Posted to commits@openoffice.apache.org by ma...@apache.org on 2023/03/24 14:40:42 UTC

[openoffice-org] branch main updated (66046972ba -> dfd872b775)

This is an automated email from the ASF dual-hosted git repository.

marcus pushed a change to branch main
in repository https://gitbox.apache.org/repos/asf/openoffice-org.git


    from 66046972ba Updated download numbers for February and March
     new c4623ee219 Adjusted the description text
     new dfd872b775 Security Bulletin for the Apache OpenOffice 4.1.14 Release

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 content/security/bulletin.html            | 8 ++++++++
 content/security/cves/CVE-2022-38745.html | 4 ++--
 content/security/cves/CVE-2022-47502.html | 6 ++++++
 3 files changed, 16 insertions(+), 2 deletions(-)


[openoffice-org] 01/02: Adjusted the description text

Posted by ma...@apache.org.

marcus pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/openoffice-org.git

commit c4623ee219d2f75470d90efc356877c60b250c1c
Author: Marcus <ma...@apache.org>
AuthorDate: Fri Mar 24 15:36:28 2023 +0100

    Adjusted the description text
---
 content/security/cves/CVE-2022-38745.html | 4 ++--
 content/security/cves/CVE-2022-47502.html | 6 ++++++
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/content/security/cves/CVE-2022-38745.html b/content/security/cves/CVE-2022-38745.html
index 95b433790c..b78f2b7eac 100644
--- a/content/security/cves/CVE-2022-38745.html
+++ b/content/security/cves/CVE-2022-38745.html
@@ -22,8 +22,8 @@
       <strong>Description</strong>
     </p>
     <p>
-     It is possible to configure Apache OpenOffice so that it launches the JVM giving an empty class path,
-     that means: "load classes from the current directory". This may lead to run arbitrary Java code.
+     Apache OpenOffice versions before 4.1.14 may be configured to add an empty entry to the Java class path.
+     This may lead to run arbitrary Java code from the current directory.
     </p>
     <p>
       <strong>Severity: Moderate</strong>
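
Review bot: the second added sentence, "This may lead to run arbitrary Java code from the current directory.", is ungrammatical and no longer explains why the current directory matters. The removed text stated that an empty class path means "load classes from the current directory"; keep that link explicit, for example "An empty entry makes the JVM load classes from the current directory, which may lead to arbitrary Java code being run."
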
diff --git a/content/security/cves/CVE-2022-47502.html b/content/security/cves/CVE-2022-47502.html
index f553a67721..57d8573586 100644
--- a/content/security/cves/CVE-2022-47502.html
+++ b/content/security/cves/CVE-2022-47502.html
@@ -26,6 +26,12 @@
      MS SharePoint server. In the affected versions links could be constructed to call internal macros
      with arbitrary arguments. Which when clicked on, or activated by document events, could result in
      arbitrary script execution without warning.
+     
+     Apache OpenOffice documents can contain links that call internal macros with arbitrary arguments.
+     Several URI Schemes are defined for this purpose.Links can be activated by clicks, or by automatic
+     document events. The execution of such links must be subject to user approval. In the affected
+     versions of OpenOffice, approval for certain links is not requested; when activated, such links could
+     therefore result in arbitrary script execution.
     </p>
     <p>
       <strong>Severity: Critical</strong>
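
Review bot: the six added lines are appended inside the existing <p> after the old description instead of replacing it, so the rendered page will run both versions together as one paragraph (the blank "+" line does not create a break in HTML) and will state twice that links can call internal macros with arbitrary arguments. Either delete the superseded sentences above the insertion or close the paragraph and open a new <p> for the new text. A space is also missing in "purpose.Links", and the added blank line carries trailing whitespace.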


[openoffice-org] 02/02: Security Bulletin for the Apache OpenOffice 4.1.14 Release

Posted by ma...@apache.org.

marcus pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/openoffice-org.git

commit dfd872b77575986c829a647052d1c30915fc6838
Author: Marcus <ma...@apache.org>
AuthorDate: Fri Mar 24 15:40:01 2023 +0100

    Security Bulletin for the Apache OpenOffice 4.1.14 Release
---
 content/security/bulletin.html | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/content/security/bulletin.html b/content/security/bulletin.html
index b68b4761f4..f16b151801 100644
--- a/content/security/bulletin.html
+++ b/content/security/bulletin.html
@@ -19,6 +19,14 @@
     subscribe to our <a href="alerts.html">security-alerts mailing list</a>.</strong>
   </p>
 
+  <h3>Fixed in Apache OpenOffice 4.1.14</h3>
+
+  <ul>
+    <li><a href="cves/CVE-2022-38745.html">CVE-2022-38745</a>: An empty class path may lead to run arbitrary Java code</li>
+    <li><a href="cves/CVE-2022-40674.html">CVE-2022-40674</a>: "Use after free" fixed in expat >= 2.4.9</li>
+    <li><a href="cves/CVE-2022-47502.html">CVE-2022-47502</a>: Macro URL arbitrary script execution without warning</li>
+  </ul>
+
   <h3>Fixed in Apache OpenOffice 4.1.13</h3>
 
   <ul>
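
Review bot: the second added list item links to cves/CVE-2022-40674.html, but the two commits in this push only touch bulletin.html, CVE-2022-38745.html and CVE-2022-47502.html, so please confirm that page already exists in the repository; otherwise the bulletin ships a dead link. In the same item, write the comparison as "expat &gt;= 2.4.9" rather than a raw ">" in HTML text. The first item's "may lead to run arbitrary Java code" would read better as "may lead to arbitrary Java code being run".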