Posted to commits@openoffice.apache.org by bu...@apache.org on 2012/03/22 13:27:58 UTC
svn commit: r809570 - in /websites/staging/ooo-site/trunk: cgi-bin/ content/
content/security/alerts.html content/security/bulletin.html
content/security/cves/CVE-2012-0037-src.txt
content/security/cves/CVE-2012-0037.html
Author: buildbot
Date: Thu Mar 22 12:27:58 2012
New Revision: 809570
Log:
Staging update by buildbot for openofficeorg
Added:
websites/staging/ooo-site/trunk/content/security/cves/CVE-2012-0037-src.txt
websites/staging/ooo-site/trunk/content/security/cves/CVE-2012-0037.html
Modified:
websites/staging/ooo-site/trunk/cgi-bin/ (props changed)
websites/staging/ooo-site/trunk/content/ (props changed)
websites/staging/ooo-site/trunk/content/security/alerts.html
websites/staging/ooo-site/trunk/content/security/bulletin.html
Propchange: websites/staging/ooo-site/trunk/cgi-bin/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Thu Mar 22 12:27:58 2012
@@ -1 +1 @@
-1303619
+1303750
Propchange: websites/staging/ooo-site/trunk/content/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Thu Mar 22 12:27:58 2012
@@ -1 +1 @@
-1303619
+1303750
Modified: websites/staging/ooo-site/trunk/content/security/alerts.html
==============================================================================
--- websites/staging/ooo-site/trunk/content/security/alerts.html (original)
+++ websites/staging/ooo-site/trunk/content/security/alerts.html Thu Mar 22 12:27:58 2012
@@ -30,36 +30,26 @@
<h2>OpenOffice.org Security Alerts</h2>
<p>The OpenOffice.org Security Team publishes details of security
- vulnerabilities in our <a href=
- "//security/bulletin.html">Security
+ vulnerabilities in our <a href="http://security.openoffice.org/security/bulletin.html">Security
Bulletin</a>.</p>
- <p>We also publish these alerts via a dedicated mailing list
- <em>alerts@security.openoffice.org</em>. This mailing list is not used for
- any other purpose. The archives of the mailing list can be <a href=
- "http://security.openoffice.org/servlets/SummarizeList?listName=alerts">
- browsed online</a>.</p>
+ <p>We also publish these alerts via the project's announcement list, <em>ooo-announce</em>.</p>
<p>If you would like to subscribe to the list, please send a blank email to
<a href=
- "mailto:alerts-subscribe@security.openoffice.org">alerts-subscribe@security.openoffice.org</a>.
+ "mailto:ooo-announce-subscribe@incubator.apache.org">ooo-announce-subscribe@incubator.apache.org</a>.
You will be sent an email from instructions how to confirm your
subscription. Once you have confirmed your subscription, you will receive
- any future emails from alerts@security.openoffice.org until you
+ any future emails from ooo-announce until you
unsubscribe.</p>
<p>Please note that the mailing list is fully automated, so if you use
spam-filtering software, please make sure it will accept emails from
- <em>alerts-help@security.openoffice.org</em> and
- <em>alerts@security.openoffice.org</em> <u>before</u> you try and
+ <em>ooo-announce@incubator.apache.org</em> <u>before</u> you try and
subscribe.</p>
- <p>For further information about the Security Team, please see <a href=
- "//security/faq.html">our FAQ</a>.</p>
- <hr />
- <a href="//security/">Security Home</a> ->
- <a href="//security/alerts.html">Security
- Alerts</a>
+ <a href="http://security.openoffice.org">Security Home</a> ->
+ <a href="http://security.openofice.org/alerts.html">Security Alerts</a>
</div>
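Review bot: the new breadcrumb link at `+ <a href="http://security.openofice.org/alerts.html">Security Alerts</a>` misspells the host (`openofice` is missing an `f`), so the link will resolve to the wrong domain; it should read `security.openoffice.org`. The rewrite also drops the `<hr />` and the "For further information about the Security Team, please see our FAQ" paragraph along with the mailing-list change; if that removal is intended it should be mentioned in the log, otherwise restore those lines with the new absolute URL style.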
Modified: websites/staging/ooo-site/trunk/content/security/bulletin.html
==============================================================================
--- websites/staging/ooo-site/trunk/content/security/bulletin.html (original)
+++ websites/staging/ooo-site/trunk/content/security/bulletin.html Thu Mar 22 12:27:58 2012
@@ -31,6 +31,12 @@
<p><strong>If you want to stay up to date on OpenOffice.org security announcements, please subscribe to our <a href="alerts.html">security-alerts mailing list</a>.</strong></p>
+ <h3>Patches for OpenOffice.org 3.3</h3>
+
+ <ul>
+ <li><a href="cves/CVE-2012-0037.html">CVE-2012-0037</a>: OpenOffice.org data leakage vulnerability</li>
+ </ul>
+
<h3>Fixed in OpenOffice.org 3.3</h3>
<ul>
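Review bot: the unchanged intro line just above, `please subscribe to our <a href="alerts.html">security-alerts mailing list</a>`, still advertises alerts.html as a dedicated security-alerts list, while this same commit rewrites alerts.html to point at the general `ooo-announce` list; reword it (for example "the ooo-announce mailing list") so the bulletin does not promise a list that no longer exists. The new heading `+ <h3>Patches for OpenOffice.org 3.3</h3>` could also mention 3.4 Beta, since the CVE page added in this commit lists both 3.3 and 3.4 Beta under "Versions Affected" and offers the patches to both.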
@@ -212,8 +218,8 @@
</ul>
<hr />
- <p><a href="//security/">Security Home</a> ->
- <a href="//security/bulletin.html">Bulletin</a></p>
+ <p><a href="http://security.openoffice.org/">Security Home</a> ->
+ <a href="http://security.openoffice.org/bulletin.html">Bulletin</a></p>
</div>
Added: websites/staging/ooo-site/trunk/content/security/cves/CVE-2012-0037-src.txt
==============================================================================
--- websites/staging/ooo-site/trunk/content/security/cves/CVE-2012-0037-src.txt (added)
+++ websites/staging/ooo-site/trunk/content/security/cves/CVE-2012-0037-src.txt Thu Mar 22 12:27:58 2012
@@ -0,0 +1,23 @@
+This patch was created from pre-release code from Apache OpenOffice 3.4.
+
+If you already have an build tree based on OpenOffice.org, the minimal set of changes to patch this vulnerability
+can be found as the diff from r1230438 in our Subversion repository:
+
+https://svn.apache.org/repos/asf/incubator/ooo/trunk
+
+To create the patched library as a drop-in replacement for its OpenOffice.org 3.3 counterpart apply the change above into the Apache OpenOffice initial code import (r1162288).
+
+Alternatively, if you do not already have a build tree to patch, you can checkout a current 3.4 dev snapshot build.
+By using a current dev snapshot you ensure greater stability of the build.
+
+A list of current dev snapshots are listed here:
+
+https://cwiki.apache.org/confluence/display/OOOUSERS/AOO+3.4+Unofficial+Developer+Snapshots
+
+For example, at the time of this note, the current dev snapshot is based on r1299571.
+
+The Building Guide is here: http://wiki.services.openoffice.org/wiki/Documentation/Building_Guide
+
+Questions on building the patch can be sent to our public dev list at ooo-dev@incubator.apache.org
+
+
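Review bot: two wording fixes in the new text: `+If you already have an build tree based on OpenOffice.org` should read "a build tree", and `+A list of current dev snapshots are listed here:` should read "Current dev snapshots are listed here:". The instruction to take "the diff from r1230438" is followed only by the bare trunk URL, so readers still have to work out how to extract that revision's change; a direct link to the revision or the svn diff command would help. The file also ends with two trailing blank lines that can be dropped.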
Added: websites/staging/ooo-site/trunk/content/security/cves/CVE-2012-0037.html
==============================================================================
--- websites/staging/ooo-site/trunk/content/security/cves/CVE-2012-0037.html (added)
+++ websites/staging/ooo-site/trunk/content/security/cves/CVE-2012-0037.html Thu Mar 22 12:27:58 2012
@@ -0,0 +1,114 @@
+<!--#include virtual="/doctype.html" -->
+<html>
+<head>
+<link href="/css/ooo.css" rel="stylesheet" type="text/css">
+
+
+ <title>CVE-2012-0037</title>
+ <style type="text/css"></style>
+
+</head>
+<body>
+<!--#include virtual="/brand.html" -->
+ <div id="topbara">
+ <!--#include virtual="/topnav.html" -->
+ <div id="breadcrumbsa"><a href="/">home</a> » <a href="/security/">security</a> » <a href="/security/cves/">cves</a></div>
+ </div>
+ <div id="clear"></div>
+
+
+ <div id="content">
+
+
+
+ <h2><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-0037">CVE-2012-0037</a></h2>
+
+ <h3>
+ OpenOffice.org data leakage vulnerability
+ </h3>
+
+ <ul>
+
+ <h4>Severity: Important</h4>
+
+ <h4>Vendor: The Apache Software Foundation</h4>
+
+ <h4>Versions Affected:</h4>
+ <ul>
+ <li>OpenOffice.org 3.3 and 3.4 Beta, on all platforms.</li>
+ <li>Earlier versions may be also affected.</li>
+ </ul>
+
+
+<h4>Description:</h4>
+<p>
+Description: An XML External Entity (XXE) attack is possible in the above versions of OpenOffice.org. This vulnerability exploits the way in
+which external entities are processed in certain XML components of ODF documents. By crafting an external entity to refer to other local file system
+resources, an attacker would be able to inject contents of other locally- accessible files into the ODF document, without the user's knowledge or permission. Data leakage then becomes possible when that document is later distributed to other parties.</p>
+
+ <h4>Mitigation</h4>
+ <p>OpenOffice.org 3.3.0 and 3.4 beta users can patch their installation with the following patches. Download, unzip and follow the instructions in the enclosed readme.pdf file.</p>
+
+ <ul>
+ <li><a href="http://www.apache.org/dyn/closer.cgi/incubator/ooo/3.3/patches/cve-2012-0037/CVE-2012-0037-win.zip">For Windows installs</a>
+(<a href="http://www.apache.org/dist/incubator/ooo/3.3/patches/cve-2012-0037/CVE-2012-0037-win.zip.md5">MD5</a>)
+(<a href="http://www.apache.org/dist/incubator/ooo/3.3/patches/cve-2012-0037/CVE-2012-0037-win.zip.sha1">SHA1</a>)</li>
+
+ <li><a href="http://www.apache.org/dyn/closer.cgi/incubator/ooo/3.3/patches/cve-2012-0037/CVE-2012-0037-mac.zip">For MacOS installs</a>
+(<a href="http://www.apache.org/dist/incubator/ooo/3.3/patches/cve-2012-0037/CVE-2012-0037-mac.zip.md5">MD5</a>)
+(<a href="http://www.apache.org/dist/incubator/ooo/3.3/patches/cve-2012-0037/CVE-2012-0037-mac.zip.sha1">SHA1</a>)</li></li>
+ <li>Linux and other platforms should consult their distro or OS vendor for patch instructions.</li>
+ </ul>
+
+ <p>This vulnerability is also fixed in Apache OpenOffice 3.4 dev snapshots since March 1st, 2012.</p>
+
+
+<h4>Verifying the Integrity of Downloaded Files</h4>
+
+<p>
+We have provided MD5 and SHA1 hashes of these patches, as well as a detached digital signature, for those who wish to verify the integrity of these files.
+<p>
+The MD5 and SHA1 hashes can be verified using Unix tools like sha1, sha1sum or md5sum.
+<p>
+The PGP signatures can be verified using PGP or GPG. First download the <a href="http://www.apache.org/dist/incubator/ooo/KEYS">KEYS</a> file, as well as the asc signature file for the particular patch from above. Make sure you get these files from the main distribution directory, rather than from a mirror. Then verify the signatures as follows:
+<p>
+<code>
+% pgpk -a KEYS <br>
+% pgpv CVE-2012-0037-{win|mac}.zip.asc <br>
+</code>
+<em>or</em>
+<br>
+<code>
+% pgp -ka KEYS <br>
+% pgp CVE-2012-0037-{win|mac}.zip.asc <br>
+</code>
+<em>or</em>
+<br>
+<code>
+% gpg --import KEYS <br>
+% gpg --verify CVE-2012-0037-{win|mac}.zip.asc <br>
+</code>
+
+
+
+
+ <h4>Source and Building</h4>
+ <p>Information on obtaining the source code for this patch, and for porting it or adapting it to OpenOffice.org
+ derivatives can be found <a href="CVE-2012-0037-src.txt">here</a>.</p>
+
+ <h4>Credit:</h4>
+ <p>
+ The Apache OpenOffice project acknowledges and thanks the discoverer of this issue, Timothy D. Morgan of Virtual Security Research, LLC.
+ </p>
+
+ <hr />
+
+ <p><a href="http://security.openoffice.org">Security Home</a> -> <a href="http://security.openoffice.org/bulletin.html">Bulletin</a> ->
+ <a href="http://security.openoffice.org/security/cves/CVE-2012-0037.html">CVE-2012-0037</a></p>
+
+ </div>
+
+<!--#include virtual="/footer.html" -->
+
+</body>
+</html>
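Review bot: the `<ul>` opened at `+ <ul>` directly after the `<h3>` is never closed (the `</ul>` that follows closes only the inner "Versions Affected" list) and it wraps `<h4>` headings rather than `<li>` items, so the page is invalid HTML; drop that outer `<ul>`. Further markup problems in the same block: the MacOS entry ends with a doubled `</li></li>`; the `<p>` elements in "Verifying the Integrity of Downloaded Files" are never closed; and the description paragraph repeats "Description:" immediately after the `<h4>Description:</h4>` heading, with a stray space in "locally- accessible". On substance, the verification section tells readers to fetch "the asc signature file for the particular patch from above", but the download list links only the `.md5` and `.sha1` files; add the `.asc` links beside them (from `www.apache.org/dist/`, as the text itself requires) so the PGP instructions can be followed. The breadcrumb `http://security.openoffice.org/security/cves/CVE-2012-0037.html` also uses a `/security/` path prefix that the sibling "Bulletin" link `http://security.openoffice.org/bulletin.html` does not; the two should agree.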