Posted to issues@openoffice.apache.org by bu...@apache.org on 2016/03/29 01:23:17 UTC

[Issue 126896] New: bundled curl version 7.19.7 has many vulnerabilities

https://bz.apache.org/ooo/show_bug.cgi?id=126896

          Issue ID: 126896
        Issue Type: DEFECT
           Summary: bundled curl version 7.19.7 has many vulnerabilities
           Product: Build Tools
           Version: 4.2.0-dev
          Hardware: All
                OS: All
            Status: CONFIRMED
          Severity: Normal
          Priority: P5 (lowest)
         Component: external prerequisites
          Assignee: issues@openoffice.apache.org
          Reporter: truckman@apache.org

Created attachment 85374
  --> https://bz.apache.org/ooo/attachment.cgi?id=85374&action=edit
patch to upgrade bundled curl to version 7.48.0

The curl-7.19.7 software bundled with OpenOffice has these security
vulnerabilities:

    CVE-2010-0734
    CVE-2011-2192
    CVE-2013-2174
    CVE-2014-3143
    CVE-2014-3144
    CVE-2014-3145
    CVE-2014-3148
    CVE-2014-8150
    CVE-2015-3153
    CVE-2016-0755

The attached patch upgrades curl to version 7.48.0, which has no
publicly disclosed vulnerabilities at this time.

This version of curl appears to require no patches to integrate it
with OpenOffice.

-- 
You are receiving this mail because:
You are the assignee for the issue.

[Issue 126896] bundled curl version 7.19.7 has many vulnerabilities

Posted by bu...@apache.org.
https://bz.apache.org/ooo/show_bug.cgi?id=126896

Andrea Pescetti <pe...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|---                         |4.2.0
                 CC|                            |pescetti@apache.org


[Issue 126896] bundled curl version 7.19.7 has many vulnerabilities

Posted by bu...@apache.org.
https://bz.apache.org/ooo/show_bug.cgi?id=126896

oooforum <oo...@free.fr> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |oooforum@free.fr
         Issue Type|DEFECT                      |PATCH

--- Comment #1 from oooforum <oo...@free.fr> ---
Set status as PATCH


[Issue 126896] bundled curl version 7.19.7 has many vulnerabilities

Posted by bu...@apache.org.
https://bz.apache.org/ooo/show_bug.cgi?id=126896

Don Lewis <tr...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #85374|0                           |1
        is obsolete|                            |

--- Comment #2 from Don Lewis <tr...@apache.org> ---
Created attachment 85615
  --> https://bz.apache.org/ooo/attachment.cgi?id=85615&action=edit
patch to upgrade bundled curl to version 7.49.1

The latest version of curl is now 7.49.1.

Update LICENSE info (copyright date and contributor info).

This has been tested on FreeBSD, CentOS, and Windows by doing:
  File->Open and specifying an ftp URL.

Note: We have a tarball of the old version of curl checked into svn under
ext_sources.  Should this be removed and the new version checked in?


[Issue 126896] bundled curl version 7.19.7 has many vulnerabilities

Posted by bu...@apache.org.
https://bz.apache.org/ooo/show_bug.cgi?id=126896

--- Comment #4 from SVN Robot <sv...@dev.null.org> ---
"truckman" committed SVN revision 1754469 into trunk:
#i126896#:  bundled curl version 7.19.7 has many vulnerabilities


[Issue 126896] bundled curl version 7.19.7 has many vulnerabilities

Posted by bu...@apache.org.
https://bz.apache.org/ooo/show_bug.cgi?id=126896

Don Lewis <tr...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|CONFIRMED                   |RESOLVED

--- Comment #5 from Don Lewis <tr...@apache.org> ---
Patch to upgrade to curl 7.49.1 committed.


[Issue 126896] bundled curl version 7.19.7 has many vulnerabilities

Posted by bu...@apache.org.
https://bz.apache.org/ooo/show_bug.cgi?id=126896

--- Comment #3 from Don Lewis <tr...@apache.org> ---
Curl did need a patch for Windows to produce a library with the name that we
expect.
