openoffice-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From build...@apache.org
Subject svn commit: r999163 - in /websites/staging/ooo-site/trunk: cgi-bin/ content/ content/security/cves/CVE-2016-6803.html content/security/cves/CVE-2016-6804.html
Date Tue, 11 Oct 2016 00:28:11 GMT
Author: buildbot
Date: Tue Oct 11 00:28:10 2016
New Revision: 999163

Log:
Staging update by buildbot for ooo-site

Added:
    websites/staging/ooo-site/trunk/content/security/cves/CVE-2016-6803.html
    websites/staging/ooo-site/trunk/content/security/cves/CVE-2016-6804.html
Modified:
    websites/staging/ooo-site/trunk/cgi-bin/   (props changed)
    websites/staging/ooo-site/trunk/content/   (props changed)

Propchange: websites/staging/ooo-site/trunk/cgi-bin/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Tue Oct 11 00:28:10 2016
@@ -1 +1 @@
-1764183
+1764185

Propchange: websites/staging/ooo-site/trunk/content/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Tue Oct 11 00:28:10 2016
@@ -1 +1 @@
-1764183
+1764185

Added: websites/staging/ooo-site/trunk/content/security/cves/CVE-2016-6803.html
==============================================================================
--- websites/staging/ooo-site/trunk/content/security/cves/CVE-2016-6803.html (added)
+++ websites/staging/ooo-site/trunk/content/security/cves/CVE-2016-6803.html Tue Oct 11 00:28:10
2016
@@ -0,0 +1,172 @@
+<!--#include virtual="/doctype.html" -->
+<html>
+<head>
+<link href="/css/ooo.css" rel="stylesheet" type="text/css">
+
+        <title>CVE-2016-6803</title>
+        <style type="text/css"></style>
+    
+<!--#include virtual="/google-analytics.js" --> 
+<!--#include virtual="/scripts/entourage.js" -->
+</head>
+<body>
+<!--#include virtual="/brand.html" -->
+  <div id="topbara">
+    <!--#include virtual="/topnav.html" -->
+    <div id="breadcrumbsa"><a href="/">home</a>&nbsp;&raquo;&nbsp;<a
href="/security/">security</a>&nbsp;&raquo;&nbsp;<a href="/security/cves/">cves</a></div>
+  </div>
+  <div id="clear"></div>
+  
+  
+  <div id="content">
+    
+    
+    
+    <!-- These were previously defined as XHTML pages. The current wrapping
+         for the site introduces HTML5 headers and formats. This version is
+         modified to match the wrapping that is done as part of publishing
+         this page and not rely on any particular styling beyond <p>.
+         -->
+
+        <p>
+          <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-6803">
+          CVE-2016-6803</a>
+        </p>
+
+        <p>
+          <a href="http://www.openoffice.org/security/cves/CVE-2016-6803.html">
+          Apache OpenOffice Advisory</a>
+        </p>
+
+        <p>
+          <strong>Windows Installer Can Enable Privileged Trojan Execution
+          </strong>
+        </p>
+
+        <p>
+          <strong>Version 1.0</strong>
+        </p>
+
+        <p>
+          Announced October 11, 2016
+        </p>
+
+        <p>
+          <strong>Description</strong>
+        </p>
+
+        <p>
+          The Apache OpenOffice installer for Winodws contained a defective
+          operation that could trigger execution of unwanted software 
+          installed by a Trojan Horse application.  The installer defect
+          is known as an "unquoted Windows search path vulnerability."
+        </p>
+        <p>
+          In the case of Apache OpenOffice installers for Windows, the PC
+          must have previously been infected by a Trojan Horse application
+          (or user) running with administrative privilege.  Any installer
+          with the unquoted search path vulnerability becomes a delayed
+          trigger for the exploit.  The exploit may already have operated
+          on the user's PC.
+        </p>
+        
+        <p>
+          <strong>Severity: Medium</strong>
+        </p>
+
+        <p>There are no known exploits of this vulnerabilty.<br />
+          A proof-of-concept demonstration exists.
+        </p>
+
+        <p>
+          <strong>Vendor: The Apache Software Foundation</strong>
+        </p>
+
+        <p>
+          <strong>Versions Affected</strong>
+        </p>
+
+        <p>
+          All Apache OpenOffice versions 4.1.2 and older are affected.<br />
+          OpenOffice.org versions are also affected.
+        </p>
+
+        <p>
+          <strong>Mitigation</strong>
+        </p>
+
+        <p>
+          Install Apache OpenOffice 4.1.3 for the latest maintenance and
+          cumulative security fixes.  Use the Apache OpenOffice 
+          <a href="https://www.openoffice.org/download/">download page</a>.
+          <br /><br />
+          If instead of a typical installation you use a custom-installation
+          option to change the location where Apache OpenOffice is installed,
+          use a location that has no spaces in its full-path name.
+        </p>
+
+        <p>
+          <strong>Defenses and Work-Arounds</strong>
+        </p>
+
+        <p>
+          If you are unable to update to 4.1.3, there are other precautions
+          that can be taken.  These precausions are also recommended as protection against
other software that may have the vulnerability.
+          <br /><br />
+          Ensure that there are no programs installed at the top-level folder
+          (usually C:\) where Windows is installed.  All are dangerous,
+          especially ones named "Program", whether "Program.exe" or some
+          other variation.
+          <br /><br />
+          If such programs are found, install or update to current
+          anti-virus/-malware software.  Perform a complete system scan.
+          The scan may provide for removal of programs where there should
+          not be any.  If that does not happen, it is necessary to remove
+          any Program.exe and others manually using administrator privilege.
+        </p>
+        
+        <p>
+           <strong>Further Information</strong>
+        </p>
+        
+        <p>
+          For additional information and assistance, consult the 
+          <a href="https://forum.openoffice.org/">Apache OpenOffice 
+          Community Forums</a>, or make requests to the 
+          <a href="mailto:users@openoffice.apache.org">users@openoffice.apache.org</a>

