Posted to commits@openoffice.apache.org by ro...@apache.org on 2013/06/21 14:07:46 UTC

svn commit: r1495404 - in /openoffice/ooo-site/trunk/content/security: bulletin.html cves/CVE-2013-1571.html

Author: robweir
Date: Fri Jun 21 12:07:46 2013
New Revision: 1495404

URL: http://svn.apache.org/r1495404
Log: (empty)

Added:
    openoffice/ooo-site/trunk/content/security/cves/CVE-2013-1571.html
Modified:
    openoffice/ooo-site/trunk/content/security/bulletin.html

Modified: openoffice/ooo-site/trunk/content/security/bulletin.html
URL: http://svn.apache.org/viewvc/openoffice/ooo-site/trunk/content/security/bulletin.html?rev=1495404&r1=1495403&r2=1495404&view=diff
==============================================================================
--- openoffice/ooo-site/trunk/content/security/bulletin.html (original)
+++ openoffice/ooo-site/trunk/content/security/bulletin.html Fri Jun 21 12:07:46 2013
@@ -23,6 +23,7 @@
  <h3>Fixed in Apache OpenOffice 3.4.1</h3>
 <ul>
 <li><a href="cves/CVE-2012-2665.html">CVE-2012-2665</a>: Manifest-processing errors in Apache OpenOffice 3.4.0</li>
+<li><a href="cves/CVE-2012-2665.html">CVE-2013-1571</a>: Frame Injection Vulnerability in SDK JavaDoc</li>
 </ul>
 
   <h3>Fixed in Apache OpenOffice 3.4.0</h3>
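
Review bot: The added list item links to the wrong page: its href is cves/CVE-2012-2665.html, copied from the entry above it, while the link text reads CVE-2013-1571, so anyone following the new entry lands on the manifest-processing advisory. Point the href at cves/CVE-2013-1571.html, the file this commit adds. The entry also sits under "Fixed in Apache OpenOffice 3.4.1", yet the new advisory lists the 3.4.1 SDK as affected and ships a separate patch, so the heading it belongs under should be reconsidered. The commit log is empty; a one-line message naming the CVE would make the history easier to search.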

Added: openoffice/ooo-site/trunk/content/security/cves/CVE-2013-1571.html
URL: http://svn.apache.org/viewvc/openoffice/ooo-site/trunk/content/security/cves/CVE-2013-1571.html?rev=1495404&view=auto
==============================================================================
--- openoffice/ooo-site/trunk/content/security/cves/CVE-2013-1571.html (added)
+++ openoffice/ooo-site/trunk/content/security/cves/CVE-2013-1571.html Fri Jun 21 12:07:46 2013
@@ -0,0 +1,83 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head profile="http://www.w3.org/2005/10/profile">
+  <title> CVE-2013-1571</title>
+  <style type="text/css"></style>
+</head>
+
+<body>
+  <h2><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2013-1571">CVE-2013-1571</a></h2>
+
+  <h3>
+  Frame Injection Vulnerability in SDK JavaDoc
+  </h3>
+
+    <ul>   
+    
+        <h4>Severity: Medium</h4>
+
+        <h4>Vendor: The Apache Software Foundation</h4>
+        
+        <h4>Versions Affected:</h4>
+                                 <ul>
+                                     <li>Apache OpenOffice 3.4.1 SDK, on all platforms.</li>
+                                     <li>Earlier versions may be also affected.</li>
+                                 </ul>
+            
+
+<h4>Description:</h4>
+<p>
+As reported on June 18th there is a <a href="http://www.kb.cert.org/vuls/id/225657">vulnerability in JavaDoc</a> generated by Java 5, Java 6 and Java 7 before update 22.  Generated
+        JavaDoc files could be suceptible to HTML frame injection attacks. Our investigation indicated that the UDK 3.2.7 Java API Reference in the Apache OpenOffice SDK contains 
+        a vulnerable HTML file.</p>
+
+<p>Note:  Ordinary installs of OpenOffice are not impacted by this vulnerability.  Only installs of the OpenOffice SDK, typically only installed by software developers writing
+        extensions, are impacted</p>
+
+        <h4>Mitigation</h4>
+        <p>SDK users should update their installations by replacing /docs/java/ref/index.html with this 
+        <a href="http://www.apache.org/dyn/aoo-closer.cgi/incubator/ooo/3.4.1/source/cve-2013-1571.zip">patched version</a>.  
+        Download, unzip and follow the  instructions in the enclosed README file.</p>
+
+        <p>Users with earlier versions of the SDK (pre 3.4.1) should <a href="http://www.download.openoffice.org/download/other.html#tested-sdk">upgrade to the current version</a> and then apply the patch.  Alternative, they can download and run
+        Oracle's <a href="http://www.oracle.com/technetwork/java/javase/downloads/java-doc-updater-tool-1955731.html">Java API Documentation Updater Tool</a> to repair
+        the vulnerabilities in place.</p>
+
+
+<h4>Verifying the Integrity of Downloaded Files</h4>
+
+<p>
+We have provided <a href="http://www.apache.org/dist/incubator/ooo/3.4.1/source/cve-2013-1571.zip.md5">MD5</a> and <a href="http://www.apache.org/dist/incubator/ooo/3.4.1/source/cve-2013-1571.zip.sha256">SHA256</a> hashes of these patches, 
+        as well as a <a href="http://www.apache.org/dist/incubator/ooo/3.4.1/source/cve-2013-1571.zip.asc">GPG/PGP detached digital signature</a>, for those who wish to verify the 
+        integrity of this file.
+<p>
+The MD5 and SHA256 hashes can be verified using Unix tools like md5sum or sha256sum.
+<p>
+The PGP signatures can be verified using PGP or GPG. First download the <a href="http://www.apache.org/dist/incubator/ooo/KEYS">KEYS</a> file, as well as the asc signature file for the particular patch from above. Make sure you get these files from the main distribution directory, rather than from a mirror. Then verify the signatures as follows:
+<p>
+<code>
+% pgpk -a KEYS <br>
+% pgpv cve-2013-1571.zip.asc <br>
+</code>
+<em>or</em>
+<br>
+<code>
+% pgp -ka KEYS <br>
+% pgp cve-2013-1571.zip.asc <br>
+</code>
+<em>or</em>
+<br>
+<code>
+% gpg --import KEYS <br>
+% gpg --verify cve-2013-1571.zip.asc <br>
+</code>
+
+
+
+  <hr />
+
+  <p><a href="http://security.openoffice.org">Security Home</a> -&gt; <a href="http://security.openoffice.org/bulletin.html">Bulletin</a> -&gt; 
+  <a href="http://security.openoffice.org/security/cves/CVE-2013-1571.html">CVE-2013-1571</a></p>
+</body>
+</html>
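
Review bot: The <ul> opened right after the <h3> title is never closed and holds <h4> and <p> elements as direct children, and the four <p> tags in the "Verifying the Integrity of Downloaded Files" section have no closing tag, so the page will not validate against the XHTML 1.0 Strict doctype it declares. Drop the outer <ul>, or close it and wrap its content in <li>, and close each paragraph. In the same section the KEYS, .asc, .md5 and .sha256 links all use http://, which sits awkwardly beside the instruction to fetch these files from the main distribution directory rather than a mirror; https:// links would protect the key and signature files in transit. Small text fixes: "suceptible" should be "susceptible", "Alternative, they can" should be "Alternatively, they can", "may be also affected" reads better as "may also be affected", and the Note paragraph ending in "are impacted" is missing its final period.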