This is an automated email from the ASF dual-hosted git repository.
git-site-role pushed a commit to branch asf-staging
in repository https://gitbox.apache.org/repos/asf/openoffice-org.git
The following commit(s) were added to refs/heads/asf-staging by this push:
new 4e4ec62b1f git-site-role commit from build_staging.sh
4e4ec62b1f is described below
commit 4e4ec62b1f507d2ccf5bd6d6af14a4a60fccf5a4
Author: jenkins <[email protected]>
AuthorDate: Thu Dec 28 13:54:50 2023 +0000
git-site-role commit from build_staging.sh
---
content/feed.xml | 4 +-
content/security/bulletin.html | 9 +++
content/security/cves/CVE-2012-5639.html | 108 ++++++++++++++++++++++++++++
content/security/cves/CVE-2022-43680.html | 107 ++++++++++++++++++++++++++++
content/security/cves/CVE-2023-1183.html | 111 +++++++++++++++++++++++++++++
content/security/cves/CVE-2023-47804.html | 113 ++++++++++++++++++++++++++++++
6 files changed, 450 insertions(+), 2 deletions(-)
diff --git a/content/feed.xml b/content/feed.xml
index e5f6902ca1..65a4785ca5 100644
--- a/content/feed.xml
+++ b/content/feed.xml
@@ -6,8 +6,8 @@
<atom:link href="http://localhost:8820/feed.xml"; rel="self"
type="application/rss+xml" />
<description>OpenOffice.org Feed</description>
<language>en-us</language>
- <pubDate>Thu, 28 Dec 2023 09:28:31 +0000</pubDate>
- <lastBuildDate>Thu, 28 Dec 2023 09:28:31 +0000</lastBuildDate>
+ <pubDate>Thu, 28 Dec 2023 13:48:40 +0000</pubDate>
+ <lastBuildDate>Thu, 28 Dec 2023 13:48:40 +0000</lastBuildDate>
</channel>
diff --git a/content/security/bulletin.html b/content/security/bulletin.html
index c9de32a00b..627c87062b 100644
--- a/content/security/bulletin.html
+++ b/content/security/bulletin.html
@@ -38,6 +38,15 @@
subscribe to our <a href="alerts.html">security-alerts mailing
list</a>.</strong>
</p>
+ <h3>Fixed in Apache OpenOffice 4.1.15</h3>
+
+ <ul>
+ <li><a href="cves/CVE-2012-5639.html">CVE-2012-5639</a>: Loading internal
/ external resource without warning.</li>
+ <li><a href="cves/CVE-2022-43680.html">CVE-2022-43680</a>: "Use after
free" fixed in expat >= 2.4.9</li>
+ <li><a href="cves/CVE-2023-1183.html">CVE-2023-1183</a>: Arbitrary file
write in Base</li>
+ <li><a href="cves/CVE-2023-47804.html">CVE-2023-47804</a>: Macro URL
arbitrary script execution</li>
+ </ul>
+
<h3>Fixed in Apache OpenOffice 4.1.14</h3>
<ul>
diff --git a/content/security/cves/CVE-2012-5639.html
b/content/security/cves/CVE-2012-5639.html
new file mode 100644
index 0000000000..cc4f71e9cb
--- /dev/null
+++ b/content/security/cves/CVE-2012-5639.html
@@ -0,0 +1,108 @@
+
+
+<!--#include virtual="/doctype.html" -->
+<html>
+ <head>
+ <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+
+ <link href="/css/ooo.css" rel="stylesheet" type="text/css">
+
+ <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+ <title>CVE-2012-5639</title>
+
+
+ <script src="https://www.apachecon.com/event-images/snippet.js";></script>
+ </head>
+ <body>
+ <!--#include virtual="/brand.html" -->
+ <div id="topbara">
+ <!--#include virtual="/topnav.html" -->
+ <div id="breadcrumbsa"><a href="/">home</a> » <a
href="/security/">security</a> » <a
href="/security/cves/">cves</a></div>
+ </div>
+ <div id="clear"></div>
+
+
+ <div id="content">
+
+
+ <p>
+ <a
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-5639";>CVE-2012-5639</a>
+ </p>
+ <p>
+ <a
href="https://www.openoffice.org/security/cves/CVE-2012-5639.html";>Apache
OpenOffice Advisory</a>
+ </p>
+ <p style="text-align:center; font-size:largest">
+ <strong>Loading internal / external resources without warning</strong>
+ </p>
+ <p style="text-align:center; font-size:larger">
+ <strong>Fixed in Apache OpenOffice 4.1.15</strong>
+ </p>
+ <p>
+ <strong>Description</strong>
+ </p>
+ <p>
+ In Apache OpenOffice and LibreOffice embedded content will be opened
automatically without
+ that a warning is shown.