+          public mailing list. Defects not involving suspected security 
+          vulnerabilities can be reported with a normal issue via 
+          <a href="http://www.openoffice.org/qa/issue_handling/pre_submission.html">Bugzilla</a>.
+        </p>
+
+        <p>
+          The latest information on Apache OpenOffice security bulletins can 
+          be found at the 
+          <a href="http://www.openoffice.org/security/bulletin.html">
+          Bulletin Archive page</a>.
+        </p>
+
+        <p>
+          <strong>Credits</strong>
+        </p>
+
+        <p>
+          The Apache OpenOffice project acknowledges the reporting and
+          analysis for CVE-2016-6803 by Cyril Vallicari.
+        </p>
+
+        <hr />
+
+        <p>
+          <a href="http://www.openoffice.org/security/">Security Home</a>
+          -&gt; <a href="http://www.openoffice.org/security/bulletin.html">
+          Bulletin</a>
+          -&gt; <a href="http://www.openoffice.org/security/cves/CVE-2016-1513.html">
+          CVE-2016-1513</a>
+        </p>
+
+    
+  </div>
+<!--#include virtual="/footer.html" -->
+</body>
+</html>

Added: websites/staging/ooo-site/trunk/content/security/cves/CVE-2016-6804.html
==============================================================================
--- websites/staging/ooo-site/trunk/content/security/cves/CVE-2016-6804.html (added)
+++ websites/staging/ooo-site/trunk/content/security/cves/CVE-2016-6804.html Tue Oct 11 00:28:10
2016
@@ -0,0 +1,165 @@
+<!--#include virtual="/doctype.html" -->
+<html>
+<head>
+<link href="/css/ooo.css" rel="stylesheet" type="text/css">
+
+        <title>CVE-2016-6804</title>
+        <style type="text/css"></style>
+    
+<!--#include virtual="/google-analytics.js" --> 
+<!--#include virtual="/scripts/entourage.js" -->
+</head>
+<body>
+<!--#include virtual="/brand.html" -->
+  <div id="topbara">
+    <!--#include virtual="/topnav.html" -->
+    <div id="breadcrumbsa"><a href="/">home</a>&nbsp;&raquo;&nbsp;<a
href="/security/">security</a>&nbsp;&raquo;&nbsp;<a href="/security/cves/">cves</a></div>
+  </div>
+  <div id="clear"></div>
+  
+  
+  <div id="content">
+    
+    
+    
+    <!-- These were previously defined as XHTML pages. The current wrapping
+         for the site introduces HTML5 headers and formats. This version is
+         modified to match the wrapping that is done as part of publishing
+         this page and not rely on any particular styling beyond <p>.
+         -->
+
+        <p>
+          <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-6804">
+          CVE-2016-6804</a>
+        </p>
+
+        <p>
+          <a href="http://www.openoffice.org/security/cves/CVE-2016-6804.html">
+          Apache OpenOffice Advisory</a>
+        </p>
+
+        <p>
+          <strong>Windows Installer Execution of Arbitrary Code with 
+              Elevated Privileges
+          </strong>
+        </p>
+
+        <p>
+          <strong>Version 1.0</strong>
+        </p>
+
+        <p>
+          Announced October 11, 2016
+        </p>
+
+        <p>
+          <strong>Description</strong>
+        </p>
+
+        <p>
+          The Apache OpenOffice installer for Winodws contained a defective
+          operation that allows execution of arbitrary code with elevated
+          privileges.
+        </p>
+        <p>The location in which the installer is run may have been 
+            previously poisoned by a file that impersonates a dynamic-link
+            library that the installer depends upon.  The counterfeit is
