Author: robweir
Date: Fri Jun 21 12:07:46 2013
New Revision: 1495404
URL: http://svn.apache.org/r1495404
Log: (empty)
Added:
openoffice/ooo-site/trunk/content/security/cves/CVE-2013-1571.html
Modified:
openoffice/ooo-site/trunk/content/security/bulletin.html
Modified: openoffice/ooo-site/trunk/content/security/bulletin.html
URL:
http://svn.apache.org/viewvc/openoffice/ooo-site/trunk/content/security/bulletin.html?rev=1495404&r1=1495403&r2=1495404&view=diff
==============================================================================
--- openoffice/ooo-site/trunk/content/security/bulletin.html (original)
+++ openoffice/ooo-site/trunk/content/security/bulletin.html Fri Jun 21
12:07:46 2013
@@ -23,6 +23,7 @@
<h3>Fixed in Apache OpenOffice 3.4.1</h3>
<ul>
<li><a href="cves/CVE-2012-2665.html">CVE-2012-2665</a>: Manifest-processing
errors in Apache OpenOffice 3.4.0</li>
+<li><a href="cves/CVE-2012-2665.html">CVE-2013-1571</a>: Frame Injection
Vulnerability in SDK JavaDoc</li>
</ul>
<h3>Fixed in Apache OpenOffice 3.4.0</h3>
Added: openoffice/ooo-site/trunk/content/security/cves/CVE-2013-1571.html
URL:
http://svn.apache.org/viewvc/openoffice/ooo-site/trunk/content/security/cves/CVE-2013-1571.html?rev=1495404&view=auto
==============================================================================
--- openoffice/ooo-site/trunk/content/security/cves/CVE-2013-1571.html (added)
+++ openoffice/ooo-site/trunk/content/security/cves/CVE-2013-1571.html Fri Jun
21 12:07:46 2013
@@ -0,0 +1,83 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd";>
+
+<html xmlns="http://www.w3.org/1999/xhtml";>
+<head profile="http://www.w3.org/2005/10/profile";>
+ <title> CVE-2013-1571</title>
+ <style type="text/css"></style>
+</head>
+
+<body>
+ <h2><a
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2013-1571";>CVE-2013-1571</a></h2>
+
+ <h3>
+ Frame Injection Vulnerability in SDK JavaDoc
+ </h3>
+
+ <ul>
+
+ <h4>Severity: Medium</h4>
+
+ <h4>Vendor: The Apache Software Foundation</h4>
+
+ <h4>Versions Affected:</h4>
+ <ul>
+ <li>Apache OpenOffice 3.4.1 SDK, on all
platforms.</li>
+ <li>Earlier versions may be also
affected.</li>
+ </ul>
+
+
+<h4>Description:</h4>
+<p>
+As reported on June 18th there is a <a
href="http://www.kb.cert.org/vuls/id/225657";>vulnerability in JavaDoc</a>
generated by Java 5, Java 6 and Java 7 before update 22. Generated
+ JavaDoc files could be suceptible to HTML frame injection attacks. Our
investigation indicated that the UDK 3.2.7 Java API Reference in the Apache
OpenOffice SDK contains
+ a vulnerable HTML file.</p>
+
+<p>Note: Ordinary installs of OpenOffice are not impacted by this
vulnerability. Only installs of the OpenOffice SDK, typically only installed
by software developers writing
+ extensions, are impacted</p>
+
+ <h4>Mitigation</h4>
+ <p>SDK users should update their installations by replacing
/docs/java/ref/index.html with this
+ <a
href="http://www.apache.org/dyn/aoo-closer.cgi/incubator/ooo/3.4.1/source/cve-2013-1571.zip";>patched
version</a>.
+ Download, unzip and follow the instructions in the enclosed README
file.</p>
+
+ <p>Users with earlier versions of the SDK (pre 3.4.1) should <a
href="http://www.download.openoffice.org/download/other.html#tested-sdk";>upgrade
to the current version</a> and then apply the patch. Alternative, they can
download and run
+ Oracle's <a
href="http://www.oracle.com/technetwork/java/javase/downloads/java-doc-updater-tool-1955731.html";>Java
API Documentation Updater Tool</a> to repair
+ the vulnerabilities in place.</p>
+
+
+<h4>Verifying the Integrity of Downloaded Files</h4>
+
+<p>
+We have provided <a
href="http://www.apache.org/dist/incubator/ooo/3.4.1/source/cve-2013-1571.zip.md5";>MD5</a>
and <a
href="http://www.apache.org/dist/incubator/ooo/3.4.1/source/cve-2013-1571.zip.sha256";>SHA256</a>
hashes of these patches,
+ as well as a <a
href="http://www.apache.org/dist/incubator/ooo/3.4.1/source/cve-2013-1571.zip.asc";>GPG/PGP
detached digital signature</a>, for those who wish to verify the
+ integrity of this file.
+<p>
+The MD5 and SHA256 hashes can be verified using Unix tools like md5sum or
sha256sum.
+<p>
+The PGP signatures can be verified using PGP or GPG. First download the <a
href="http://www.apache.org/dist/incubator/ooo/KEYS";>KEYS</a> file, as well as
the asc signature file for the particular patch from above. Make sure you get
these files from the main distribution directory, rather than from a mirror.
Then verify the signatures as follows:
+<p>
+<code>
+% pgpk -a KEYS <br>
+% pgpv cve-2013-1571.zip.asc <br>
+</code>
+<em>or</em>
+<br>
+<code>
+% pgp -ka KEYS <br>
+% pgp cve-2013-1571.zip.asc <br>
+</code>
+<em>or</em>
+<br>
+<code>
+% gpg --import KEYS <br>
+% gpg --verify cve-2013-1571.zip.asc <br>
+</code>
+
+
+
+ <hr />
+
+ <p><a href="http://security.openoffice.org";>Security Home</a> -> <a
href="http://security.openoffice.org/bulletin.html";>Bulletin</a> ->
+ <a
href="http://security.openoffice.org/security/cves/CVE-2013-1571.html";>CVE-2013-1571</a></p>
+</body>
+</html>