+ </p>
+ <p>
+ <strong>Severity: Moderate</strong>
+ </p>
+ <p>
+ There are no known exploits of this vulnerability.
+ <br />
+ A proof-of-concept demonstration exists.
+ </p>
+ <p>
+ Thanks to the reporter for discovering this issue.
+ </p>
+ <p>
+ <strong>Vendor: The Apache Software Foundation</strong>
+ </p>
+ <p>
+ <strong>Versions Affected</strong>
+ </p>
+ <p>
+ All Apache OpenOffice versions 4.1.14 and older are affected.
+ <br />
+ OpenOffice.org versions may also be affected.
+ </p>
+ <p>
+ <strong>Mitigation</strong>
+ </p>
+ <p>
+ Install Apache OpenOffice 4.1.15 for the latest maintenance and
cumulative security fixes.
+ Use the Apache OpenOffice <a
href="https://www.openoffice.org/download/";> download page</a>.
+ </p>
+ <p>
+ <strong>Acknowledgments</strong>
+ </p>
+ <p>
+ The Apache OpenOffice Security Team would like to thank Timo Warns and
+ Joachim Mammele for discovering and reporting this attack vector.
+ </p>
+ <p>
+ <strong>Further Information</strong>
+ </p>
+ <p>
+ For additional information and assistance, consult the
+ <a href="https://forum.openoffice.org/";>Apache OpenOffice Community
Forums</a>
+ or make requests to the
+ <a
href="mailto:[email protected]";>[email protected]</a>
+ public mailing list.
+ </p>
+ <p>
+ The latest information on Apache OpenOffice security bulletins can be
found at the
+ <a href="https://www.openoffice.org/security/bulletin.html";>Bulletin
Archive page</a>.
+ </p>
+ <hr />
+ <p>
+ <a href="https://security.openoffice.org";>Security Home</a>->
+ <a
href="https://www.openoffice.org/security/bulletin.html";>Bulletin</a>->
+ <a
href="https://www.openoffice.org/security/cves/CVE-2022-47502.html";>CVE-2012-5639</a>
+ </p>
+
+
+ </div>
+ <!--#include virtual="/footer.html" -->
+ </body>
+</html>
diff --git a/content/security/cves/CVE-2022-43680.html
b/content/security/cves/CVE-2022-43680.html
new file mode 100644
index 0000000000..0c275dc715
--- /dev/null
+++ b/content/security/cves/CVE-2022-43680.html
@@ -0,0 +1,107 @@
+
+
+<!--#include virtual="/doctype.html" -->
+<html>
+ <head>
+ <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+
+ <link href="/css/ooo.css" rel="stylesheet" type="text/css">
+
+ <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+ <title>CVE-2022-43680</title>
+
+
+ <script src="https://www.apachecon.com/event-images/snippet.js";></script>
+ </head>
+ <body>
+ <!--#include virtual="/brand.html" -->
+ <div id="topbara">
+ <!--#include virtual="/topnav.html" -->
+ <div id="breadcrumbsa"><a href="/">home</a> » <a
href="/security/">security</a> » <a
href="/security/cves/">cves</a></div>
+ </div>
+ <div id="clear"></div>
+
+
+ <div id="content">
+
+
+ <p>
+ <a
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-43680";>CVE-2022-43680</a>
+ </p>
+ <p>
+ <a
href="https://www.openoffice.org/security/cves/CVE-2022-43680.html";>Apache
OpenOffice Advisory</a>
+ </p>
+ <p style="text-align:center; font-size:largest">
+ <strong>Use-after free" fixed in expat >= 2.4.9</strong>
+ </p>
+ <p style="text-align:center; font-size:larger">
+ <strong>Fixed in Apache OpenOffice 4.1.15</strong>
+ </p>
+ <p>
+ <strong>Description</strong>
+ </p>
+ <p>
+ In libexpat through 2.4.9, there is a use-after free caused by overeager
destruction of a shared DTD
+ in XML_ExternalEntityParserCreate in out-of-memory situations.
+ </p>
+ <p>
+ <strong>Severity: Moderate</strong>
+ </p>
+ <p>
+ There are no known exploits of this vulnerability.
+ <br />
+ A proof-of-concept demonstration does not exist.
+ </p>
+ <p>
+ Thanks to the reporter for discovering this issue.
+ </p>
+ <p>
+ <strong>Vendor: The Apache Software Foundation</strong>
+ </p>
+ <p>
+ <strong>Versions Affected</strong>
+ </p>
+ <p>
+ All Apache OpenOffice versions 4.1.14 and older are affected.
+ <br />
+ OpenOffice.org versions may also be affected.
+ </p>
+ <p>
+ <strong>Mitigation</strong>
+ </p>
+ <p>
+ Install Apache OpenOffice 4.1.15 for the latest maintenance and
cumulative security fixes.
