From: Stacie Jones
To: ooo-users@incubator.apache.org
Date: Sun, 25 Mar 2012 09:51:43 -0400
Subject: Re: CVE-2012-0037: OpenOffice.org data leakage vulnerability
In-Reply-To: <4F6E52B3.90700@harbornet.com>
References: <4F6E52B3.90700@harbornet.com>

Hello,

I am a One Stop Shop for myself. If I knew about security, I'd manage it. I guess I can manage this.

Thanks
Stacie

On Sat, Mar 24, 2012 at 7:03 PM, John Boyle wrote:
> On 3/22/2012 6:16 AM, Rob Weir wrote:
>
>> Please note, this is the official security bulletin, targeted for
>> security professionals. If you are an OpenOffice.org 3.3 user, and
>> are able to apply the mentioned patch, then you are encouraged to do
>> so. If someone else supports or manages your desktop, then please
>> forward this information to them.
>>
>> Additional support is available on our Community Forums:
>>
>> http://user.services.openoffice.org/
>>
>> And via our ooo-users mailing list:
>>
>> http://incubator.apache.org/openofficeorg/mailing-lists.html#users-mailing-list
>>
>> Note: This security patch for OpenOffice.org is made available to
>> legacy OpenOffice.org users as a service by the Apache OpenOffice
>> Project Management Committee. The patch is made available under the
>> Apache License, and due to its importance, we are releasing it outside
>> of the standard release cycle.
>>
>> -Rob
>>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA512
>>
>> CVE-2012-0037: OpenOffice.org data leakage vulnerability
>>
>> Severity: Important
>>
>> Vendor: The Apache Software Foundation
>>
>> Versions Affected: OpenOffice.org 3.3 and 3.4 Beta, on all platforms.
>> Earlier versions may also be affected.
>>
>> Description: An XML External Entity (XXE) attack is possible in the
>> above versions of OpenOffice.org. This vulnerability exploits the way
>> in which external entities are processed in certain XML components of
>> ODF documents. By crafting an external entity to refer to other local
>> file system resources, an attacker would be able to inject contents of
>> other locally-accessible files into the ODF document, without the
>> user's knowledge or permission. Data leakage then becomes possible
>> when that document is later distributed to other parties.
>>
>> Mitigation: OpenOffice.org 3.3.0 and 3.4 beta users should install the
>> patch at: http://www.openoffice.org/security/cves/CVE-2012-0037.html
>>
>> This vulnerability is also fixed in Apache OpenOffice 3.4 dev
>> snapshots since March 1st, 2012.
>>
>> Source and Building: Information on obtaining the source code for this
>> patch, and for porting it or adapting it to OpenOffice.org derivatives
>> can be found here:
>> http://www.openoffice.org/security/cves/CVE-2012-0037-src.txt
>>
>> Credit: The Apache OpenOffice project acknowledges and thanks the
>> discoverer of this issue, Timothy D. Morgan of Virtual Security
>> Research, LLC.
>>
>> References: http://security.openoffice.org
>>
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.11 (GNU/Linux)
>>
>> iQIcBAEBCgAGBQJPayGmAAoJEGFAoYdHzLzHJVcP/jXzY+ROwPTAaSItCc4GAn2q
>> Gm3uL9D9aRrs/pp+sofRkF9L3nyWEyyVfvZv6+IBrqOU/2Tu1CD8cY6Kns1ZYxVO
>> ZRDiR5hhr3pA6KfWlb9W9it/8JsTF7WZfTX0uRMPXCYlJuYQ38Nl7kloPYswXG2w
>> By2J19VanlHuwLQJoNV08652HBDy2Xpa6Wk7N5NoyETILOS47QTgizjAYZ2AY0GE
>> ykBFu9A9yblLM5zftuMT/4FxkHQ8Qx5I3NmV3V8cUgJlmbc2oscsC23iIPcoulJF
>> GSn8tub/e47xzgpJy69NoHgzmb6Ou+J3BDXr0kmH008P6FaTpTgPTltZ8Fcua+T2
>> JSWjzW5IBOW/20J9RN+5lkDJQTY5FiqqpjV7H6bZV3+MVx3Fk/ih1uJPr2cVZqaT
>> pDU5xtn79py7MNsmpjnzD7mPbdiA2OfStzFpqUM60HOki7RgGpozvUPEvA0uIss9
>> X/jP1KixPDdbGS2fMrM7KG9mnT8BOzwow0Vti7alP2x2BkTXZm2K/qflXJDFCxTn
>> g23OJIxlnhC8cK4etyezWNMSya4LLMgz6ZO+TEdvCSaaF6b3t6seskgnFAMcdPHY
>> bkfzzYnACtrvQAmRQ1Nn4i1yFGAY+cTE7sUO2NcFhHn6jXaiZFEatdh4XJEEcTXl
>> OZE/3v6XnehMD/32kipa
>> =/qce
>> -----END PGP SIGNATURE-----
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: ooo-users-unsubscribe@incubator.apache.org
>> For additional commands, e-mail: ooo-users-help@incubator.apache.org
>>
>
> To users: I have not been able to install the patch, whatsoever, and I
> am using Windows 7! Now, is there a 3.4 version for OpenOffice, anywhere?
> Or would it be better to uninstall, until Apache OpenOffice comes out? Or
> would it be better to go ahead and download LibreOffice, latest version,
> while waiting for Apache to come out with their own? :-\
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: ooo-users-unsubscribe@incubator.apache.org
> For additional commands, e-mail: ooo-users-help@incubator.apache.org
>

--
Peace,
Stacie M. Jones
~"Lokaa samastaa sukhino bhavantu,"~
"May all worlds be happy."
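The advisory quoted in this thread describes the attack as an external entity declared in one of the XML parts of the ODF package and referenced from the document body, so that a parser which resolves entities copies a local file into the document. The scanner below is an added example, not code from the advisory, from OpenOffice.org or from Apache OpenOffice: it builds a minimal ODT package in memory (constructed here, with a content.xml that declares an entity for file:///etc/passwd), walks every XML part with Python's standard-library expat parser, records any DOCTYPE or externally defined entity, and refuses to resolve external references. The part names, the target path and the policy of treating any DOCTYPE inside an ODF part as a finding are assumptions of the example.

```python
"""Scan an ODF package for XML External Entity (XXE) payloads.

Added example for the CVE-2012-0037 advisory quoted in this thread; this is
not code from the advisory, from OpenOffice.org or from Apache OpenOffice.
The ODT package built below is constructed inline for the demonstration;
the target file:///etc/passwd, the part names and the "any DOCTYPE is a
finding" policy are assumptions of this example.
"""
import io
import zipfile
import xml.parsers.expat

ODF_TEXT_MIME = "application/vnd.oasis.opendocument.text"
OFFICE_NS = "urn:oasis:names:tc:opendocument:xmlns:office:1.0"
TEXT_NS = "urn:oasis:names:tc:opendocument:xmlns:text:1.0"

# Constructed content.xml carrying an XXE payload: the internal DTD subset
# declares an external entity for a local file and the body references it,
# so a parser that resolves entities pastes that file into the document.
XXE_CONTENT_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE office:document-content [
  <!ENTITY leak SYSTEM "file:///etc/passwd">
]>
<office:document-content xmlns:office="{OFFICE_NS}" xmlns:text="{TEXT_NS}">
  <office:body><office:text><text:p>&leak;</text:p></office:text></office:body>
</office:document-content>
""".encode()

# Constructed benign content.xml: no DTD, no entity declarations.
CLEAN_CONTENT_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<office:document-content xmlns:office="{OFFICE_NS}" xmlns:text="{TEXT_NS}">
  <office:body><office:text><text:p>Hello</text:p></office:text></office:body>
</office:document-content>
""".encode()


def build_sample_odt(content_xml: bytes) -> bytes:
    """Build a minimal ODT (zip) package in memory around the given content.xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        # ODF requires the "mimetype" entry first and stored uncompressed.
        z.writestr("mimetype", ODF_TEXT_MIME, compress_type=zipfile.ZIP_STORED)
        z.writestr("content.xml", content_xml)
    return buf.getvalue()


def scan_xml_part(part_name: str, data: bytes) -> list:
    """Return a list of (part, kind, detail) findings for one XML part.

    ODF parts (content.xml, styles.xml, meta.xml, settings.xml) carry no DTD,
    so a DOCTYPE is already suspect, and an entity declared with a system or
    public identifier is an attempted external read. The external-entity
    handler refuses every fetch by returning 0, which makes expat abort the
    parse instead of opening the referenced resource.
    """
    findings = []

    def on_doctype(doctype_name, system_id, public_id, has_internal_subset):
        findings.append((part_name, "doctype", doctype_name))

    def on_entity_decl(entity_name, is_parameter_entity, value, base,
                       system_id, public_id, notation_name):
        if system_id is not None or public_id is not None:
            findings.append((part_name, "external-entity",
                             f"{entity_name} -> {system_id or public_id}"))

    def on_external_entity_ref(context, base, system_id, public_id):
        return 0  # never resolve; expat turns this into an ExpatError

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_entity_ref
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        findings.append((part_name, "parse-aborted", str(exc)))
    return findings


def scan_odf_package(odf_bytes: bytes) -> list:
    """Scan every XML part of an ODF package; an empty list means no XXE indicators."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(odf_bytes)) as z:
        for name in z.namelist():
            if name.lower().endswith(".xml"):
                findings.extend(scan_xml_part(name, z.read(name)))
    return findings


def is_safe_to_open(odf_bytes: bytes) -> bool:
    return not scan_odf_package(odf_bytes)


if __name__ == "__main__":
    for label, part in (("xxe", XXE_CONTENT_XML), ("clean", CLEAN_CONTENT_XML)):
        pkg = build_sample_odt(part)
        print(label, "safe" if is_safe_to_open(pkg) else "BLOCKED")
        for finding in scan_odf_package(pkg):
            print("   ", finding)
```

Run directly, the constructed XXE package is reported as BLOCKED with three findings (the DOCTYPE, the external entity declaration, and the aborted parse when the body references it) while the clean package passes. The design point is the external-entity handler returning 0: the referenced file is never opened, whatever the rest of the parser's configuration. This checks a document before it reaches an application; it does not change how OpenOffice.org itself parses, which is what the advisory's patch does.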