Posted to commits@openoffice.apache.org by hd...@apache.org on 2013/07/26 09:28:32 UTC

svn commit: r1507204 - in /openoffice/ooo-site/trunk/content/security: bulletin.html cves/CVE-2013-2189.html cves/CVE-2013-4156.html

Author: hdu
Date: Fri Jul 26 07:28:31 2013
New Revision: 1507204

URL: http://svn.apache.org/r1507204
Log:
updated for CVE-2013-2189 and CVE-2013-4156

Added:
    openoffice/ooo-site/trunk/content/security/cves/CVE-2013-2189.html
    openoffice/ooo-site/trunk/content/security/cves/CVE-2013-4156.html
Modified:
    openoffice/ooo-site/trunk/content/security/bulletin.html

Modified: openoffice/ooo-site/trunk/content/security/bulletin.html
URL: http://svn.apache.org/viewvc/openoffice/ooo-site/trunk/content/security/bulletin.html?rev=1507204&r1=1507203&r2=1507204&view=diff
==============================================================================
--- openoffice/ooo-site/trunk/content/security/bulletin.html (original)
+++ openoffice/ooo-site/trunk/content/security/bulletin.html Fri Jul 26 07:28:31 2013
@@ -5,20 +5,25 @@
 <head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
 
-  <title>OpenOffice.org Security Team Bulletin</title>
+  <title>Apache OpenOffice Security Team Bulletin</title>
   <style type="text/css">
 /*<![CDATA[*/
     hr { display: block }
   /*]]>*/
   </style>
 
-
 </head>
 
 <body>
-  <h2>OpenOffice.org Security Team Bulletin</h2>
+  <h2>Apache OpenOffice Security Team Bulletin</h2>
+
+  <p><strong>If you want to stay up to date on Apache OpenOffice security announcements, please subscribe to our <a href="alerts.html">security-alerts mailing list</a>.</strong></p>
 
-  <p><strong>If you want to stay up to date on OpenOffice.org security announcements, please subscribe to our <a href="alerts.html">security-alerts mailing list</a>.</strong></p>
+ <h3>Fixed in Apache OpenOffice 4.0.0</h3>
+<ul>
+<li><a href="cves/CVE-2013-2189.html">CVE-2013-2189</a>: DOC Memory Corruption Vulnerability in Apache OpenOffice</li>
+<li><a href="cves/CVE-2013-4156.html">CVE-2013-4156</a>: DOCM Memory Corruption Vulnerability in Apache OpenOffice</li>
+</ul>
 
  <h3>Fixed in Apache OpenOffice 3.4.1</h3>
 <ul>
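
Review bot: The new heading reads "Fixed in Apache OpenOffice 4.0.0", but the Mitigation text in both added advisory pages tells users to "upgrade to Apache OpenOffice 4.0"; use one version string throughout so readers can match the bulletin entry to the advisory. The two new list items also word the titles differently from the pages they link to ("DOC Memory Corruption Vulnerability in Apache OpenOffice" here, "OpenOffice DOC Memory Corruption Vulnerability" in the h3 of the CVE page); pick one form and reuse it.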

Added: openoffice/ooo-site/trunk/content/security/cves/CVE-2013-2189.html
URL: http://svn.apache.org/viewvc/openoffice/ooo-site/trunk/content/security/cves/CVE-2013-2189.html?rev=1507204&view=auto
==============================================================================
--- openoffice/ooo-site/trunk/content/security/cves/CVE-2013-2189.html (added)
+++ openoffice/ooo-site/trunk/content/security/cves/CVE-2013-2189.html Fri Jul 26 07:28:31 2013
@@ -0,0 +1,41 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head profile="http://www.w3.org/2005/10/profile">
+	<title>CVE-2013-2189</title>
+	<style type="text/css"></style>
+</head>
+
+<body>
+	<h2><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2013-2189">CVE-2013-2189</a></h2>
+
+	<h3>OpenOffice DOC Memory Corruption Vulnerability</h3>
+
+	<ul>   
+	<h4>Severity: Important</h4>
+	<h4>Vendor: The Apache Software Foundation</h4>
+	<h4>Versions Affected:</h4>
+		<ul>
+		<li>Apache OpenOffice 3.4.0 to 3.4.1, on all platforms.</li>
+		<li>Earlier versions may be also affected.</li>
+	</ul>
+
+	<h4>Description:</h4>
+	<p>The vulnerability is caused by operating on invalid PLCF (Plex of Character Positions in File) data when parsing a malformed DOC document file.
+	Specially crafted documents can be used for denial-of-service attacks.
+	Further exploits are possible but have not been verified.
+
+	<h4>Mitigation</h4>
+	<p>Apache OpenOffice 3.4 users are advised to <a href="http://download.openoffice.org">upgrade to Apache OpenOffice 4.0</a>.
+	Users who are unable to upgrade immediately should be cautious when opening untrusted documents.
+
+	<h4>Credits</h4>
+	<p>The Apache OpenOffice security team credits Jeremy Brown of Microsoft Vulnerability Research as the discoverer of this flaw.</p>
+
+	<hr />
+
+	<p><a href="http://security.openoffice.org">Security Home</a>
+	-&gt; <a href="http://security.openoffice.org/bulletin.html">Bulletin</a>
+	-&gt; <a href="http://security.openoffice.org/security/cves/CVE-2013-2189.html">CVE-2013-2189</a></p>
+</body>
+</html>
+
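
Review bot: The added CVE-2013-2189.html is not well-formed against the XHTML 1.0 Strict doctype it declares. The `<ul>` opened before "Severity: Important" has `<h4>` elements as direct children and is never closed (two `<ul>` opens, one `</ul>`), and the `<p>` elements under Description and Mitigation have no `</p>`. Suggest dropping the outer `<ul>` and closing both paragraphs. Separately, the last breadcrumb link points at http://security.openoffice.org/security/cves/CVE-2013-2189.html, while bulletin.html (linked in the same breadcrumb as http://security.openoffice.org/bulletin.html) reaches this page through the relative href cves/CVE-2013-2189.html; the extra /security path segment looks unintended. The headings are also inconsistent: "Description:" carries a colon, "Mitigation" and "Credits" do not.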

Added: openoffice/ooo-site/trunk/content/security/cves/CVE-2013-4156.html
URL: http://svn.apache.org/viewvc/openoffice/ooo-site/trunk/content/security/cves/CVE-2013-4156.html?rev=1507204&view=auto
==============================================================================
--- openoffice/ooo-site/trunk/content/security/cves/CVE-2013-4156.html (added)
+++ openoffice/ooo-site/trunk/content/security/cves/CVE-2013-4156.html Fri Jul 26 07:28:31 2013
@@ -0,0 +1,41 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head profile="http://www.w3.org/2005/10/profile">
+	<title>CVE-2013-4156</title>
+	<style type="text/css"></style>
+</head>
+
+<body>
+	<h2><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2013-4156">CVE-2013-4156</a></h2>
+
+	<h3>OpenOffice DOCM Memory Corruption Vulnerability</h3>
+
+	<ul>   
+	<h4>Severity: Important</h4>
+	<h4>Vendor: The Apache Software Foundation</h4>
+	<h4>Versions Affected:</h4>
+		<ul>
+		<li>Apache OpenOffice 3.4.0 to 3.4.1, on all platforms.</li>
+		<li>Earlier versions may be also affected.</li>
+	</ul>
+
+	<h4>Description:</h4>
+	<p>The vulnerability is caused by mishandling of unknown XML elements when parsing OOXML document files.
+	Specially crafted documents can be used for denial-of-service attacks.
+	Further exploits are possible but have not been verified.
+
+	<h4>Mitigation</h4>
+	<p>Apache OpenOffice 3.4 users are advised to <a href="http://download.openoffice.org">upgrade to Apache OpenOffice 4.0</a>.
+	Users who are unable to upgrade immediately should be cautious when opening untrusted documents.
+
+	<h4>Credits</h4>
+	<p>The Apache OpenOffice security team credits Jeremy Brown of Microsoft Vulnerability Research as the discoverer of this flaw.</p>
+
+	<hr />
+
+	<p><a href="http://security.openoffice.org">Security Home</a>
+	-&gt; <a href="http://security.openoffice.org/bulletin.html">Bulletin</a>
+	-&gt; <a href="http://security.openoffice.org/security/cves/CVE-2013-4156.html">CVE-2013-4156</a></p>
+</body>
+</html>
+
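
Review bot: The title and the bulletin entry call this a "DOCM" vulnerability, but the Description says the fault is in "parsing OOXML document files" in general. Since the only interim mitigation offered is to "be cautious when opening untrusted documents", the page should state which file types are affected (DOCM only, or other OOXML formats as well) and use the same term in the title and the description. The markup also needs fixing before it validates as XHTML 1.0 Strict: the outer `<ul>` before "Severity: Important" wraps `<h4>` elements and is never closed, the Description and Mitigation `<p>` elements lack `</p>`, and the final breadcrumb href contains /security/cves/ where bulletin.html links to cves/CVE-2013-4156.html.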