+ Use the Apache OpenOffice <a
href="https://www.openoffice.org/download/";> download page</a>.
+ </p>
+ <p>
+ <strong>Acknowledgments</strong>
+ </p>
+ <p>
+ n/a
+ </p>
+ <p>
+ <strong>Further Information</strong>
+ </p>
+ <p>
+ For additional information and assistance, consult the
+ <a href="https://forum.openoffice.org/";>Apache OpenOffice Community
Forums</a>
+ or make requests to the
+ <a
href="mailto:[email protected]";>[email protected]</a>
+ public mailing list.
+ </p>
+ <p>
+ The latest information on Apache OpenOffice security bulletins can be
found at the
+ <a href="https://www.openoffice.org/security/bulletin.html";>Bulletin
Archive page</a>.
+ </p>
+ <hr />
+ <p>
+ <a href="https://security.openoffice.org";>Security Home</a>->
+ <a
href="https://www.openoffice.org/security/bulletin.html";>Bulletin</a>->
+ <a
href="https://www.openoffice.org/security/cves/CVE-2022-43680.html";>CVE-2022-43680</a>
+ </p>
+
+
+ </div>
+ <!--#include virtual="/footer.html" -->
+ </body>
+</html>
diff --git a/content/security/cves/CVE-2023-1183.html
b/content/security/cves/CVE-2023-1183.html
new file mode 100644
index 0000000000..3df6eaef33
--- /dev/null
+++ b/content/security/cves/CVE-2023-1183.html
@@ -0,0 +1,111 @@
+
+
+<!--#include virtual="/doctype.html" -->
+<html>
+ <head>
+ <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+
+ <link href="/css/ooo.css" rel="stylesheet" type="text/css">
+
+ <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+ <title>CVE-2023-1183</title>
+
+
+ <script src="https://www.apachecon.com/event-images/snippet.js";></script>
+ </head>
+ <body>
+ <!--#include virtual="/brand.html" -->
+ <div id="topbara">
+ <!--#include virtual="/topnav.html" -->
+ <div id="breadcrumbsa"><a href="/">home</a> » <a
href="/security/">security</a> » <a
href="/security/cves/">cves</a></div>
+ </div>
+ <div id="clear"></div>
+
+
+ <div id="content">
+
+
+ <p>
+ <a
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-1183";>CVE-2023-1183</a>
+ </p>
+ <p>
+ <a
href="https://www.openoffice.org/security/cves/CVE-2023-1183.html";>Apache
OpenOffice Advisory</a>
+ </p>
+ <p style="text-align:center; font-size:largest">
+ <strong>Arbitrary file write in Apache OpenOffice Base</strong>
+ </p>
+ <p style="text-align:center; font-size:larger">
+ <strong>Fixed in Apache OpenOffice 4.1.15</strong>
+ </p>
+ <p>
+ <strong>Description</strong>
+ </p>
+ <p>
+ An attacker can craft an OBD containing a "database/script" file with a
SCRIPT command where
+ the contents of the file could be written to a new file whose location
was determined by the
+ attacker.
+ </p>
+ <p>
+ <strong>Severity: Moderate</strong>
+ </p>
+ <p>
+ There are no known exploits of this vulnerability.
+ <br />
+ A proof-of-concept demonstration exists.
+ </p>
+ <p>
+ Thanks to the reporter for discovering this issue.
+ </p>
+ <p>
+ <strong>Vendor: The Apache Software Foundation</strong>
+ </p>
+ <p>
+ <strong>Versions Affected</strong>
+ </p>
+ <p>
+ All Apache OpenOffice versions 4.1.14 and older are affected.
+ <br />
+ OpenOffice.org versions may also be affected.
+ </p>
+ <p>
+ <strong>Mitigation</strong>
+ </p>
+ <p>
+ Install Apache OpenOffice 4.1.15 for the latest maintenance and
cumulative security fixes.
+ Use the Apache OpenOffice <a
href="https://www.openoffice.org/download/";> download page</a>.
+ </p>
+ <p>
+ <strong>Acknowledgments</strong>
+ </p>
+ <p>
+ The Apache OpenOffice Security Team would like to thank Gregor Kopf of
Secfault Security
+ GmbH (Germany) for discovering and reporting this attack vector and Fred
Toussi for kindly
+ providing a solution to this issue within HSQLDB.
+
+ </p>
+ <p>
+ <strong>Further Information</strong>
+ </p>
+ <p>
+ For additional information and assistance, consult the
+ <a href="https://forum.openoffice.org/";>Apache OpenOffice Community
Forums</a>
+ or make requests to the
+ <a
href="mailto:[email protected]";>[email protected]</a>
+ public mailing list.
+ </p>
+ <p>
+ The latest information on Apache OpenOffice security bulletins can be
found at the
+ <a href="https://www.openoffice.org/security/bulletin.html";>Bulletin
Archive page</a>.
