) attack is possible in the
> > > > above versions of OpenOffice.org.  This vulnerability exploits the way
> > > > in which external entities are processed in certain XML components of
> > > > ODF documents.  By crafting an external entity to refer to other local
> > > > file system resources, an attacker would be able to inject contents of
> > > > other locally-accessible files into the ODF document, without the
> > > > user's knowledge or permission.  Data leakage then becomes possible
> > > > when that document is later distributed to other parties.
> > > >
> > > > Mitigation: OpenOffice.org 3.3.0 and 3.4 beta users should install the
> > > > patch at: http://www.openoffice.org/security/cves/CVE-2012-0037.html
> > > >
> > > > This vulnerability is also fixed in Apache OpenOffice 3.4 dev
> > > > snapshots since March 1st, 2012.
> > > >
> > > > Source and Building: Information on obtaining the source code for this
> > > > patch, and for porting it or adapting it to OpenOffice.org derivatives
> > > > can be found here:
> > > > http://www.openoffice.org/security/cves/CVE-2012-0037-src.txt
> > > >
> > > > Credit: The Apache OpenOffice project acknowledges and thanks the
> > > > discoverer of this issue, Timothy D. Morgan of Virtual Security
> > > > Research, LLC.
> > > >
> > > > References: http://security.openoffice.org
> > > >
> > > > -----BEGIN PGP SIGNATURE-----
> > > > Version: GnuPG v1.4.11 (GNU/Linux)
> > > >
> > > > -----END PGP SIGNATURE-----
> > > >
> > > > ---------------------------------------------------------------------
> > > > To unsubscribe, e-mail: ooo-users-unsubscribe@incubator.apache.org
> > > > For additional commands, e-mail: ooo-users-help@incubator.apache.org
> > > >
> > > >
> > >
> > >
> > > --
> > > Peace,
> > > Stacie M. Jones
> > > ~"Lokaa samastaa sukhino bhavantu,"~
> > > "May all worlds be happy."
> > >
>
>
>
>
>
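
Added example, not part of the original thread or of the OpenOffice.org patch: a defender-side check for the condition the quoted advisory describes, listing external entity declarations found in the XML members of an ODF package before the file is opened or redistributed. Scanning every .xml and .rdf member, the function names, the size cap and the two sample packages are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# External entity declaration: <!ENTITY [%] name SYSTEM|PUBLIC literal(s) >
ENTITY_RE = re.compile(
    rb"<!ENTITY\s+(?:%\s+)?(?P<name>[^\s>]+)\s+(?P<kind>SYSTEM|PUBLIC)\s+(?P<ids>[^>]*)>")
LITERAL_RE = re.compile(rb"\"([^\"]*)\"|'([^']*)'")
MAX_MEMBER = 20 * 1024 * 1024  # assumed per-member size cap, in bytes


def find_external_entities(odf_bytes):
    """Return (member, entity name, system identifier) for each external entity."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(odf_bytes)) as pkg:
        for info in pkg.infolist():
            if not info.filename.lower().endswith((".xml", ".rdf")):
                continue
            if info.file_size > MAX_MEMBER:
                findings.append((info.filename, "<oversized member, not scanned>", ""))
                continue
            data = pkg.read(info)
            if data[:2] in (b"\xff\xfe", b"\xfe\xff"):  # UTF-16 with BOM
                data = data.decode("utf-16", "replace").encode("utf-8")
            for m in ENTITY_RE.finditer(data):
                literals = LITERAL_RE.findall(m.group("ids"))
                # The system identifier is the last quoted literal (PUBLIC has two).
                sysid = (literals[-1][0] or literals[-1][1]) if literals else b""
                findings.append((info.filename, m.group("name").decode("utf-8", "replace"),
                                 sysid.decode("utf-8", "replace")))
    return findings


def build_package(members):
    """Build an in-memory ZIP standing in for an ODF file (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in members.items():
            z.writestr(name, body)
    return buf.getvalue()


# Constructed samples: one ordinary package, one declaring an external entity.
CLEAN = build_package({"content.xml": b'<?xml version="1.0"?><doc>hello</doc>'})
SUSPECT = build_package({
    "content.xml": b'<?xml version="1.0"?><doc>hello</doc>',
    "manifest.rdf": b'<?xml version="1.0"?>\n<!DOCTYPE r [<!ENTITY ext SYSTEM '
                    b'"file:///constructed/placeholder">]>\n<r>&ext;</r>',
})

if __name__ == "__main__":
    for label, pkg in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(label, find_external_entities(pkg))
```

Any finding is worth a closer look, since ordinary ODF documents have no need to declare external entities; the check complements the patch and does not replace it.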
