incubator-ooo-users mailing list archives

From Stacie Jones <queenigra...@gmail.com>
Subject Re: CVE-2012-0037: OpenOffice.org data leakage vulnerability
Date Sun, 25 Mar 2012 13:51:43 GMT
Hello,
I am a One Stop Shop for myself. If I knew about security, I'd manage it. I
guess I can manage this.
Thanks Stacie

On Sat, Mar 24, 2012 at 7:03 PM, John Boyle <jboyle@harbornet.com> wrote:

> On 3/22/2012 6:16 AM, Rob Weir wrote:
>
>> Please note, this is the official security bulletin, targeted for
>> security professionals.  If you are an OpenOffice.org 3.3 user, and
>> are able to apply the mentioned patch, then you are encouraged to do
>> so.  If someone else supports or manages your desktop, then please
>> forward this information to them.
>>
>> Additional support is available on our Community Forums:
>>
>> http://user.services.openoffice.org/
>>
>> And via our ooo-users mailing list:
>>
>> http://incubator.apache.org/openofficeorg/mailing-lists.html#users-mailing-list
>>
>> Note:  This security patch for OpenOffice.org is made available to
>> legacy OpenOffice.org users as a service by the Apache OpenOffice
>> Project Management Committee.  The patch is made available under the
>> Apache License, and due to its importance, we are releasing it outside
>> of the standard release cycle.
>>
>> -Rob
>>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA512
>>
>> CVE-2012-0037: OpenOffice.org data leakage vulnerability
>>
>> Severity: Important
>>
>> Vendor: The Apache Software Foundation
>>
>> Versions Affected: OpenOffice.org 3.3 and 3.4 Beta, on all platforms.
>> Earlier versions may be also affected.
>>
>> Description: An XML External Entity (XXE) attack is possible in the
>> above versions of OpenOffice.org.  This vulnerability exploits the way
>> in which external entities are processed in certain XML components of
>> ODF documents.  By crafting an external entity to refer to other local
>> file system resources, an attacker would be able to inject contents of
>> other locally-accessible files into the ODF document, without the user's
>> knowledge or permission.  Data leakage then becomes possible when that
>> document is later distributed to other parties.
>>
>> Mitigation: OpenOffice.org 3.3.0 and 3.4 beta users should install the
>> patch at:  http://www.openoffice.org/security/cves/CVE-2012-0037.html
>>
>> This vulnerability is also fixed in Apache OpenOffice 3.4 dev
>> snapshots since March 1st, 2012.
>>
>> Source and Building: Information on obtaining the source code for this
>> patch, and for porting it or adapting it to OpenOffice.org derivatives
>> can be found here:
>> http://www.openoffice.org/security/cves/CVE-2012-0037-src.txt
>>
>> Credit: The Apache OpenOffice project acknowledges and thanks the
>> discoverer of this issue, Timothy D. Morgan of Virtual Security
>> Research, LLC.
>>
>> References: http://security.openoffice.org
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: ooo-users-unsubscribe@incubator.apache.org
>> For additional commands, e-mail: ooo-users-help@incubator.apache.org
>>
>>
> To users: I have not been able to install the patch, whatsoever, and I
> am using Windows 7! Now, is there a 3.4 version for OpenOffice, anywhere?
> Or would it be better to uninstall, until Apache OpenOffice comes out? Or,
> would it be better to go ahead and download LibreOffice, latest version,
> while waiting for Apache to come out with their own? :-\
>


-- 
Peace,
Stacie M. Jones
~"Lokaa samastaa sukhino bhavantu,"~
"May all worlds be happy."
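
The quoted bulletin describes external entities declared inside the XML components of an ODF document. As an added example (not part of this thread and not the Apache OpenOffice patch), the following Python sketch shows how a defender could check an ODF package for external entity declarations before opening or redistributing it. The set of member suffixes inspected, the constructed sample package and its placeholder path are assumptions, and the byte-level pattern assumes ASCII-compatible XML encodings such as UTF-8.

```python
import io
import re
import zipfile

# Matches <!ENTITY name SYSTEM "uri"> and <!ENTITY name PUBLIC "id" "uri">,
# including parameter entities (<!ENTITY % name ...>).
EXTERNAL_ENTITY = re.compile(
    rb"<!ENTITY\s+(?:%\s+)?([^\s>]+)\s+"
    rb"(?:SYSTEM\s+|PUBLIC\s+(?:\"[^\"]*\"|'[^']*')\s+)"
    rb"(?:\"([^\"]*)\"|'([^']*)')"
)
XML_SUFFIXES = (".xml", ".rdf")  # assumption: which package members to inspect


def find_external_entities(odf_bytes):
    """Return [(member, entity_name, system_id)] for every external entity
    declared in the XML members of an ODF (ZIP) package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(odf_bytes)) as package:
        for info in package.infolist():
            if not info.filename.lower().endswith(XML_SUFFIXES):
                continue
            data = package.read(info)
            for match in EXTERNAL_ENTITY.finditer(data):
                name = match.group(1).decode("utf-8", "replace")
                uri = (match.group(2) or match.group(3) or b"").decode("utf-8", "replace")
                findings.append((info.filename, name, uri))
    return findings


def build_sample_package():
    """Constructed sample: one clean member and one declaring an external entity."""
    clean = b'<?xml version="1.0"?><office:document-content xmlns:office="urn:example"/>'
    flagged = (
        b'<?xml version="1.0"?>\n'
        b'<!DOCTYPE doc [ <!ENTITY ext SYSTEM "file:///constructed/placeholder.txt"> ]>\n'
        b"<doc>&ext;</doc>"
    )
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as package:
        package.writestr("content.xml", clean)
        package.writestr("meta.xml", flagged)
    return buffer.getvalue()


if __name__ == "__main__":
    for member, name, uri in find_external_entities(build_sample_package()):
        print(f"{member}: external entity {name!r} -> {uri}")
```

A normal ODF file has no reason to declare external entities, so any finding is worth reviewing before the document is passed on.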
