Author: pescetti
Date: Sun Apr 26 15:55:33 2015
New Revision: 1676119
URL: http://svn.apache.org/r1676119
Log:
Put the CVE-2015-1774 announcement online.
Added:
openoffice/ooo-site/trunk/content/security/cves/CVE-2015-1774.html
Modified:
openoffice/ooo-site/trunk/content/security/bulletin.html
Modified: openoffice/ooo-site/trunk/content/security/bulletin.html
URL:
http://svn.apache.org/viewvc/openoffice/ooo-site/trunk/content/security/bulletin.html?rev=1676119&r1=1676118&r2=1676119&view=diff
==============================================================================
--- openoffice/ooo-site/trunk/content/security/bulletin.html (original)
+++ openoffice/ooo-site/trunk/content/security/bulletin.html Sun Apr 26
15:55:33 2015
@@ -19,6 +19,11 @@
<p><strong>If you want to stay up to date on Apache OpenOffice security
announcements, please subscribe to our <a href="alerts.html">security-alerts
mailing list</a>.</strong></p>
+ <h3>Current for Apache OpenOffice 4.1.1 (workaround available)</h3>
+<ul>
+<li><a href="cves/CVE-2015-1774.html">CVE-2015-1774</a>: OpenOffice HWP Filter
Remote Execution and DoS Vulnerability</li>
+</ul>
+
<h3>Fixed in Apache OpenOffice 4.1.1</h3>
<ul>
<li><a href="cves/CVE-2014-3575.html">CVE-2014-3575</a>: Targeted Data
Exposure Using Creafted OLE Objects in Apache OpenOffice</li>
Added: openoffice/ooo-site/trunk/content/security/cves/CVE-2015-1774.html
URL:
http://svn.apache.org/viewvc/openoffice/ooo-site/trunk/content/security/cves/CVE-2015-1774.html?rev=1676119&view=auto
==============================================================================
--- openoffice/ooo-site/trunk/content/security/cves/CVE-2015-1774.html (added)
+++ openoffice/ooo-site/trunk/content/security/cves/CVE-2015-1774.html Sun Apr
26 15:55:33 2015
@@ -0,0 +1,53 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd";>
+<html xmlns="http://www.w3.org/1999/xhtml";>
+<head profile="http://www.w3.org/2005/10/profile";>
+ <title>CVE-2014-3575</title>
+ <style type="text/css"></style>
+</head>
+
+<body>
+ <h2><a
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2015-1774";>CVE-2015-1774</a></h2>
+
+ <h3>OpenOffice HWP Filter Remote Code Execution and Denial of
Service</h3>
+
+ <ul>
+ <h4>Severity: Important</h4>
+ <h4>Vendor: The Apache Software Foundation</h4>
+ <h4>Versions Affected:</h4>
+ <ul>
+ <li>Apache OpenOffice 4.1.1 and older.</li>
+ </ul>
+
+ <h4>Description</h4>
+ <p>A vulnerability in OpenOffice's HWP filter allows attackers to cause
a
+denial of service (memory corruption and application crash) or possibly
+execution of arbitrary code by preparing specially crafted documents in
+the HWP document format.</p>
+
+ <h4>Mitigation</h4>
+ <p>Apache OpenOffice users are advised to remove the problematic
library in
+the "program" folder of their OpenOffice installation. On Windows it is
+named "hwp.dll", on Mac it is named "libhwp.dylib" (step-by-step instructions:
go to the Applications folder in Finder;
+right click on OpenOffice.app; click on "Show Package Contents"; then search
for the file "libhwp.dylib" with Finder's search function, or
+Look for it in the folder "Contents/MacOS"; then delete the file) and on Linux
it is
+named "libhwp.so". Alternatively the library can be renamed to anything
+else e.g. "hwp_renamed.dll".
+This mitigation will drop support for documents created in "Hangul
+Word Processor" versions from 1997 or older. Users of such documents are
+advised to convert their documents to other document formats such as
+OpenDocument before doing so.</p>
+
+ <h4>Further information</h4>
+ <p>Apache OpenOffice aims to fix the vulnerability in version 4.1.2,
not released yet.</p>
+
+ <h4>Credits</h4>
+ <p>Thanks to an anonymous contributor working with VeriSign iDefense
Labs.</p>
+
+ <hr />
+
+ <p><a href="http://security.openoffice.org";>Security Home</a>
+ -> <a
href="http://security.openoffice.org/bulletin.html";>Bulletin</a>
+ -> <a
href="http://security.openoffice.org/security/cves/CVE-2014-3575.html";>CVE-2014-3575</a></p>
+</body>
+</html>
+
