This is an automated email from the ASF dual-hosted git repository.
git-site-role pushed a commit to branch asf-staging
in repository https://gitbox.apache.org/repos/asf/openoffice-org.git
The following commit(s) were added to refs/heads/asf-staging by this push:
new cf1d551 git-site-role commit from build_staging.sh
cf1d551 is described below
commit cf1d551857dc6e4ec3e3978426411d6f956b4c40
Author: jenkins <[email protected]>
AuthorDate: Mon Oct 11 13:52:02 2021 +0000
git-site-role commit from build_staging.sh
---
content/feed.xml | 4 +-
content/security/bulletin.html | 12 ++--
content/security/cves/CVE-2021-41830.html | 115 ++++++++++++++++++++++++++++++
content/security/cves/CVE-2021-41831.html | 113 +++++++++++++++++++++++++++++
content/security/cves/CVE-2021-41832.html | 113 +++++++++++++++++++++++++++++
5 files changed, 351 insertions(+), 6 deletions(-)
diff --git a/content/feed.xml b/content/feed.xml
index 0033a42..0a94ad9 100644
--- a/content/feed.xml
+++ b/content/feed.xml
@@ -6,8 +6,8 @@
<atom:link href="http://localhost:8820/feed.xml" rel="self"
type="application/rss+xml" />
<description>OpenOffice.org Feed</description>
<language>en-us</language>
- <pubDate>Fri, 8 Oct 2021 20:32:23 +0000</pubDate>
- <lastBuildDate>Fri, 8 Oct 2021 20:32:23 +0000</lastBuildDate>
+ <pubDate>Mon, 11 Oct 2021 13:51:12 +0000</pubDate>
+ <lastBuildDate>Mon, 11 Oct 2021 13:51:12 +0000</lastBuildDate>
</channel>
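Review bot: The `atom:link` self reference in the context lines at the top of this hunk is `http://localhost:8820/feed.xml`, so the staged feed advertises a build-host address as its own URL; the build should emit the public site URL there. The only changed lines are `pubDate` and `lastBuildDate`, so this file is touched even though no feed item changed in this commit; deriving the dates from the newest item would keep the diff empty for such runs.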
diff --git a/content/security/bulletin.html b/content/security/bulletin.html
index 9997849..e628004 100644
--- a/content/security/bulletin.html
+++ b/content/security/bulletin.html
@@ -40,15 +40,19 @@
<h3>Fixed in Apache OpenOffice 4.1.11</h3>
<ul>
- <li><a href="cves/CVE-2021-28129.html">CVE-2021-28129</a>: DEB packaging
installed with a non-root userid and groupid</li>
- <li><a href="cves/CVE-2021-33035.html">CVE-2021-33035</a>: Buffer overflow
from a crafted DBF file</li>
- <li><a href="cves/CVE-2021-40439.html">CVE-2021-40439</a>: "Billion Laughs"
fixed in Expat >=2.4.0</li>
+ <li><a href="cves/CVE-2021-28129.html">CVE-2021-28129</a>: DEB packaging
installed with a non-root userid and groupid</li>
+ <li><a href="cves/CVE-2021-33035.html">CVE-2021-33035</a>: Buffer overflow
from a crafted DBF file</li>
+ <li><a href="cves/CVE-2021-40439.html">CVE-2021-40439</a>: "Billion
Laughs" fixed in Expat >=2.4.0</li>
+ <li><a href="cves/CVE-2021-41830.html">CVE-2021-41830</a>: #1 Content
Manipulation with Certificate Double Attack</li>
+ <li><a href="cves/CVE-2021-41830.html">CVE-2021-41830</a>: #2 Macro
Manipulation with Certificate Double Attack</li>
+ <li><a href="cves/CVE-2021-41831.html">CVE-2021-41831</a>: #3 Timestamp
Manipulation with Signature Wrapping</li>
+ <li><a href="cves/CVE-2021-41832.html">CVE-2021-41832</a>: #4 Content
Manipulation with Certificate Validation Attack</li>
</ul>
<h3>Fixed in Apache OpenOffice 4.1.10</h3>
<ul>
- <li><a href="cves/CVE-2021-30245.html">CVE-2021-30245</a>: Code execution
in Apache OpenOffice via non-http(s) schemes in Hyperlinks</li>
+ <li><a href="cves/CVE-2021-30245.html">CVE-2021-30245</a>: Code execution
in Apache OpenOffice via non-http(s) schemes in Hyperlinks</li>
</ul>
<h3>Fixed in Apache OpenOffice 4.1.8</h3>
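Review bot: The four added entries under 4.1.11 list CVE-2021-41830 twice, as #1 and #2, both linking to `cves/CVE-2021-41830.html`; a reader scanning by CVE id will take the second for a duplicate. Consider a single `<li>` for that CVE that names both attacks, as the advisory page does in its title block. Separately, the three existing 4.1.11 entries and the 4.1.10 entry are removed and re-added with no visible text change, which looks like whitespace-only churn and buries the real additions; keep the original indentation or move the reformat into its own commit.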
diff --git a/content/security/cves/CVE-2021-41830.html
b/content/security/cves/CVE-2021-41830.html
new file mode 100644
index 0000000..639ab09
--- /dev/null
+++ b/content/security/cves/CVE-2021-41830.html
@@ -0,0 +1,115 @@
+
+<!--#include virtual="/doctype.html" -->
+<html>
+ <head>
+ <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+
+ <link href="/css/ooo.css" rel="stylesheet" type="text/css">
+
+ <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+ <title>CVE-2021-41830</title>
+
+
+ <script src="https://www.apachecon.com/event-images/snippet.js"></script>
+ </head>
+ <body>
+ <!--#include virtual="/brand.html" -->
+ <div id="topbara">
+ <!--#include virtual="/topnav.html" -->
+ <div id="breadcrumbsa"><a href="/">home</a> » <a
href="/security/">security</a> » <a
href="/security/cves/">cves</a></div>
+ </div>
+ <div id="clear"></div>
+
+
+ <div id="content">
+
+
+ <p>
+ <a
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-41830">CVE-2021-41830</a>
+ </p>
+ <p>
+ <a
href="https://www.openoffice.org/security/cves/CVE-2021-41830.html">Apache
OpenOffice Advisory</a>
+ </p>
+ <p style="text-align:center; font-size:largest">
+ <strong>#1 Content Manipulation with Certificate Double Attack</strong>
+ <br />
+ <strong>#2 Macro Manipulation with Certificate Double Attack</strong>
+ </p>
+ <p style="text-align:center; font-size:larger">
+ <strong>Fixed in Apache OpenOffice 4.1.11</strong>
+ </p>
+ <p>
+ <strong>Description</strong>
+ </p>
+ <p>
+ It is possible for an attacker to manipulate signed documents and macros
to appear to come from a trusted source.
+ <br />
+ An attacker can use the vulnerabilities to convert an untrusted digital
signature into trusted ones
+ and change the content of the ODF document without invalidating the
signature.
+ </p>
+ <p>
+ <strong>Severity: High</strong>
+ </p>
+ <p>
+ There are no known exploits of this vulnerability.
+ <br />
+ A proof-of-concept demonstration exists.
+ </p>
+ <p>
+ Thanks to the reporter for discovering this issue.
+ </p>
+ <p>
+ <strong>Vendor: The Apache Software Foundation</strong>
+ </p>
+ <p>
+ <strong>Versions Affected</strong>
+ </p>
+ <p>
+ All Apache OpenOffice versions 4.1.10 and older are affected.
+ <br />
+ OpenOffice.org versions may also be affected.
+ </p>
+ <p>
+ <strong>Mitigation</strong>
+ </p>
+ <p>
+ Install Apache OpenOffice 4.1.11 for the latest maintenance and
cumulative security fixes.
+ Use the Apache OpenOffice <a
href="https://www.openoffice.org/download/"> download page</a>.
+ </p>
+ <p>
+ <strong>Acknowledgments</strong>
+ </p>
+ <p>
+ The Apache OpenOffice Security Team would like to thank Simon Rohlmann,
Vladislav Mladenov,
+ Christian Mainka and Jörg Schwenk, Ruhr University Bochum, Germany, for
discovering and reporting this
+ attack vector.
+ </p>
+ <p>
+ <strong>Further Information</strong>
+ </p>
+ <p>
+ This issue was also reported to LibreOffice with CVE-2021-25633.
+ </p>
+ <p>
+ For additional information and assistance, consult the
+ <a href="https://forum.openoffice.org/">Apache OpenOffice Community
Forums</a>
+ or make requests to the
+ <a
href="mailto:[email protected]">[email protected]</a>
+ public mailing list.
+ </p>
+ <p>
+ The latest information on Apache OpenOffice security bulletins can be
found at the
+ <a href="https://www.openoffice.org/security/bulletin.html">Bulletin
Archive page</a>.
+ </p>
+ <hr />
+ <p>
+ <a href="https://security.openoffice.org">Security Home</a>->
+ <a
href="https://www.openoffice.org/security/bulletin.html">Bulletin</a>->
+ <a
href="https://www.openoffice.org/security/cves/CVE-2021-41830.html">CVE-2021-41830</a>
+ </p>
+
+
+ </div>
+ <!--#include virtual="/footer.html" -->
+ </body>
+</html>
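Review bot: The `<head>` loads `https://www.apachecon.com/event-images/snippet.js` from a different host with no `integrity` or `crossorigin` attribute, on a security advisory page; pin it with Subresource Integrity, serve it from the site itself, or leave it out of the advisory template. The same `<head>` declares the Content-Type `<meta>` twice, once unclosed and once self-closed; one is enough. In the title block, `font-size:largest` is not a CSS font-size keyword (`larger`, `x-large` and `xx-large` are), so that declaration is ignored.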
diff --git a/content/security/cves/CVE-2021-41831.html
b/content/security/cves/CVE-2021-41831.html
new file mode 100644
index 0000000..6bfb04f
--- /dev/null
+++ b/content/security/cves/CVE-2021-41831.html
@@ -0,0 +1,113 @@
+
+<!--#include virtual="/doctype.html" -->
+<html>
+ <head>
+ <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+
+ <link href="/css/ooo.css" rel="stylesheet" type="text/css">
+
+ <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+ <title>CVE-2021-41831</title>
+
+
+ <script src="https://www.apachecon.com/event-images/snippet.js"></script>
+ </head>
+ <body>
+ <!--#include virtual="/brand.html" -->
+ <div id="topbara">
+ <!--#include virtual="/topnav.html" -->
+ <div id="breadcrumbsa"><a href="/">home</a> » <a
href="/security/">security</a> » <a
href="/security/cves/">cves</a></div>
+ </div>
+ <div id="clear"></div>
+
+
+ <div id="content">
+
+
+ <p>
+ <a
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-41831">CVE-2021-41831</a>
+ </p>
+ <p>
+ <a
href="https://www.openoffice.org/security/cves/CVE-2021-41831.html">Apache
OpenOffice Advisory</a>
+ </p>
+ <p style="text-align:center; font-size:largest">
+ <strong>#3 Timestamp Manipulation with Signature Wrapping</strong>
+ </p>
+ <p style="text-align:center; font-size:larger">
+ <strong>Fixed in Apache OpenOffice 4.1.11</strong>
+ </p>
+ <p>
+ <strong>Description</strong>
+ </p>
+ <p>
+ It is possible for an attacker to manipulate the timestamp of signed
documents.
+ <br />
+ An attacker can use the vulnerability to convert an untrusted digital
signature into trusted ones
+ and allows the time stamp of the signature to be changed arbitrarily.
+ </p>
+ <p>
+ <strong>Severity: Moderate</strong>
+ </p>
+ <p>
+ There are no known exploits of this vulnerability.
+ <br />
+ A proof-of-concept demonstration exists.
+ </p>
+ <p>
+ Thanks to the reporter for discovering this issue.
+ </p>
+ <p>
+ <strong>Vendor: The Apache Software Foundation</strong>
+ </p>
+ <p>
+ <strong>Versions Affected</strong>
+ </p>
+ <p>
+ All Apache OpenOffice versions 4.1.10 and older are affected.
+ <br />
+ OpenOffice.org versions may also be affected.
+ </p>
+ <p>
+ <strong>Mitigation</strong>
+ </p>
+ <p>
+ Install Apache OpenOffice 4.1.11 for the latest maintenance and
cumulative security fixes.
+ Use the Apache OpenOffice <a
href="https://www.openoffice.org/download/"> download page</a>.
+ </p>
+ <p>
+ <strong>Acknowledgments</strong>
+ </p>
+ <p>
+ The Apache OpenOffice Security Team would like to thank Simon Rohlmann,
Vladislav Mladenov,
+ Christian Mainka and Jörg Schwenk, Ruhr University Bochum, Germany, for
discovering and reporting this
+ attack vector.
+ </p>
+ <p>
+ <strong>Further Information</strong>
+ </p>
+ <p>
+ This issue was also reported to LibreOffice with CVE-2021-25634.
+ </p>
+ <p>
+ For additional information and assistance, consult the
+ <a href="https://forum.openoffice.org/">Apache OpenOffice Community
Forums</a>
+ or make requests to the
+ <a
href="mailto:[email protected]">[email protected]</a>
+ public mailing list.
+ </p>
+ <p>
+ The latest information on Apache OpenOffice security bulletins can be
found at the
+ <a href="https://www.openoffice.org/security/bulletin.html">Bulletin
Archive page</a>.
+ </p>
+ <hr />
+ <p>
+ <a href="https://security.openoffice.org">Security Home</a>->
+ <a
href="https://www.openoffice.org/security/bulletin.html">Bulletin</a>->
+ <a
href="https://www.openoffice.org/security/cves/CVE-2021-41831.html">CVE-2021-41831</a>
+ </p>
+
+
+ </div>
+ <!--#include virtual="/footer.html" -->
+ </body>
+</html>
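Review bot: The second sentence of the Description does not parse: "An attacker can use the vulnerability to convert an untrusted digital signature into trusted ones and allows the time stamp of the signature to be changed arbitrarily." Its first half matches the wording on the CVE-2021-41830 and CVE-2021-41832 pages, so please confirm it applies to the timestamp issue; if it does, wording such as "to make an untrusted digital signature appear trusted and to change the time stamp of the signature arbitrarily" reads cleanly. The paragraph also writes "timestamp" in its first sentence and "time stamp" in its second; pick one.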
diff --git a/content/security/cves/CVE-2021-41832.html
b/content/security/cves/CVE-2021-41832.html
new file mode 100644
index 0000000..027821a
--- /dev/null
+++ b/content/security/cves/CVE-2021-41832.html
@@ -0,0 +1,113 @@
+
+<!--#include virtual="/doctype.html" -->
+<html>
+ <head>
+ <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+
+ <link href="/css/ooo.css" rel="stylesheet" type="text/css">
+
+ <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+ <title>CVE-2021-41832</title>
+
+
+ <script src="https://www.apachecon.com/event-images/snippet.js"></script>
+ </head>
+ <body>
+ <!--#include virtual="/brand.html" -->
+ <div id="topbara">
+ <!--#include virtual="/topnav.html" -->
+ <div id="breadcrumbsa"><a href="/">home</a> » <a
href="/security/">security</a> » <a
href="/security/cves/">cves</a></div>
+ </div>
+ <div id="clear"></div>
+
+
+ <div id="content">
+
+
+ <p>
+ <a
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-41832">CVE-2021-41832</a>
+ </p>
+ <p>
+ <a
href="https://www.openoffice.org/security/cves/CVE-2021-41832.html">Apache
OpenOffice Advisory</a>
+ </p>
+ <p style="text-align:center; font-size:largest">
+ <strong>#4 Content Manipulation with Certificate Validation
Attack</strong>
+ </p>
+ <p style="text-align:center; font-size:larger">
+ <strong>Fixed in Apache OpenOffice 4.1.11</strong>
+ </p>
+ <p>
+ <strong>Description</strong>
+ </p>
+ <p>
+ It is possible for an attacker to manipulate documents to appear to be
signed by a trusted source.
+ <br />
+ An attacker can use the vulnerability to convert an untrusted digital
signature into trusted ones
+ and change the content of the ODF document without invalidating the
signature.
+ </p>
+ <p>
+ <strong>Severity: Moderate</strong>
+ </p>
+ <p>
+ There are no known exploits of this vulnerability.
+ <br />
+ A proof-of-concept demonstration exists.
+ </p>
+ <p>
+ Thanks to the reporter for discovering this issue.
+ </p>
+ <p>
+ <strong>Vendor: The Apache Software Foundation</strong>
+ </p>
+ <p>
+ <strong>Versions Affected</strong>
+ </p>
+ <p>
+ All Apache OpenOffice versions 4.1.10 and older are affected.
+ <br />
+ OpenOffice.org versions may also be affected.
+ </p>
+ <p>
+ <strong>Mitigation</strong>
+ </p>
+ <p>
+ Install Apache OpenOffice 4.1.11 for the latest maintenance and
cumulative security fixes.
+ Use the Apache OpenOffice <a
href="https://www.openoffice.org/download/"> download page</a>.
+ </p>
+ <p>
+ <strong>Acknowledgments</strong>
+ </p>
+ <p>
+ The Apache OpenOffice Security Team would like to thank Simon Rohlmann,
Vladislav Mladenov,
+ Christian Mainka and Jörg Schwenk, Ruhr University Bochum, Germany, for
discovering and reporting this
+ attack vector.
+ </p>
+ <p>
+ <strong>Further Information</strong>
+ </p>
+ <p>
+ This issue was also reported to LibreOffice with CVE-2021-25635.
+ </p>
+ <p>
+ For additional information and assistance, consult the
+ <a href="https://forum.openoffice.org/">Apache OpenOffice Community
Forums</a>
+ or make requests to the
+ <a
href="mailto:[email protected]">[email protected]</a>
+ public mailing list.
+ </p>
+ <p>
+ The latest information on Apache OpenOffice security bulletins can be
found at the
+ <a href="https://www.openoffice.org/security/bulletin.html">Bulletin
Archive page</a>.
+ </p>
+ <hr />
+ <p>
+ <a href="https://security.openoffice.org">Security Home</a>->
+ <a
href="https://www.openoffice.org/security/bulletin.html">Bulletin</a>->
+ <a
href="https://www.openoffice.org/security/cves/CVE-2021-41832.html">CVE-2021-41832</a>
+ </p>
+
+
+ </div>
+ <!--#include virtual="/footer.html" -->
+ </body>
+</html>
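Review bot: The Description is almost word for word the one on the CVE-2021-41830 page (both end "change the content of the ODF document without invalidating the signature"), yet this page states Severity: Moderate and that one states High, and nothing in the text tells the reader what separates a "Certificate Validation Attack" from a "Certificate Double Attack". Add a sentence on the precondition or limitation behind the lower rating. The line "Thanks to the reporter for discovering this issue." is redundant with the Acknowledgments paragraph, which names the reporters, and can be dropped.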