Posted to announce@openoffice.apache.org by Rob Weir <ro...@apache.org> on 2012/03/22 14:16:21 UTC

CVE-2012-0037: OpenOffice.org data leakage vulnerability

Please note, this is the official security bulletin, targeted for
security professionals.  If you are an OpenOffice.org 3.3 user, and
are able to apply the mentioned patch, then you are encouraged to do
so.  If someone else supports or manages your desktop, then please
forward this information to them.

Additional support is available on our Community Forums:

http://user.services.openoffice.org/

And via our ooo-users mailing list:

http://incubator.apache.org/openofficeorg/mailing-lists.html#users-mailing-list

Note:  This security patch for OpenOffice.org is made available to
legacy OpenOffice.org users as a service by the Apache OpenOffice
Project Management Committee.  The patch is made available under the
Apache License, and due to its importance, we are releasing it outside
of the standard release cycle.

-Rob

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

CVE-2012-0037: OpenOffice.org data leakage vulnerability

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: OpenOffice.org 3.3 and 3.4 Beta, on all platforms.
Earlier versions may be also affected.

Description: An XML External Entity (XXE) attack is possible in the
above versions of OpenOffice.org.  This vulnerability exploits the way
in which external entities are processed in certain XML components of
ODF documents.  By crafting an external entity to refer to other local
file system resources, an attacker would be able to inject contents of
other locally-accessible files into the ODF document, without the
user's knowledge or permission.  Data leakage then becomes possible
when that document is later distributed to other parties.

Mitigation: OpenOffice.org 3.3.0 and 3.4 beta users should install the
patch at:  http://www.openoffice.org/security/cves/CVE-2012-0037.html

This vulnerability is also fixed in Apache OpenOffice 3.4 dev
snapshots since March 1st, 2012.

Source and Building: Information on obtaining the source code for this
patch, and for porting it or adapting it to OpenOffice.org derivatives
can be found here: http://www.openoffice.org/security/cves/CVE-2012-0037-src.txt

Credit: The Apache OpenOffice project acknowledges and thanks the
discoverer of this issue, Timothy D. Morgan of Virtual Security
Research, LLC.

References: http://security.openoffice.org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
-----END PGP SIGNATURE-----
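
For readers triaging ODF files against the XXE issue described in the bulletin above, here is an added example; it is not part of the original bulletin or of the Apache OpenOffice patch. It lists external entity declarations found in the XML members of an ODF package without resolving them. The function names, the size cap and the sample documents are assumptions constructed for illustration.

```python
import io
import zipfile
from xml.parsers import expat

# Assumed cap: larger members are reported but never parsed.
MAX_MEMBER_BYTES = 20 * 1024 * 1024


def external_entities(xml_bytes):
    """Return (name, system_id) for each external entity declared in the DTD.

    Only declarations are recorded. No ExternalEntityRefHandler is installed,
    so the parser never opens whatever a declaration points at.
    """
    found = []
    parser = expat.ParserCreate()

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Internal entities carry their replacement text in `value`;
        # external ones have value None and a system identifier instead.
        if value is None and system_id is not None:
            found.append((name, system_id))

    parser.EntityDeclHandler = on_entity_decl
    try:
        parser.Parse(xml_bytes, True)
    except expat.ExpatError:
        # Malformed XML: keep the declarations seen before the error.
        pass
    return found


def scan_odf(package_bytes):
    """Map member name -> external entity declarations for one ODF package."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        for info in zf.infolist():
            if info.file_size > MAX_MEMBER_BYTES:
                findings[info.filename] = [("(not scanned: member too large)",
                                            str(info.file_size))]
                continue
            data = zf.read(info)
            # Sniff content instead of trusting the file extension: XML starts
            # with '<' within the first bytes (after an optional BOM).
            if b"<" not in data[:8]:
                continue
            hits = external_entities(data)
            if hits:
                findings[info.filename] = hits
    return findings


def build_package(members):
    """Build an in-memory zip from {name: bytes}; used for the samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# --- Constructed samples (not real documents) ---
CLEAN_XML = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
             b'<doc><p>quarterly report</p></doc>')

# One internal entity (harmless) and one external declaration with a
# placeholder system identifier; the body never references the external one.
FLAGGED_XML = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
               b'<!DOCTYPE doc [\n'
               b'  <!ENTITY greeting "hello">\n'
               b'  <!ENTITY ext SYSTEM "file:///PLACEHOLDER/local-file">\n'
               b']>\n'
               b'<doc><p>&greeting;</p></doc>')

COMMON = {
    "mimetype": b"application/vnd.oasis.opendocument.text",
    "Pictures/a.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,  # binary, skipped
}
SAMPLE_CLEAN = build_package({**COMMON, "content.xml": CLEAN_XML})
SAMPLE_FLAGGED = build_package({**COMMON, "content.xml": FLAGGED_XML})

if __name__ == "__main__":
    for label, pkg in (("clean", SAMPLE_CLEAN), ("flagged", SAMPLE_FLAGGED)):
        print(label, scan_odf(pkg))
```

A non-empty result is a reason to inspect the document before opening it in an unpatched installation; an empty result does not replace applying the patch.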

Re: CVE-2012-0037: OpenOffice.org data leakage vulnerability

Posted by drew <dr...@baseanswers.com>.
On Thu, 2012-03-22 at 11:39 -0400, Joseph Reynolds wrote:
> Thank you, I didn't see page 3 at first. I got  it done
> Joe

Thanks for getting back, good to hear it worked out.

Best wishes,

//drew

<snip>


---------------------------------------------------------------------
To unsubscribe, e-mail: ooo-users-unsubscribe@incubator.apache.org
For additional commands, e-mail: ooo-users-help@incubator.apache.org


Re: CVE-2012-0037: OpenOffice.org data leakage vulnerability

Posted by Joseph Reynolds <jo...@gmail.com>.
Thank you, I didn't see page 3 at first. I got it done
Joe

On Thu, Mar 22, 2012 at 10:47 AM, drew jensen <dr...@gmail.com> wrote:

> On Thu, 2012-03-22 at 10:35 -0400, Joseph Reynolds wrote:
> > Does anyone know how to install this patch? I downloaded the file but
> don't
> > know how to proceed.
>
> Hi Joseph,
>
> In the zip file containing the actual patch is also a Readme.pdf file
> which explains how to do this.
>
> Are you saying that after reading the install instruction you are not
> sure how to proceed, or will pointing you to these instructions help?
>
> Thanks,
>
> //drew
>
>
> >
> > On Thu, Mar 22, 2012 at 10:03 AM, Stacie Jones <queenigraine@gmail.com
> >wrote:
> >
> > > So has data been leaked? Is that why we need the patch?
> > >
> > > On Thu, Mar 22, 2012 at 9:16 AM, Rob Weir <ro...@apache.org> wrote:
> > >
> > > > Please note, this is the official security bulletin, targeted for
> > > > security professionals.  If you are an OpenOffice.org 3.3 user, and
> > > > are able to apply the mentioned patch, then you are encouraged to do
> > > > so.  If someone else supports or manages your desktop, then please
> > > > forward this information to them.
> > > >
> > > > Additional support is available on our Community Forums:
> > > >
> > > > http://user.services.openoffice.org/
> > > >
> > > > And via our ooo-users mailing list:
> > > >
> > > >
> > > >
> > >
> http://incubator.apache.org/openofficeorg/mailing-lists.html#users-mailing-list
> > > >
> > > > Note:  This security patch for OpenOffice.org is made available to
> > > > legacy OpenOffice.org users as a service by the Apache OpenOffice
> > > > Project Management Committee.  The patch is made available under the
> > > > Apache License, and due to its importance, we are releasing it
> outside
> > > > of the standard release cycle.
> > > >
> > > > -Rob
> > > >
> > > > -----BEGIN PGP SIGNED MESSAGE-----
> > > > Hash: SHA512
> > > >
> > > > CVE-2012-0037: OpenOffice.org data leakage vulnerability
> > > >
> > > > Severity: Important
> > > >
> > > > Vendor: The Apache Software Foundation
> > > >
> > > > Versions Affected: OpenOffice.org 3.3 and 3.4 Beta, on all platforms.
> > > > Earlier versions may be also affected.
> > > >
> > > > Description: An XML External Entity (XXE) attack is possible in the
> > > > above versions of OpenOffice.org.  This vulnerability exploits the
> way
> > > > in
> > > > which external entities are processed in certain XML components of
> ODF
> > > > documents.  By crafting an external entity to refer to other local
> > > > file system
> > > > resources, an attacker would be able to inject contents of other
> > > > locally- accessible files into the ODF document, without the user's
> > > > knowledge or permission.  Data leakage then becomes possible when
> that
> > > > document is later distributed to other parties.
> > > >
> > > > Mitigation: OpenOffice.org 3.3.0 and 3.4 beta users should install
> the
> > > > patch at:
> http://www.openoffice.org/security/cves/CVE-2012-0037.html
> > > >
> > > > This vulnerability is also fixed in Apache OpenOffice 3.4 dev
> > > > snapshots since March 1st, 2012.
> > > >
> > > > Source and Building: Information on obtaining the source code for
> this
> > > > patch, and for porting it or adapting it to OpenOffice.org
> derivatives
> > > > can be found here:
> > > > http://www.openoffice.org/security/cves/CVE-2012-0037-src.txt
> > > >
> > > > Credit: The Apache OpenOffice project acknowledges and thanks the
> > > > discoverer of this issue, Timothy D. Morgan of Virtual Security
> > > > Research, LLC.
> > > >
> > > > References: http://security.openoffice.org
> > > >
> > > > -----BEGIN PGP SIGNATURE-----
> > > > Version: GnuPG v1.4.11 (GNU/Linux)
> > > >
> > > > -----END PGP SIGNATURE-----
> > > >
> > > > ---------------------------------------------------------------------
> > > > To unsubscribe, e-mail: ooo-users-unsubscribe@incubator.apache.org
> > > > For additional commands, e-mail: ooo-users-help@incubator.apache.org
> > > >
> > > >
> > >
> > >
> > > --
> > > Peace,
> > > Stacie M. Jones
> > > ~"Lokaa samastaa sukhino bhavantu,"~
> > > "May all worlds be happy."
> > >
>
>
>
>
>

Re: CVE-2012-0037: OpenOffice.org data leakage vulnerability

Posted by drew jensen <dr...@gmail.com>.
On Thu, 2012-03-22 at 10:35 -0400, Joseph Reynolds wrote:
> Does anyone know how to install this patch? I downloaded the file but don't
> know how to proceed.

Hi Joseph,

In the zip file containing the actual patch is also a Readme.pdf file
which explains how to do this.

Are you saying that after reading the install instruction you are not
sure how to proceed, or will pointing you to these instructions help?

Thanks,

//drew


> 
> On Thu, Mar 22, 2012 at 10:03 AM, Stacie Jones <qu...@gmail.com>wrote:
> 
> > So has data been leaked? Is that why we need the patch?
> >
> > On Thu, Mar 22, 2012 at 9:16 AM, Rob Weir <ro...@apache.org> wrote:
> >
> > > Please note, this is the official security bulletin, targeted for
> > > security professionals.  If you are an OpenOffice.org 3.3 user, and
> > > are able to apply the mentioned patch, then you are encouraged to do
> > > so.  If someone else supports or manages your desktop, then please
> > > forward this information to them.
> > >
> > > Additional support is available on our Community Forums:
> > >
> > > http://user.services.openoffice.org/
> > >
> > > And via our ooo-users mailing list:
> > >
> > >
> > >
> > http://incubator.apache.org/openofficeorg/mailing-lists.html#users-mailing-list
> > >
> > > Note:  This security patch for OpenOffice.org is made available to
> > > legacy OpenOffice.org users as a service by the Apache OpenOffice
> > > Project Management Committee.  The patch is made available under the
> > > Apache License, and due to its importance, we are releasing it outside
> > > of the standard release cycle.
> > >
> > > -Rob
> > >
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA512
> > >
> > > CVE-2012-0037: OpenOffice.org data leakage vulnerability
> > >
> > > Severity: Important
> > >
> > > Vendor: The Apache Software Foundation
> > >
> > > Versions Affected: OpenOffice.org 3.3 and 3.4 Beta, on all platforms.
> > > Earlier versions may be also affected.
> > >
> > > Description: An XML External Entity (XXE) attack is possible in the
> > > above versions of OpenOffice.org.  This vulnerability exploits the way
> > > in
> > > which external entities are processed in certain XML components of ODF
> > > documents.  By crafting an external entity to refer to other local
> > > file system
> > > resources, an attacker would be able to inject contents of other
> > > locally- accessible files into the ODF document, without the user's
> > > knowledge or permission.  Data leakage then becomes possible when that
> > > document is later distributed to other parties.
> > >
> > > Mitigation: OpenOffice.org 3.3.0 and 3.4 beta users should install the
> > > patch at:  http://www.openoffice.org/security/cves/CVE-2012-0037.html
> > >
> > > This vulnerability is also fixed in Apache OpenOffice 3.4 dev
> > > snapshots since March 1st, 2012.
> > >
> > > Source and Building: Information on obtaining the source code for this
> > > patch, and for porting it or adapting it to OpenOffice.org derivatives
> > > can be found here:
> > > http://www.openoffice.org/security/cves/CVE-2012-0037-src.txt
> > >
> > > Credit: The Apache OpenOffice project acknowledges and thanks the
> > > discoverer of this issue, Timothy D. Morgan of Virtual Security
> > > Research, LLC.
> > >
> > > References: http://security.openoffice.org
> > >
> > > -----BEGIN PGP SIGNATURE-----
> > > Version: GnuPG v1.4.11 (GNU/Linux)
> > >
> > > -----END PGP SIGNATURE-----
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: ooo-users-unsubscribe@incubator.apache.org
> > > For additional commands, e-mail: ooo-users-help@incubator.apache.org
> > >
> > >
> >
> >
> > --
> > Peace,
> > Stacie M. Jones
> > ~"Lokaa samastaa sukhino bhavantu,"~
> > "May all worlds be happy."
> >





Re: CVE-2012-0037: OpenOffice.org data leakage vulnerability

Posted by Joseph Reynolds <jo...@gmail.com>.
Does anyone know how to install this patch? I downloaded the file but don't
know how to proceed.

On Thu, Mar 22, 2012 at 10:03 AM, Stacie Jones <qu...@gmail.com> wrote:

> So has data been leaked? Is that why we need the patch?
>
> On Thu, Mar 22, 2012 at 9:16 AM, Rob Weir <ro...@apache.org> wrote:
>
> > Please note, this is the official security bulletin, targeted for
> > security professionals.  If you are an OpenOffice.org 3.3 user, and
> > are able to apply the mentioned patch, then you are encouraged to do
> > so.  If someone else supports or manages your desktop, then please
> > forward this information to them.
> >
> > Additional support is available on our Community Forums:
> >
> > http://user.services.openoffice.org/
> >
> > And via our ooo-users mailing list:
> >
> >
> >
> http://incubator.apache.org/openofficeorg/mailing-lists.html#users-mailing-list
> >
> > Note:  This security patch for OpenOffice.org is made available to
> > legacy OpenOffice.org users as a service by the Apache OpenOffice
> > Project Management Committee.  The patch is made available under the
> > Apache License, and due to its importance, we are releasing it outside
> > of the standard release cycle.
> >
> > -Rob
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA512
> >
> > CVE-2012-0037: OpenOffice.org data leakage vulnerability
> >
> > Severity: Important
> >
> > Vendor: The Apache Software Foundation
> >
> > Versions Affected: OpenOffice.org 3.3 and 3.4 Beta, on all platforms.
> > Earlier versions may be also affected.
> >
> > Description: An XML External Entity (XXE) attack is possible in the
> > above versions of OpenOffice.org.  This vulnerability exploits the way
> > in
> > which external entities are processed in certain XML components of ODF
> > documents.  By crafting an external entity to refer to other local
> > file system
> > resources, an attacker would be able to inject contents of other
> > locally- accessible files into the ODF document, without the user's
> > knowledge or permission.  Data leakage then becomes possible when that
> > document is later distributed to other parties.
> >
> > Mitigation: OpenOffice.org 3.3.0 and 3.4 beta users should install the
> > patch at:  http://www.openoffice.org/security/cves/CVE-2012-0037.html
> >
> > This vulnerability is also fixed in Apache OpenOffice 3.4 dev
> > snapshots since March 1st, 2012.
> >
> > Source and Building: Information on obtaining the source code for this
> > patch, and for porting it or adapting it to OpenOffice.org derivatives
> > can be found here:
> > http://www.openoffice.org/security/cves/CVE-2012-0037-src.txt
> >
> > Credit: The Apache OpenOffice project acknowledges and thanks the
> > discoverer of this issue, Timothy D. Morgan of Virtual Security
> > Research, LLC.
> >
> > References: http://security.openoffice.org
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.4.11 (GNU/Linux)
> >
> > -----END PGP SIGNATURE-----
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: ooo-users-unsubscribe@incubator.apache.org
> > For additional commands, e-mail: ooo-users-help@incubator.apache.org
> >
> >
>
>
> --
> Peace,
> Stacie M. Jones
> ~"Lokaa samastaa sukhino bhavantu,"~
> "May all worlds be happy."
>

Re: CVE-2012-0037: OpenOffice.org data leakage vulnerability

Posted by Rob Weir <ro...@apache.org>.
On Thu, Mar 22, 2012 at 10:03 AM, Stacie Jones <qu...@gmail.com> wrote:
> So has data been leaked? Is that why we need the patch?
>

Here's how it works:

Security researchers, some in large companies, some in small
specialized companies or consultancies, test software, open source and
proprietary, for possible vulnerabilities.  These are the good guys.
We sometimes call them the "white hats".

When they find a possible way in which an application could be
exploited, they contact the vendor (or open source project) to report
the vulnerability.  We then work with the researcher to understand the
issue and how to mitigate it, how to patch it, and ultimately how to
notify the public.  The industry calls this "Responsible Disclosure".

At the same time the "white hats" are working on finding
vulnerabilities, there are also unfortunately "black hats" doing the
same thing.  They are looking for vulnerabilities to exploit for
malicious purposes.  They are the ones who write viruses and worms to
exploit product vulnerabilities.  They, obviously, do not work within
the system of Responsible Disclosure.

So this particular vulnerability, for which we announced a patch
today, came through the Responsible Disclosure route.  We are aware of
no exploitation of it "in the wild".  However, best practice would be
to still patch your system.

Regards,

-Rob

> On Thu, Mar 22, 2012 at 9:16 AM, Rob Weir <ro...@apache.org> wrote:
>
>> Please note, this is the official security bulletin, targeted for
>> security professionals.  If you are an OpenOffice.org 3.3 user, and
>> are able to apply the mentioned patch, then you are encouraged to do
>> so.  If someone else supports or manages your desktop, then please
>> forward this information to them.
>>
>> Additional support is available on our Community Forums:
>>
>> http://user.services.openoffice.org/
>>
>> And via our ooo-users mailing list:
>>
>>
>> http://incubator.apache.org/openofficeorg/mailing-lists.html#users-mailing-list
>>
>> Note:  This security patch for OpenOffice.org is made available to
>> legacy OpenOffice.org users as a service by the Apache OpenOffice
>> Project Management Committee.  The patch is made available under the
>> Apache License, and due to its importance, we are releasing it outside
>> of the standard release cycle.
>>
>> -Rob
>>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA512
>>
>> CVE-2012-0037: OpenOffice.org data leakage vulnerability
>>
>> Severity: Important
>>
>> Vendor: The Apache Software Foundation
>>
>> Versions Affected: OpenOffice.org 3.3 and 3.4 Beta, on all platforms.
>> Earlier versions may be also affected.
>>
>> Description: An XML External Entity (XXE) attack is possible in the
>> above versions of OpenOffice.org.  This vulnerability exploits the way
>> in
>> which external entities are processed in certain XML components of ODF
>> documents.  By crafting an external entity to refer to other local
>> file system
>> resources, an attacker would be able to inject contents of other
>> locally- accessible files into the ODF document, without the user's
>> knowledge or permission.  Data leakage then becomes possible when that
>> document is later distributed to other parties.
>>
>> Mitigation: OpenOffice.org 3.3.0 and 3.4 beta users should install the
>> patch at:  http://www.openoffice.org/security/cves/CVE-2012-0037.html
>>
>> This vulnerability is also fixed in Apache OpenOffice 3.4 dev
>> snapshots since March 1st, 2012.
>>
>> Source and Building: Information on obtaining the source code for this
>> patch, and for porting it or adapting it to OpenOffice.org derivatives
>> can be found here:
>> http://www.openoffice.org/security/cves/CVE-2012-0037-src.txt
>>
>> Credit: The Apache OpenOffice project acknowledges and thanks the
>> discoverer of this issue, Timothy D. Morgan of Virtual Security
>> Research, LLC.
>>
>> References: http://security.openoffice.org
>>
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.11 (GNU/Linux)
>>
>> -----END PGP SIGNATURE-----
>>
>>
>>
>
>
> --
> Peace,
> Stacie M. Jones
> ~"Lokaa samastaa sukhino bhavantu,"~
> "May all worlds be happy."



Re: CVE-2012-0037: OpenOffice.org data leakage vulnerability

Posted by Stacie Jones <qu...@gmail.com>.
So has data been leaked? Is that why we need the patch?

On Thu, Mar 22, 2012 at 9:16 AM, Rob Weir <ro...@apache.org> wrote:

> Please note, this is the official security bulletin, targeted for
> security professionals.  If you are an OpenOffice.org 3.3 user, and
> are able to apply the mentioned patch, then you are encouraged to do
> so.  If someone else supports or manages your desktop, then please
> forward this information to them.
>
> Additional support is available on our Community Forums:
>
> http://user.services.openoffice.org/
>
> And via our ooo-users mailing list:
>
>
> http://incubator.apache.org/openofficeorg/mailing-lists.html#users-mailing-list
>
> Note:  This security patch for OpenOffice.org is made available to
> legacy OpenOffice.org users as a service by the Apache OpenOffice
> Project Management Committee.  The patch is made available under the
> Apache License, and due to its importance, we are releasing it outside
> of the standard release cycle.
>
> -Rob
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> CVE-2012-0037: OpenOffice.org data leakage vulnerability
>
> Severity: Important
>
> Vendor: The Apache Software Foundation
>
> Versions Affected: OpenOffice.org 3.3 and 3.4 Beta, on all platforms.
> Earlier versions may be also affected.
>
> Description: An XML External Entity (XXE) attack is possible in the
> above versions of OpenOffice.org.  This vulnerability exploits the way
> in
> which external entities are processed in certain XML components of ODF
> documents.  By crafting an external entity to refer to other local
> file system
> resources, an attacker would be able to inject contents of other
> locally- accessible files into the ODF document, without the user's
> knowledge or permission.  Data leakage then becomes possible when that
> document is later distributed to other parties.
>
> Mitigation: OpenOffice.org 3.3.0 and 3.4 beta users should install the
> patch at:  http://www.openoffice.org/security/cves/CVE-2012-0037.html
>
> This vulnerability is also fixed in Apache OpenOffice 3.4 dev
> snapshots since March 1st, 2012.
>
> Source and Building: Information on obtaining the source code for this
> patch, and for porting it or adapting it to OpenOffice.org derivatives
> can be found here:
> http://www.openoffice.org/security/cves/CVE-2012-0037-src.txt
>
> Credit: The Apache OpenOffice project acknowledges and thanks the
> discoverer of this issue, Timothy D. Morgan of Virtual Security
> Research, LLC.
>
> References: http://security.openoffice.org
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
>
> -----END PGP SIGNATURE-----
>
>
>


-- 
Peace,
Stacie M. Jones
~"Lokaa samastaa sukhino bhavantu,"~
"May all worlds be happy."

Re: CVE-2012-0037: OpenOffice.org data leakage vulnerability

Posted by Torokhov Sergey <to...@mail.ru>.
On Thursday 22 of March 2012 17:16:21 Rob Weir wrote:
> Please note, this is the official security bulletin, targeted for
> security professionals.  If you are an OpenOffice.org 3.3 user, and
> are able to apply the mentioned patch, then you are encouraged to do
> so.  If someone else supports or manages your desktop, then please
> forward this information to them.
> 
> Additional support is available on our Community Forums:
> 
> http://user.services.openoffice.org/
> 
> And via our ooo-users mailing list:
> 
> http://incubator.apache.org/openofficeorg/mailing-lists.html#users-mailing-list
> 
> Note:  This security patch for OpenOffice.org is made available to
> legacy OpenOffice.org users as a service by the Apache OpenOffice
> Project Management Committee.  The patch is made available under the
> Apache License, and due to its importance, we are releasing it outside
> of the standard release cycle.
> 
> -Rob
> 

Well... it's good news as there is an external patch.

But for Gentoo Linux users, OpenOffice-3.3.0 was delivered only as a binary
file "OOo_3.3.0_Linux_x86-64_install-rpm-wJRE_en-US.tar.gz" from the official
OpenOffice.org site.

So now the only fast and simple way for Gentoo users to escape this
vulnerability is using the current binary build of Apache Open Office 3.4 beta
unpacked to the "/opt" directory, for example.

[Translation] Re: CVE-2012-0037: OpenOffice.org data leakage vulnerability

Posted by Paolo Pozzan <pa...@z2z.it>.
The Italian community would like to translate the bulletin. It will
really help us to have the original ODT versions of the README.pdf
files. Can someone provide them?
Thanks
Paolo Pozzan

On 22/03/2012 14:16, Rob Weir wrote:
> Please note, this is the official security bulletin, targeted for
> security professionals.  If you are an OpenOffice.org 3.3 user, and
> are able to apply the mentioned patch, then you are encouraged to do
> so.  If someone else supports or manages your desktop, then please
> forward this information to them.
>
> Additional support is available on our Community Forums:
>
> http://user.services.openoffice.org/
>
> And via our ooo-users mailing list:
>
> http://incubator.apache.org/openofficeorg/mailing-lists.html#users-mailing-list
>
> Note:  This security patch for OpenOffice.org is made available to
> legacy OpenOffice.org users as a service by the Apache OpenOffice
> Project Management Committee.  The patch is made available under the
> Apache License, and due to its importance, we are releasing it outside
> of the standard release cycle.
>
> -Rob
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> CVE-2012-0037: OpenOffice.org data leakage vulnerability
>
> Severity: Important
>
> Vendor: The Apache Software Foundation
>
> Versions Affected: OpenOffice.org 3.3 and 3.4 Beta, on all platforms.
> Earlier versions may be also affected.
>
> Description: An XML External Entity (XXE) attack is possible in the
> above versions of OpenOffice.org.  This vulnerability exploits the way
> in
> which external entities are processed in certain XML components of ODF
> documents.  By crafting an external entity to refer to other local
> file system
> resources, an attacker would be able to inject contents of other
> locally- accessible files into the ODF document, without the user's
> knowledge or permission.  Data leakage then becomes possible when that
> document is later distributed to other parties.
>
> Mitigation: OpenOffice.org 3.3.0 and 3.4 beta users should install the
> patch at:  http://www.openoffice.org/security/cves/CVE-2012-0037.html
>
> This vulnerability is also fixed in Apache OpenOffice 3.4 dev
> snapshots since March 1st, 2012.
>
> Source and Building: Information on obtaining the source code for this
> patch, and for porting it or adapting it to OpenOffice.org derivatives
> can be found here: http://www.openoffice.org/security/cves/CVE-2012-0037-src.txt
>
> Credit: The Apache OpenOffice project acknowledges and thanks the
> discoverer of this issue, Timothy D. Morgan of Virtual Security
> Research, LLC.
>
> References: http://security.openoffice.org
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
>
> -----END PGP SIGNATURE-----
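
The bulletin quoted above describes external entity declarations placed in the XML components of an ODF package. As an added example (not part of the bulletin or of the OpenOffice patch), the Python check below lists such declarations in a package so a received document can be reviewed; the member name `meta/sample.xml`, the sample documents and the size cap are constructed assumptions.

```python
import io
import re
import zipfile

MAX_MEMBER_BYTES = 16 * 1024 * 1024  # assumed cap: skip members declaring a larger size

# A quoted literal, then: <!ENTITY name SYSTEM "uri"> or <!ENTITY % name PUBLIC "id" "uri">
QUOTED = r'''(?:"[^"]*"|'[^']*')'''
EXTERNAL_ENTITY = re.compile(
    r"<!ENTITY\s+(?:%\s+)?(\S+)\s+(?:SYSTEM|PUBLIC)((?:\s+" + QUOTED + r"){1,2})")
LITERAL = re.compile('"([^"]*)"' + "|'([^']*)'")


def decode_xml(raw):
    """Decode by BOM so a UTF-16 member cannot hide a declaration from a byte search."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16", errors="replace")
    return raw.decode("utf-8-sig", errors="replace")


def external_entities(text):
    """Return (entity name, external identifier) pairs declared in one XML text."""
    found = []
    for match in EXTERNAL_ENTITY.finditer(text):
        literals = LITERAL.findall(match.group(2))
        double_quoted, single_quoted = literals[-1]  # the URI is the last literal
        found.append((match.group(1), double_quoted or single_quoted))
    return found


def scan_odf(data):
    """Scan an ODF package given as bytes; return sorted (member, entity, identifier)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as package:
        for info in package.infolist():
            if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                continue
            text = decode_xml(package.read(info))
            if not text.lstrip().startswith("<"):
                continue  # not an XML stream (mimetype, images, ...)
            for name, identifier in external_entities(text):
                findings.append((info.filename, name, identifier))
    return sorted(findings)


def build_sample(member_xml, encoding="utf-8"):
    """Build a constructed minimal package in memory (sample data, not a real document)."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as package:
        package.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        package.writestr("content.xml", "<?xml version='1.0'?><doc>hello</doc>")
        package.writestr("meta/sample.xml", member_xml.encode(encoding))  # hypothetical name
    return buffer.getvalue()


# Constructed inputs: one member without declarations, one declaring an external entity.
CLEAN = '<?xml version="1.0"?><root>no declarations</root>'
FLAGGED = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE root [\n'
    '  <!ENTITY leak SYSTEM "file:///constructed/placeholder.txt">\n'
    ']>\n'
    '<root>&leak;</root>'
)

if __name__ == "__main__":
    for label, xml, encoding in (("clean", CLEAN, "utf-8"),
                                 ("flagged", FLAGGED, "utf-8"),
                                 ("flagged, UTF-16", FLAGGED, "utf-16")):
        print(label, scan_odf(build_sample(xml, encoding)))
```

An empty result only says that no external entity is declared inside the package itself; it is not a substitute for installing the patch named in the bulletin.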


Re: CVE-2012-0037: OpenOffice.org data leakage vulnerability

Posted by Stacie Jones <qu...@gmail.com>.
Hello,
I am a One Stop Shop for myself. If I knew about security, I'd manage it. I
guess I can manage this.
Thanks Stacie

On Sat, Mar 24, 2012 at 7:03 PM, John Boyle <jb...@harbornet.com> wrote:

> On 3/22/2012 6:16 AM, Rob Weir wrote:
>
>> Please note, this is the official security bulletin, targeted for
>> security professionals.  If you are an OpenOffice.org 3.3 user, and
>> are able to apply the mentioned patch, then you are encouraged to do
>> so.  If someone else supports or manages your desktop, then please
>> forward this information to them.
>>
>> Additional support is available on our Community Forums:
>>
>> http://user.services.openoffice.org/
>>
>> And via our ooo-users mailing list:
>>
>> http://incubator.apache.org/openofficeorg/mailing-lists.html#users-mailing-list
>>
>> Note:  This security patch for OpenOffice.org is made available to
>> legacy OpenOffice.org users as a service by the Apache OpenOffice
>> Project Management Committee.  The patch is made available under the
>> Apache License, and due to its importance, we are releasing it outside
>> of the standard release cycle.
>>
>> -Rob
>>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA512
>>
>> CVE-2012-0037: OpenOffice.org data leakage vulnerability
>>
>> Severity: Important
>>
>> Vendor: The Apache Software Foundation
>>
>> Versions Affected: OpenOffice.org 3.3 and 3.4 Beta, on all platforms.
>> Earlier versions may be also affected.
>>
>> Description: An XML External Entity (XXE) attack is possible in the
>> above versions of OpenOffice.org.  This vulnerability exploits the way
>> in
>> which external entities are processed in certain XML components of ODF
>> documents.  By crafting an external entity to refer to other local
>> file system
>> resources, an attacker would be able to inject contents of other
>> locally- accessible files into the ODF document, without the user's
>> knowledge or permission.  Data leakage then becomes possible when that
>> document is later distributed to other parties.
>>
>> Mitigation: OpenOffice.org 3.3.0 and 3.4 beta users should install the
>> patch at:  http://www.openoffice.org/security/cves/CVE-2012-0037.html
>>
>> This vulnerability is also fixed in Apache OpenOffice 3.4 dev
>> snapshots since March 1st, 2012.
>>
>> Source and Building: Information on obtaining the source code for this
>> patch, and for porting it or adapting it to OpenOffice.org derivatives
>> can be found here: http://www.openoffice.org/security/cves/CVE-2012-0037-src.txt
>>
>> Credit: The Apache OpenOffice project acknowledges and thanks the
>> discoverer of this issue, Timothy D. Morgan of Virtual Security
>> Research, LLC.
>>
>> References: http://security.openoffice.org
>>
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.11 (GNU/Linux)
>>
>> -----END PGP SIGNATURE-----
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: ooo-users-unsubscribe@incubator.apache.org
>> For additional commands, e-mail: ooo-users-help@incubator.apache.org
>>
>>
> To users: I have not been able to install the patch, whatsoever, and I
> am using Windows 7! Now, is there a 3.4 version For OpenOffice, anywhere?
> Or would it be better to uninstall, until Apache OpenOffice comes out? Or,
> would it be better to go ahead and download libre office, latest version
> while waiting for Apache to come out with their own?:-\


-- 
Peace,
Stacie M. Jones
~"Lokaa samastaa sukhino bhavantu,"~
"May all worlds be happy."

Re: CVE-2012-0037: OpenOffice.org data leakage vulnerability

Posted by John Boyle <jb...@harbornet.com>.
On 3/22/2012 6:16 AM, Rob Weir wrote:
> Please note, this is the official security bulletin, targeted for
> security professionals.  If you are an OpenOffice.org 3.3 user, and
> are able to apply the mentioned patch, then you are encouraged to do
> so.  If someone else supports or manages your desktop, then please
> forward this information to them.
>
> Additional support is available on our Community Forums:
>
> http://user.services.openoffice.org/
>
> And via our ooo-users mailing list:
>
> http://incubator.apache.org/openofficeorg/mailing-lists.html#users-mailing-list
>
> Note:  This security patch for OpenOffice.org is made available to
> legacy OpenOffice.org users as a service by the Apache OpenOffice
> Project Management Committee.  The patch is made available under the
> Apache License, and due to its importance, we are releasing it outside
> of the standard release cycle.
>
> -Rob
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> CVE-2012-0037: OpenOffice.org data leakage vulnerability
>
> Severity: Important
>
> Vendor: The Apache Software Foundation
>
> Versions Affected: OpenOffice.org 3.3 and 3.4 Beta, on all platforms.
> Earlier versions may be also affected.
>
> Description: An XML External Entity (XXE) attack is possible in the
> above versions of OpenOffice.org.  This vulnerability exploits the way
> in
> which external entities are processed in certain XML components of ODF
> documents.  By crafting an external entity to refer to other local
> file system
> resources, an attacker would be able to inject contents of other
> locally- accessible files into the ODF document, without the user's
> knowledge or permission.  Data leakage then becomes possible when that
> document is later distributed to other parties.
>
> Mitigation: OpenOffice.org 3.3.0 and 3.4 beta users should install the
> patch at:  http://www.openoffice.org/security/cves/CVE-2012-0037.html
>
> This vulnerability is also fixed in Apache OpenOffice 3.4 dev
> snapshots since March 1st, 2012.
>
> Source and Building: Information on obtaining the source code for this
> patch, and for porting it or adapting it to OpenOffice.org derivatives
> can be found here: http://www.openoffice.org/security/cves/CVE-2012-0037-src.txt
>
> Credit: The Apache OpenOffice project acknowledges and thanks the
> discoverer of this issue, Timothy D. Morgan of Virtual Security
> Research, LLC.
>
> References: http://security.openoffice.org
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
>
> -----END PGP SIGNATURE-----
>
To users: I have not been able to install the patch, whatsoever, and I 
am using Windows 7! Now, is there a 3.4 version For OpenOffice, 
anywhere? Or would it be better to uninstall, until Apache OpenOffice 
comes out? Or, would it be better to go ahead and download libre office, 
latest version while waiting for Apache to come out with their own?:-\



Re: CVE-2012-0037: OpenOffice.org data leakage vulnerability

Posted by Niall Martin <ni...@rndmartin.cix.co.uk>.
That's good advice: apart from odd bits of stuff that belong with the op system and its
maintenance I put all programmes in a separate partition from the op system, helping to
minimize the mess that Windows makes of things. I also have a separate partition for data,
on a separate hard disc.

On 28 Mar 2012 at 15:28, Scooter C wrote:

Send reply to:  	ooo-users@incubator.apache.org
Date sent:      	Wed, 28 Mar 2012 15:28:30 -0400
From:           	Scooter C <sc...@scootersdesk.com>
To:             	"ooo-users@incubator.apache.org >> Group for Users Open 
Office" <oo...@incubator.apache.org>
Subject:        	Fwd: Re: CVE-2012-0037: OpenOffice.org data leakage 
vulnerability

> Two points I want to make.
> The PDF instructions WERE adequate but misleading. I agree with John,
> it should be more straight-forward or installable.
> 
> One trick I learned years ago: Always put the program files where YOU
> want them, not where the installer normally puts them. MY OOa Files
> are in a folder named Office. Easy to keep track of new or replaced
> files. I found unordfmi.dll easily, (due to prior experiences, I
> renamed the file adding unordfmi.dll.OLD to the
> extension, just-in-case). I copied the new unordfmi.dll to the same
> folder and that was that - no complaining from the system.
> 
> Take Care,
> Scooter
> 
> -------- Original Message --------
> Subject: 	Re: CVE-2012-0037: OpenOffice.org data leakage vulnerability
> Date: 	Sun, 25 Mar 2012 19:59:56 +1100
> From: 	Martin Groenescheij <Ma...@Groenescheij.COM>
> Reply-To: 	ooo-users@incubator.apache.org
> To: 	ooo-users@incubator.apache.org
> 
> 
> 
> Hi Boiling John,
> 
> You could be a little more polite, keep in mind
> that Rob provided this patch to protect our security.
> The instructions are clear and I didn't have a
> problem installing it.
> 
> Martin
> 
> On 25/03/2012 5:18 PM, John Boyle wrote:
> >  On 3/22/2012 6:16 AM, Rob Weir wrote:
> >>  Please note, this is the official security
> >>  bulletin, targeted for
> >>  security professionals.  If you are an
> >>  OpenOffice.org 3.3 user, and
> >>  are able to apply the mentioned patch, then you
> >>  are encouraged to do
> >>  so.  If someone else supports or manages your
> >>  desktop, then please
> >>  forward this information to them.
> >>
> >>  Additional support is available on our
> >>  Community Forums:
> >>
> >>  http://user.services.openoffice.org/
> >>
> >>  And via our ooo-users mailing list:
> >>
> >>  http://incubator.apache.org/openofficeorg/mailing-lists.html#users-mailing-list
> >>
> >>
> >>  Note:  This security patch for OpenOffice.org
> >>  is made available to
> >>  legacy OpenOffice.org users as a service by the
> >>  Apache OpenOffice
> >>  Project Management Committee.  The patch is
> >>  made available under the
> >>  Apache License, and due to its importance, we
> >>  are releasing it outside
> >>  of the standard release cycle.
> >>
> >>  -Rob
> >>
> >>  -----BEGIN PGP SIGNED MESSAGE-----
> >>  Hash: SHA512
> >>
> >>  CVE-2012-0037: OpenOffice.org data leakage
> >>  vulnerability
> >>
> >>  Severity: Important
> >>
> >>  Vendor: The Apache Software Foundation
> >>
> >>  Versions Affected: OpenOffice.org 3.3 and 3.4
> >>  Beta, on all platforms.
> >>  Earlier versions may be also affected.
> >>
> >>  Description: An XML External Entity (XXE)
> >>  attack is possible in the
> >>  above versions of OpenOffice.org.  This
> >>  vulnerability exploits the way
> >>  in
> >>  which external entities are processed in
> >>  certain XML components of ODF
> >>  documents.  By crafting an external entity to
> >>  refer to other local
> >>  file system
> >>  resources, an attacker would be able to inject
> >>  contents of other
> >>  locally- accessible files into the ODF
> >>  document, without the user's
> >>  knowledge or permission.  Data leakage then
> >>  becomes possible when that
> >>  document is later distributed to other parties.
> >>
> >>  Mitigation: OpenOffice.org 3.3.0 and 3.4 beta
> >>  users should install the
> >>  patch at:
> >>  http://www.openoffice.org/security/cves/CVE-2012-0037.html
> >>
> >>
> >>  This vulnerability is also fixed in Apache
> >>  OpenOffice 3.4 dev
> >>  snapshots since March 1st, 2012.
> >>
> >>  Source and Building: Information on obtaining
> >>  the source code for this
> >>  patch, and for porting it or adapting it to
> >>  OpenOffice.org derivatives
> >>  can be found here:
> >>  http://www.openoffice.org/security/cves/CVE-2012-0037-src.txt
> >>
> >>
> >>  Credit: The Apache OpenOffice project
> >>  acknowledges and thanks the
> >>  discoverer of this issue, Timothy D. Morgan of
> >>  Virtual Security
> >>  Research, LLC.
> >>
> >>  References: http://security.openoffice.org
> >>
> >>  -----BEGIN PGP SIGNATURE-----
> >>  Version: GnuPG v1.4.11 (GNU/Linux)
> >>
> >>  -----END PGP SIGNATURE-----
> >>
> >  To Rob Weir: I have been a user of computers
> >  since the TRS 80 from Tandy and a user of
> >  OpenOffice for I don't know how many years! The
> >  asinine patch that was put out to be installed
> >  was badly done and I cannot use it whatsoever!
> >  Now, if someone cannot get it to their heads
> >  that a patch must be a simple install from the
> >  get go, then they are going to lose users of
> >  open office for their arrogance. A four-part
> >  Idiotic message claiming to give you a patch is
> >  actually totally worthless! Have you ever heard
> >  of the DUMMIES books and method of approach to
> >  this problem?:-( :-( :-(
> >
> 


Niall Martin
Phone 0131 4678468
Please reply to: niall<at>rndmartin.cix.co.uk




Fwd: Re: CVE-2012-0037: OpenOffice.org data leakage vulnerability

Posted by Scooter C <sc...@scootersdesk.com>.
Two points I want to make.
The PDF instructions WERE adequate but misleading. I agree with John, it 
should be more straight-forward or installable.

One trick I learned years ago: Always put the program files where YOU 
want them, not where the installer normally puts them.
MY OOa Files are in a folder named Office. Easy to keep track of new or 
replaced files.
I found unordfmi.dll easily, (due to prior experiences, I renamed the 
file adding unordfmi.dll.OLD to the extension, just-in-case).
I copied the new unordfmi.dll to the same folder and that was that - no 
complaining from the system.

Take Care,
Scooter

-------- Original Message --------
Subject: 	Re: CVE-2012-0037: OpenOffice.org data leakage vulnerability
Date: 	Sun, 25 Mar 2012 19:59:56 +1100
From: 	Martin Groenescheij <Ma...@Groenescheij.COM>
Reply-To: 	ooo-users@incubator.apache.org
To: 	ooo-users@incubator.apache.org



Hi Boiling John,

You could be a little more polite, keep in mind
that Rob provided this patch to protect our security.
The instructions are clear and I didn't have a
problem installing it.

Martin

On 25/03/2012 5:18 PM, John Boyle wrote:
>  On 3/22/2012 6:16 AM, Rob Weir wrote:
>>  Please note, this is the official security
>>  bulletin, targeted for
>>  security professionals.  If you are an
>>  OpenOffice.org 3.3 user, and
>>  are able to apply the mentioned patch, then you
>>  are encouraged to do
>>  so.  If someone else supports or manages your
>>  desktop, then please
>>  forward this information to them.
>>
>>  Additional support is available on our
>>  Community Forums:
>>
>>  http://user.services.openoffice.org/
>>
>>  And via our ooo-users mailing list:
>>
>>  http://incubator.apache.org/openofficeorg/mailing-lists.html#users-mailing-list
>>
>>
>>  Note:  This security patch for OpenOffice.org
>>  is made available to
>>  legacy OpenOffice.org users as a service by the
>>  Apache OpenOffice
>>  Project Management Committee.  The patch is
>>  made available under the
>>  Apache License, and due to its importance, we
>>  are releasing it outside
>>  of the standard release cycle.
>>
>>  -Rob
>>
>>  -----BEGIN PGP SIGNED MESSAGE-----
>>  Hash: SHA512
>>
>>  CVE-2012-0037: OpenOffice.org data leakage
>>  vulnerability
>>
>>  Severity: Important
>>
>>  Vendor: The Apache Software Foundation
>>
>>  Versions Affected: OpenOffice.org 3.3 and 3.4
>>  Beta, on all platforms.
>>  Earlier versions may be also affected.
>>
>>  Description: An XML External Entity (XXE)
>>  attack is possible in the
>>  above versions of OpenOffice.org.  This
>>  vulnerability exploits the way
>>  in
>>  which external entities are processed in
>>  certain XML components of ODF
>>  documents.  By crafting an external entity to
>>  refer to other local
>>  file system
>>  resources, an attacker would be able to inject
>>  contents of other
>>  locally- accessible files into the ODF
>>  document, without the user's
>>  knowledge or permission.  Data leakage then
>>  becomes possible when that
>>  document is later distributed to other parties.
>>
>>  Mitigation: OpenOffice.org 3.3.0 and 3.4 beta
>>  users should install the
>>  patch at:
>>  http://www.openoffice.org/security/cves/CVE-2012-0037.html
>>
>>
>>  This vulnerability is also fixed in Apache
>>  OpenOffice 3.4 dev
>>  snapshots since March 1st, 2012.
>>
>>  Source and Building: Information on obtaining
>>  the source code for this
>>  patch, and for porting it or adapting it to
>>  OpenOffice.org derivatives
>>  can be found here:
>>  http://www.openoffice.org/security/cves/CVE-2012-0037-src.txt
>>
>>
>>  Credit: The Apache OpenOffice project
>>  acknowledges and thanks the
>>  discoverer of this issue, Timothy D. Morgan of
>>  Virtual Security
>>  Research, LLC.
>>
>>  References: http://security.openoffice.org
>>
>>  -----BEGIN PGP SIGNATURE-----
>>  Version: GnuPG v1.4.11 (GNU/Linux)
>>
>>  -----END PGP SIGNATURE-----
>>
>  To Rob Weir: I have been a user of computers
>  since the TRS 80 from Tandy and a user of
>  OpenOffice for I don't know how many years! The
>  asinine patch that was put out to be installed
>  was badly done and I cannot use it whatsoever!
>  Now, if someone cannot get it to their heads
>  that a patch must be a simple install from the
>  get go, then they are going to lose users of
>  open office for their arrogance. A four-part
>  Idiotic message claiming to give you a patch is
>  actually totally worthless! Have you ever heard
>  of the DUMMIES books and method of approach to
>  this problem?:-( :-( :-(
>



Re: CVE-2012-0037: OpenOffice.org data leakage vulnerability

Posted by Stacie Jones <qu...@gmail.com>.
Is there another thread where people can be rude and argue? I don't like
that cluttering up my inbox.

On Sun, Mar 25, 2012 at 8:13 PM, John Boyle <jh...@gmail.com> wrote:

> On 3/25/2012 1:59 AM, Martin Groenescheij wrote:
>
>> Hi Boiling John,
>>
>> You could be a little more polite, keep in mind that Rob provided this
>> patch to protect our security.
>> The instructions are clear and I didn't have a problem installing it.
>>
>> Martin
>>
>> On 25/03/2012 5:18 PM, John Boyle wrote:
>>
>>> On 3/22/2012 6:16 AM, Rob Weir wrote:
>>>
>>>> Please note, this is the official security bulletin, targeted for
>>>> security professionals.  If you are an OpenOffice.org 3.3 user, and
>>>> are able to apply the mentioned patch, then you are encouraged to do
>>>> so.  If someone else supports or manages your desktop, then please
>>>> forward this information to them.
>>>>
>>>> Additional support is available on our Community Forums:
>>>>
>>>> http://user.services.openoffice.org/
>>>>
>>>> And via our ooo-users mailing list:
>>>>
>>>> http://incubator.apache.org/openofficeorg/mailing-lists.html#users-mailing-list
>>>>
>>>> Note:  This security patch for OpenOffice.org is made available to
>>>> legacy OpenOffice.org users as a service by the Apache OpenOffice
>>>> Project Management Committee.  The patch is made available under the
>>>> Apache License, and due to its importance, we are releasing it outside
>>>> of the standard release cycle.
>>>>
>>>> -Rob
>>>>
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA512
>>>>
>>>> CVE-2012-0037: OpenOffice.org data leakage vulnerability
>>>>
>>>> Severity: Important
>>>>
>>>> Vendor: The Apache Software Foundation
>>>>
>>>> Versions Affected: OpenOffice.org 3.3 and 3.4 Beta, on all platforms.
>>>> Earlier versions may be also affected.
>>>>
>>>> Description: An XML External Entity (XXE) attack is possible in the
>>>> above versions of OpenOffice.org.  This vulnerability exploits the way
>>>> in
>>>> which external entities are processed in certain XML components of ODF
>>>> documents.  By crafting an external entity to refer to other local
>>>> file system
>>>> resources, an attacker would be able to inject contents of other
>>>> locally- accessible files into the ODF document, without the user's
>>>> knowledge or permission.  Data leakage then becomes possible when that
>>>> document is later distributed to other parties.
>>>>
>>>> Mitigation: OpenOffice.org 3.3.0 and 3.4 beta users should install the
>>>> patch at:  http://www.openoffice.org/security/cves/CVE-2012-0037.html
>>>>
>>>> This vulnerability is also fixed in Apache OpenOffice 3.4 dev
>>>> snapshots since March 1st, 2012.
>>>>
>>>> Source and Building: Information on obtaining the source code for this
>>>> patch, and for porting it or adapting it to OpenOffice.org derivatives
>>>> can be found here: http://www.openoffice.org/security/cves/CVE-2012-0037-src.txt
>>>>
>>>> Credit: The Apache OpenOffice project acknowledges and thanks the
>>>> discoverer of this issue, Timothy D. Morgan of Virtual Security
>>>> Research, LLC.
>>>>
>>>> References: http://security.openoffice.org
>>>>
>>>> -----BEGIN PGP SIGNATURE-----
>>>> Version: GnuPG v1.4.11 (GNU/Linux)
>>>>
>>>> -----END PGP SIGNATURE-----
>>>>
>>> To Rob Weir: I have been a user of computers since the TRS 80 from
>>> Tandy and a user of OpenOffice for I don't know how many years! The asinine
>>> patch that was put out to be installed was badly done and I cannot use it
>>> whatsoever! Now, if someone cannot get it to their heads that a patch must
>>> be a simple install from the get go, then they are going to lose users of
>>> open office for their arrogance. A four-part Idiotic message claiming to
>>> give you a patch is actually totally worthless! Have you ever heard of the
>>> DUMMIES books and method of approach to this problem?:-( :-( :-(
>>>
> To Rob and Martin: I had no intention of being Impolite, but I never
> found any third page I keep hearing about and cannot figure how to install
> the patch! I was just asking if there wasn't a simpler way or where the
> heck was the patch at? I can't figure it out from what you've gotten And I
> started with computers on a TRS 80 computer. I simply would like to get my
> OpenOffice patched correctly and am asking if it's at all possible?:-\
>


-- 
Peace,
Stacie M. Jones
~"Lokaa samastaa sukhino bhavantu,"~
"May all worlds be happy."

Re: CVE-2012-0037: OpenOffice.org data leakage vulnerability

Posted by Terry <te...@yahoo.com.au>.
Evidently there is a readme file: "Download, unzip and follow the instructions in the enclosed readme.pdf file."


----- Original Message -----
> From: John Boyle <jh...@gmail.com>
> To: ooo-users@incubator.apache.org
> Cc: 
> Sent: Monday, 26 March 2012 11:13 AM
> Subject: Re: CVE-2012-0037: OpenOffice.org data leakage vulnerability
> 
> On 3/25/2012 1:59 AM, Martin Groenescheij wrote:
>>  Hi Boiling John,
>> 
>>  You could be a little more polite, keep in mind that Rob provided this patch to protect our security.
>>  The instructions are clear and I didn't have a problem installing it.
>> 
>>  Martin
>> 
>>  On 25/03/2012 5:18 PM, John Boyle wrote:
>>>  On 3/22/2012 6:16 AM, Rob Weir wrote:
>>>>  Please note, this is the official security bulletin, targeted for
>>>>  security professionals.  If you are an OpenOffice.org 3.3 user, and
>>>>  are able to apply the mentioned patch, then you are encouraged to do
>>>>  so.  If someone else supports or manages your desktop, then please
>>>>  forward this information to them.
>>>> 

>>>> <snip>
>>>> 
>>>  To Rob Weir: I have been a user of computers since the TRS 80 from
>>>  Tandy and a user of OpenOffice for I don't know how many years! The asinine
>>>  patch that was put out to be installed was badly done and I cannot use it
>>>  whatsoever! Now, if someone cannot get it to their heads that a patch must be a
>>>  simple install from the get go, then they are going to lose users of open office
>>>  for their arrogance. A four-part Idiotic message claiming to give you a patch is
>>>  actually totally worthless! Have you ever heard of the DUMMIES books and method
>>>  of approach to this problem?:-( :-( :-(
>>> 
>>> <snip>
>> 
>> 
> To Rob and Martin: I had no intention of being Impolite, but I never found any 
> third page I keep hearing about and cannot figure how to install the patch! I 
> was just asking if there wasn't a simpler way or where the heck was the 
> patch at? I can't figure it out from what you've gotten And I started 
> with computers on a TRS 80 computer. I simply would like to get my OpenOffice 
> patched correctly and am asking if it's at all possible?:-\
> 



Re: CVE-2012-0037: OpenOffice.org data leakage vulnerability

Posted by Nicholas Kircher <Ni...@sil.org>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Greetings:

I have been following this thread with interest.  When I got to the
download that you clearly listed in your message, I got the following
message, "403 Forbidden, you do not have permission to access...on this
server" and then it gave the mirror site name where I have the dots.  I
then tried to use other mirror sites and I got the same message.  The
first time I tried downloading the instructions, I wondered what all the
sites were for.  I didn't work through all the sites the other times,
thinking that I was missing something or that I would be going to
download something that either I didn't need or I might access something
damaging to my computer.

This time, I started to work my way down the various http sites on
the download mirrors and kept getting the "403 Forbidden..." message
when I pressed the download buttons. After getting the same message
four times, I finally found one mirror that downloaded the instructions.
John was more vocal about his frustration but I experienced similar
kinds of emotions in my following of your instructions... I don't know
what needs to change...

Thank you for your attention on this.

Sincerely,

Nick Kircher

On 3/26/12 9:58 AM, Rob Weir wrote:
> On Sun, Mar 25, 2012 at 8:13 PM, John Boyle <jh...@gmail.com> wrote:
>
>> On 3/25/2012 1:59 AM, Martin Groenescheij wrote:
>>
>>> Hi Boiling John,
>>>
>>> You could be a little more polite, keep in mind that Rob provided this
>>> patch to protect our security.
>>> The instructions are clear and I didn't have a problem installing it.
>>>
>>> Martin
>>>
>>> On 25/03/2012 5:18 PM, John Boyle wrote:
>>>
>>>> On 3/22/2012 6:16 AM, Rob Weir wrote:
>>>>
>>>>> Please note, this is the official security bulletin, targeted for
>>>>> security professionals. If you are an OpenOffice.org 3.3 user, and
>>>>> are able to apply the mentioned patch, then you are encouraged to do
>>>>> so. If someone else supports or manages your desktop, then please
>>>>> forward this information to them.
>>>>>
>>>> To Rob Weir: I have been a user of computers since the TRS 80 from
>>>> Tandy and a user of OpenOffice for I don't know how many years! The
>>>> asinine patch that was put out to be installed was badly done and I
>>>> cannot use it whatsoever! Now, if someone cannot get it to their heads
>>>> that a patch must be a simple install from the get go, then they are
>>>> going to lose users of open office for their arrogance. A four-part
>>>> Idiotic message claiming to give you a patch is actually totally
>>>> worthless! Have you ever heard of the DUMMIES books and method of
>>>> approach to this problem?:-( :-( :-(
>>>>
>> To Rob and Martin: I had no intention of being Impolite, but I never
>> found any third page I keep hearing about and cannot figure how to install
>> the patch! I was just asking if there wasn't a simpler way or where the
>> heck was the patch at? I can't figure it out from what you've gotten And I
>> started with computers on a TRS 80 computer. I simply would like to get my
>> OpenOffice patched correctly and am asking if it's at all possible?:-\
>>
>>
>>
>
> Hi John.
>
> Let's break it down.
>
> See the original note, where I wrote;
>
> "Mitigation: OpenOffice.org 3.3.0 and 3.4 beta users should install the
> patch at: http://www.openoffice.org/security/cves/CVE-2012-0037.html"
>
> Start with that page. Load that URL in your browser.
>
> Then on that page you will see something that says, "OpenOffice.org 3.3.0
> and 3.4 beta users can patch their installation with the following patches.
> Download, unzip and follow the instructions in the enclosed readme.pdf
> file."
>
> Right below that there are two links, one labeled "For Windows" and the
> other "For MacOS". Download the appropriate one, unzip and load the
> readme.pdf inside. If you are not able to unzip or read a PDF file then
> let me know.
>
> The readme.pdf file has its own instructions, with pictures, which should
> make the remaining steps clear. But let me know if you have further
> questions.
>
> -Rob

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk9v1G0ACgkQFgUvDYSMGtCb5ACghWcTvKNGJQmnK5jw7KSQajw0
Vu4AoIAxWao/aZnXUXvxErCnfnTsJyB7
=z1Lf
-----END PGP SIGNATURE-----


Re: CVE-2012-0037: OpenOffice.org data leakage vulnerability

Posted by Rob Weir <ro...@apache.org>.
On Sun, Mar 25, 2012 at 8:13 PM, John Boyle <jh...@gmail.com> wrote:

> On 3/25/2012 1:59 AM, Martin Groenescheij wrote:
>
>> Hi Boiling John,
>>
>> You could be a little more polite, keep in mind that Rob provided this
>> patch to protect our security.
>> The instructions are clear and I didn't have a problem installing it.
>>
>> Martin
>>
>> On 25/03/2012 5:18 PM, John Boyle wrote:
>>
>>> On 3/22/2012 6:16 AM, Rob Weir wrote:
>>>
>>>> Please note, this is the official security bulletin, targeted for
>>>> security professionals.  If you are an OpenOffice.org 3.3 user, and
>>>> are able to apply the mentioned patch, then you are encouraged to do
>>>> so.  If someone else supports or manages your desktop, then please
>>>> forward this information to them.
>>>>
>>> To Rob Weir: I have been a user of computers since the TRS 80 from
>>> Tandy and a user of OpenOffice for I don't know how many years! The asinine
>>> patch that was put out to be installed was badly done and I cannot use it
>>> whatsoever! Now, if someone cannot get it to their heads that a patch must
>>> be a simple install from the get go, then they are going to lose users of
>>> open office for their arrogance. A four-part Idiotic message claiming to
>>> give you a patch is actually totally worthless! Have you ever heard of the
>>> DUMMIES books and method of approach to this problem?:-( :-( :-(
>>>
>>
> To Rob and Martin: I had no intention of being Impolite, but I never
> found any third page I keep hearing about and cannot figure how to install
> the patch! I was just asking if there wasn't a simpler way or where the
> heck was the patch at? I can't figure it out from what you've gotten And I
> started with computers on a TRS 80 computer. I simply would like to get my
> OpenOffice patched correctly and am asking if it's at all possible?:-\
>
>
>

Hi John.

Let's break it down.

See the original note, where I wrote:

"Mitigation: OpenOffice.org 3.3.0 and 3.4 beta users should install the
patch at:  http://www.openoffice.org/security/cves/CVE-2012-0037.html"

Start with that page.  Load that URL in your browser.

Then on that page you will see something that says, "OpenOffice.org 3.3.0
and 3.4 beta users can patch their installation with the following patches.
Download, unzip and follow the instructions in the enclosed readme.pdf
file."

Right below that there are two links, one labeled "For Windows" and the
other "For MacOS".   Download the appropriate one, unzip and load the
readme.pdf inside.  If you are not able to unzip or read a PDF file then
let me know.

The readme.pdf file has its own instructions, with pictures, which should
make the remaining steps clear.  But let me know if you have further
questions.

-Rob





Re: CVE-2012-0037: OpenOffice.org data leakage vulnerability

Posted by John Boyle <jh...@gmail.com>.
On 3/25/2012 1:59 AM, Martin Groenescheij wrote:
> Hi Boiling John,
>
> You could be a little more polite, keep in mind that Rob provided this
> patch to protect our security.
> The instructions are clear and I didn't have a problem installing it.
>
> Martin
>
> On 25/03/2012 5:18 PM, John Boyle wrote:
>> On 3/22/2012 6:16 AM, Rob Weir wrote:
>>> Please note, this is the official security bulletin, targeted for
>>> security professionals.  If you are an OpenOffice.org 3.3 user, and
>>> are able to apply the mentioned patch, then you are encouraged to do
>>> so.  If someone else supports or manages your desktop, then please
>>> forward this information to them.
>>>
>> To Rob Weir: I have been a user of computers since the TRS 80 from 
>> Tandy and a user of OpenOffice for I don't know how many years! The 
>> asinine patch that was put out to be installed was badly done and I 
>> cannot use it whatsoever! Now, if someone cannot get it to their 
>> heads that a patch must be a simple install from the get go, then 
>> they are going to lose users of open office for their arrogance. A 
>> four-part Idiotic message claiming to give you a patch is actually 
>> totally worthless! Have you ever heard of the DUMMIES books and 
>> method of approach to this problem?:-( :-( :-(
>
To Rob and Martin: I had no intention of being Impolite, but I never 
found any third page I keep hearing about and cannot figure how to 
install the patch! I was just asking if there wasn't a simpler way or 
where the heck was the patch at? I can't figure it out from what you've 
gotten And I started with computers on a TRS 80 computer. I simply would 
like to get my OpenOffice patched correctly and am asking if it's at all 
possible?:-\



Re: CVE-2012-0037: OpenOffice.org data leakage vulnerability

Posted by Martin Groenescheij <Ma...@Groenescheij.COM>.
Hi Boiling John,

You could be a little more polite, keep in mind
that Rob provided this patch to protect our security.
The instructions are clear and I didn't have a
problem installing it.

Martin

On 25/03/2012 5:18 PM, John Boyle wrote:
> On 3/22/2012 6:16 AM, Rob Weir wrote:
>> Please note, this is the official security 
>> bulletin, targeted for
>> security professionals.  If you are an 
>> OpenOffice.org 3.3 user, and
>> are able to apply the mentioned patch, then you 
>> are encouraged to do
>> so.  If someone else supports or manages your 
>> desktop, then please
>> forward this information to them.
>>
> To Rob Weir: I have been a user of computers 
> since the TRS 80 from Tandy and a user of 
> OpenOffice for I don't know how many years! The 
> asinine patch that was put out to be installed 
> was badly done and I cannot use it whatsoever! 
> Now, if someone cannot get it to their heads 
> that a patch must be a simple install from the 
> get go, then they are going to lose users of 
> open office for their arrogance. A four-part 
> Idiotic message claiming to give you a patch is 
> actually totally worthless! Have you ever heard 
> of the DUMMIES books and method of approach to 
> this problem?:-( :-( :-(


Re: CVE-2012-0037: OpenOffice.org data leakage vulnerability

Posted by John Boyle <jb...@harbornet.com>.
On 3/22/2012 6:16 AM, Rob Weir wrote:
> Please note, this is the official security bulletin, targeted for
> security professionals.  If you are an OpenOffice.org 3.3 user, and
> are able to apply the mentioned patch, then you are encouraged to do
> so.  If someone else supports or manages your desktop, then please
> forward this information to them.
>
To Rob Weir: I have been a user of computers since the TRS 80 from Tandy 
and a user of OpenOffice for I don't know how many years! The asinine 
patch that was put out to be installed was badly done and I cannot use 
it whatsoever! Now, if someone cannot get it to their heads that a patch 
must be a simple install from the get go, then they are going to lose 
users of open office for their arrogance. A four-part Idiotic message 
claiming to give you a patch is actually totally worthless! Have you 
ever heard of the DUMMIES books and method of approach to this 
problem?:-( :-( :-(



Re: CVE-2012-0037: OpenOffice.org data leakage vulnerability

Posted by Andrea Pescetti <pe...@apache.org>.
On 07/04/2012 Andrea Pescetti wrote:
> What would be the best way to translate both
> http://www.openoffice.org/security/cves/CVE-2012-0037.html
> and readme.pdf? Perhaps the following?
> - Create a new page under http://www.openoffice.org/it
> - Add an "Italian version" link to
> http://www.openoffice.org/security/cves/CVE-2012-0037.html pointing to
> the new page
> - In the new page, preserve all links to the ZIP file and when "the
> enclosed readme.pdf file" is mentioned, link the Italian version too.

I've now implemented this.

http://www.openoffice.org/security/cves/CVE-2012-0037.html
now contains a section named "Unofficial translations" with a link to 
the Italian version ("Unofficial" here meaning "not reviewed by the 
security team"); conversely, the Italian translation links back to the 
English page as the "Official version".

All links to the patch are preserved in the Italian version; we merely 
provide an additional Italian readme.pdf for convenience.

If there is anything to fix, feel free to do so.

Regards,
   Andrea.

Re: CVE-2012-0037: OpenOffice.org data leakage vulnerability

Posted by Andrea Pescetti <pe...@apache.org>.
On 22/03/2012 Rob Weir wrote:
> Mitigation: OpenOffice.org 3.3.0 and 3.4 beta users should install the
> patch at:  http://www.openoffice.org/security/cves/CVE-2012-0037.html

What would be the best way to translate both
http://www.openoffice.org/security/cves/CVE-2012-0037.html
and readme.pdf? Perhaps the following?

- Create a new page under http://www.openoffice.org/it
- Add an "Italian version" link to 
http://www.openoffice.org/security/cves/CVE-2012-0037.html pointing to 
the new page
- In the new page, preserve all links to the ZIP file and when "the 
enclosed readme.pdf file" is mentioned, link the Italian version too.

Would this work? We already have all translations available and of 
course we don't want to touch the ZIP archive containing readme.pdf, so 
this seems the most reasonable solution.

Regards,
   Andrea.

Re: CVE-2012-0037: OpenOffice.org data leakage vulnerability

Posted by Rob Weir <ro...@apache.org>.
On Sun, Mar 25, 2012 at 6:48 AM, Terry <te...@yahoo.com.au> wrote:

> It occurs to me that this should also be published on the announce list.
>
>

I agree.  But maybe wait for the Linux version of the patch?

-Rob




Re: CVE-2012-0037: OpenOffice.org data leakage vulnerability

Posted by Kazunari Hirano <kh...@gmail.com>.
Hi all,

On Sun, Mar 25, 2012 at 7:48 PM, Terry <te...@yahoo.com.au> wrote:
> It occurs to me that this should also be published on the announce list.
+1   I think so, too.
Then I will announce it on our native language list,
ooo-general-ja@incubator.apache.org, in Japanese, with Japanese
instructions how to install it :)

Thanks,
khirano
-- 
khirano@apache.org
Apache OpenOffice (incubating)
http://incubator.apache.org/openofficeorg/



Re: CVE-2012-0037: OpenOffice.org data leakage vulnerability

Posted by Terry <te...@yahoo.com.au>.
It occurs to me that this should also be published on the announce list.