+            operated instead because of a search path defect in the 
+            installer.  The counterfeit will be operated under the
+            administrative privileges of the OpenOffice installer,
+            compromising the users's PC.
+        </p>
+        
+        <p>
+          <strong>Severity: Medium</strong>
+        </p>
+
+        <p>There are no known exploits of this vulnerabilty.<br />
+          A proof-of-concept demonstration exists.
+        </p>
+
+        <p>
+          <strong>Vendor: The Apache Software Foundation</strong>
+        </p>
+
+        <p>
+          <strong>Versions Affected</strong>
+        </p>
+
+        <p>
+          All Apache OpenOffice versions 4.1.2 and older are affected.<br />
+          OpenOffice.org versions are also affected.
+        </p>
+
+        <p>
+          <strong>Mitigation</strong>
+        </p>
+
+        <p>
+          Install Apache OpenOffice 4.1.3 for the latest maintenance and
+          cumulative security fixes.  Use the Apache OpenOffice 
+          <a href="https://www.openoffice.org/download/">download page</a>.
+        </p>
+
+        <p>
+          <strong>Defenses and Work-Arounds</strong>
+        </p>
+
+        <p>
+          If you are unable to update to 4.1.3, there are other precautions
+          that can be taken.  These precausions are also recommended as protection against
other software that may have the vulnerability.
+          <br /><br />
+          When executing .exe installers, ensure that the installer is in a file folder that
has no other files but the installer .exe file.
+          <br /><br />
+          If an installer proposes a folder to extract the setup files
+          into before the actual install, choose the name of a folder that is not in use.
 Delete such a folder of setup files after the installation completes successfully.  To reinstall
without 
+          downloading again, preserve the installer .exe on private 
+          removable storage.
+        </p>
+        
+        <p>
+           <strong>Further Information</strong>
+        </p>
+        
+        <p>
+          For additional information and assistance, consult the 
+          <a href="https://forum.openoffice.org/">Apache OpenOffice 
+          Community Forums</a>, or make requests to the 
+          <a href="mailto:users@openoffice.apache.org">users@openoffice.apache.org</a>

+          public mailing list. Defects not involving suspected security 
+          vulnerabilities can be reported with a normal issue via 
+          <a href="http://www.openoffice.org/qa/issue_handling/pre_submission.html">Bugzilla</a>.
+        </p>
+
+        <p>
+          The latest information on Apache OpenOffice security bulletins can 
+          be found at the 
+          <a href="http://www.openoffice.org/security/bulletin.html">
+          Bulletin Archive page</a>.
+        </p>
+
+        <p>
+          <strong>Credits</strong>
+        </p>
+
+        <p>
+          The Apache OpenOffice project acknowledges the reporting and
+          analysis for CVE-2016-6804 by Stephen Kanthek and by Himanshu
+          Mehta.
+        </p>
+
+        <hr />
+
+        <p>
+          <a href="http://www.openoffice.org/security/">Security Home</a>
+          -&gt; <a href="http://www.openoffice.org/security/bulletin.html">
+          Bulletin</a>
+          -&gt; <a href="http://www.openoffice.org/security/cves/CVE-2016-1513.html">
+          CVE-2016-1513</a>
+        </p>
+
+    
+  </div>
+<!--#include virtual="/footer.html" -->
+</body>
+</html>



Mime
View raw message