This is an automated email from the ASF dual-hosted git repository.
git-site-role pushed a commit to branch asf-staging
in repository https://gitbox.apache.org/repos/asf/openoffice-org.git
The following commit(s) were added to refs/heads/asf-staging by this push:
new 6d661388c7 git-site-role commit from build_staging.sh
6d661388c7 is described below
commit 6d661388c79434429454f40f3979063c35064e9c
Author: jenkins <[email protected]>
AuthorDate: Fri Mar 24 14:53:32 2023 +0000
git-site-role commit from build_staging.sh
---
content/feed.xml | 4 ++--
content/security/bulletin.html | 8 ++++++++
content/security/cves/CVE-2022-38745.html | 4 ++--
content/security/cves/CVE-2022-47502.html | 9 +++++----
4 files changed, 17 insertions(+), 8 deletions(-)
diff --git a/content/feed.xml b/content/feed.xml
index e42f3d16fe..4118fad351 100644
--- a/content/feed.xml
+++ b/content/feed.xml
@@ -6,8 +6,8 @@
<atom:link href="http://localhost:8820/feed.xml" rel="self"
type="application/rss+xml" />
<description>OpenOffice.org Feed</description>
<language>en-us</language>
- <pubDate>Wed, 22 Mar 2023 18:22:30 +0000</pubDate>
- <lastBuildDate>Wed, 22 Mar 2023 18:22:30 +0000</lastBuildDate>
+ <pubDate>Fri, 24 Mar 2023 14:52:30 +0000</pubDate>
+ <lastBuildDate>Fri, 24 Mar 2023 14:52:30 +0000</lastBuildDate>
</channel>
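Review bot: the unchanged context in this hunk shows the feed's self link pointing at http://localhost:8820/feed.xml, so the staged feed.xml still carries the build host's local URL rather than the public site address; the pubDate/lastBuildDate refresh is fine, but the generator's base URL should be set for the staging/production host before this feed is published.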
diff --git a/content/security/bulletin.html b/content/security/bulletin.html
index 38c0d9cb3c..b1442e941e 100644
--- a/content/security/bulletin.html
+++ b/content/security/bulletin.html
@@ -37,6 +37,14 @@
subscribe to our <a href="alerts.html">security-alerts mailing
list</a>.</strong>
</p>
+ <h3>Fixed in Apache OpenOffice 4.1.14</h3>
+
+ <ul>
+ <li><a href="cves/CVE-2022-38745.html">CVE-2022-38745</a>: An empty class
path may lead to run arbitrary Java code</li>
+ <li><a href="cves/CVE-2022-40674.html">CVE-2022-40674</a>: "Use after
free" fixed in expat >= 2.4.9</li>
+ <li><a href="cves/CVE-2022-47502.html">CVE-2022-47502</a>: Macro URL
arbitrary script execution without warning</li>
+ </ul>
+
<h3>Fixed in Apache OpenOffice 4.1.13</h3>
<ul>
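Review bot: the new 4.1.14 list links to cves/CVE-2022-40674.html, but that file is not among the four files changed in this commit (only CVE-2022-38745.html and CVE-2022-47502.html are touched), so the link will 404 unless the page already exists on asf-staging; please confirm it is present before promoting. Minor style point on the same hunk: the quoted phrase "Use after free" would read more consistently with the other two entries as a plain description, e.g. `Use-after-free in bundled expat, fixed in expat >= 2.4.9`.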
diff --git a/content/security/cves/CVE-2022-38745.html
b/content/security/cves/CVE-2022-38745.html
index 25ae75a281..1bfe15c484 100644
--- a/content/security/cves/CVE-2022-38745.html
+++ b/content/security/cves/CVE-2022-38745.html
@@ -40,8 +40,8 @@
<strong>Description</strong>
</p>
<p>
- It is possible to configure Apache OpenOffice so that it launches the JVM
giving an empty class path,
- that means: "load classes from the current directory". This may lead to
run arbitrary Java code.
+ Apache OpenOffice versions before 4.1.14 may be configured to add an
empty entry to the Java class path.
+ This may lead to run arbitrary Java code from the current directory.
</p>
<p>
<strong>Severity: Moderate</strong>
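Review bot: the new description's second sentence, "This may lead to run arbitrary Java code from the current directory.", is ungrammatical; suggest `This may allow arbitrary Java code to be loaded and run from the current directory.` The rewording otherwise improves on the old text by naming the affected versions (before 4.1.14) and stating that the class path gains an empty entry rather than being entirely empty.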
diff --git a/content/security/cves/CVE-2022-47502.html
b/content/security/cves/CVE-2022-47502.html
index 7748308595..45a2eadf93 100644
--- a/content/security/cves/CVE-2022-47502.html
+++ b/content/security/cves/CVE-2022-47502.html
@@ -40,10 +40,11 @@
<strong>Description</strong>
</p>
<p>
- Apache OpenOffice supports Office URI Schemes to enable browser
integration of Apache OpenOffice with
- MS SharePoint server. In the affected versions links could be constructed
to call internal macros
- with arbitrary arguments. Which when clicked on, or activated by document
events, could result in
- arbitrary script execution without warning.
+ Apache OpenOffice documents can contain links that call internal macros
with arbitrary arguments.
+ Several URI Schemes are defined for this purpose.Links can be activated
by clicks, or by automatic
+ document events. The execution of such links must be subject to user
approval. In the affected
+ versions of OpenOffice, approval for certain links is not requested; when
activated, such links could
+ therefore result in arbitrary script execution.
</p>
<p>
<strong>Severity: Critical</strong>
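Review bot: the added line `Several URI Schemes are defined for this purpose.Links can be activated` is missing a space after the full stop ("purpose.Links"); suggest `Several URI schemes are defined for this purpose. Links can be activated`, also lowercasing "schemes" since it is not a proper noun here. The new text also drops the old description's statement that the affected versions could be reached via Office URI Scheme browser integration with SharePoint; if that entry point still applies, consider keeping one sentence about it so readers know the links can arrive from outside a document as well.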