+ </p>
+ <hr />
+ <p>
+ <a href="https://security.openoffice.org";>Security Home</a>->
+ <a
href="https://www.openoffice.org/security/bulletin.html";>Bulletin</a>->
+ <a
href="https://www.openoffice.org/security/cves/CVE-2023-1183.html";>2023-1183</a>
+ </p>
+
+
+ </div>
+ <!--#include virtual="/footer.html" -->
+ </body>
+</html>
diff --git a/content/security/cves/CVE-2023-47804.html
b/content/security/cves/CVE-2023-47804.html
new file mode 100644
index 0000000000..ba7a509464
--- /dev/null
+++ b/content/security/cves/CVE-2023-47804.html
@@ -0,0 +1,113 @@
+
+
+<!--#include virtual="/doctype.html" -->
+<html>
+ <head>
+ <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+
+ <link href="/css/ooo.css" rel="stylesheet" type="text/css">
+
+ <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+ <title>CVE-2023-47804</title>
+
+
+ <script src="https://www.apachecon.com/event-images/snippet.js";></script>
+ </head>
+ <body>
+ <!--#include virtual="/brand.html" -->
+ <div id="topbara">
+ <!--#include virtual="/topnav.html" -->
+ <div id="breadcrumbsa"><a href="/">home</a> » <a
href="/security/">security</a> » <a
href="/security/cves/">cves</a></div>
+ </div>
+ <div id="clear"></div>
+
+
+ <div id="content">
+
+
+ <p>
+ <a
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-47804";>CVE-2023-47804</a>
+ </p>
+ <p>
+ <a
href="https://www.openoffice.org/security/cves/CVE-2023-47804.html";>Apache
OpenOffice Advisory</a>
+ </p>
+ <p style="text-align:center; font-size:largest">
+ <strong>Macro URL arbitrary script execution</strong>
+ </p>
+ <p style="text-align:center; font-size:larger">
+ <strong>Fixed in Apache OpenOffice 4.1.15</strong>
+ </p>
+ <p>
+ <strong>Description</strong>
+ </p>
+ <p>
+ Apache OpenOffice documents can contain links that call internal macros
with arbitrary
+ arguments. Several URI Schemes are defined for this purpose. Links can be
activated by
+ clicks, or by automatic document events. The execution of such links must
be subject to
+ user approval. In the affected versions of Apache OpenOffice, approval
for certain links
+ is not requested; when activated, such links could therefore result in
arbitrary script
+ execution. This is a corner case of
+ <a
href="https://www.openoffice.org/security/cves/CVE-2022-47502.html";>2022-47502</a>.
+ </p>
+ <p>
+ <strong>Severity: Moderate</strong>
+ </p>
+ <p>
+ There are no known exploits of this vulnerability.
+ <br />
+ A proof-of-concept demonstration exists.
+ </p>
+ <p>
+ Thanks to the reporter for discovering this issue.
+ </p>
+ <p>
+ <strong>Vendor: The Apache Software Foundation</strong>
+ </p>
+ <p>
+ <strong>Versions Affected</strong>
+ </p>
+ <p>
+ All Apache OpenOffice versions 4.1.14 and older are affected.
+ <br />
+ OpenOffice.org versions may also be affected.
+ </p>
+ <p>
+ <strong>Mitigation</strong>
+ </p>
+ <p>
+ Install Apache OpenOffice 4.1.15 for the latest maintenance and
cumulative security fixes.
+ Use the Apache OpenOffice <a
href="https://www.openoffice.org/download/";> download page</a>.
+ </p>
+ <p>
+ <strong>Acknowledgments</strong>
+ </p>
+ <p>
+ The Apache OpenOffice Security Team would like to thank Amel BOUZIANE-
LEBLOND (aka Icare
+ Bug Bounty Hunter) for discovering and reporting this attack vector.
+ </p>
+ <p>
+ <strong>Further Information</strong>
+ </p>
+ <p>
+ For additional information and assistance, consult the
+ <a href="https://forum.openoffice.org/";>Apache OpenOffice Community
Forums</a>
+ or make requests to the
+ <a
href="mailto:[email protected]";>[email protected]</a>
+ public mailing list.
+ </p>
+ <p>
+ The latest information on Apache OpenOffice security bulletins can be
found at the
+ <a href="https://www.openoffice.org/security/bulletin.html";>Bulletin
Archive page</a>.
+ </p>
+ <hr />
+ <p>
+ <a href="https://security.openoffice.org";>Security Home</a>->
+ <a
href="https://www.openoffice.org/security/bulletin.html";>Bulletin</a>->
+ <a
href="https://www.openoffice.org/security/cves/CVE-2023-47804.html";>2023-47804</a>
+ </p>
+
+
+ </div>
+ <!--#include virtual="/footer.html" -->
+ </body>
+</html>
