This is an automated email from the ASF dual-hosted git repository.

marcus pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/openoffice-org.git

commit e5ffb79a26c1395b5d11c3587fe7e0b0d4153bf2
Author: Marcus <[email protected]>
AuthorDate: Mon Oct 11 15:38:50 2021 +0200

    Security Bulletin for the Apache OpenOffice 4.1.11 Release
---
 content/security/cves/CVE-2021-41830.html | 93 +++++++++++++++++++++++++++++++
 content/security/cves/CVE-2021-41831.html | 91 ++++++++++++++++++++++++++++++
 content/security/cves/CVE-2021-41832.html | 91 ++++++++++++++++++++++++++++++
 3 files changed, 275 insertions(+)

diff --git a/content/security/cves/CVE-2021-41830.html 
b/content/security/cves/CVE-2021-41830.html
new file mode 100644
index 0000000..839c00e
--- /dev/null
+++ b/content/security/cves/CVE-2021-41830.html
@@ -0,0 +1,93 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" 
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd";>
+<html xmlns="http://www.w3.org/1999/xhtml"; xml:lang="en" lang="en">
+  <head>
+    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+    <title>CVE-2021-41830</title>
+  </head>
+
+  <body>
+    <p>
+      <a 
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-41830";>CVE-2021-41830</a>
+    </p>
+    <p>
+      <a 
href="https://www.openoffice.org/security/cves/CVE-2021-41830.html";>Apache 
OpenOffice Advisory</a>
+    </p>
+    <p style="text-align:center; font-size:largest">
+      <strong>#1 Content Manipulation with Certificate Double Attack</strong>
+      <br />
+      <strong>#2 Macro Manipulation with Certificate Double Attack</strong>
+    </p>
+    <p style="text-align:center; font-size:larger">
+      <strong>Fixed in Apache OpenOffice 4.1.11</strong>
+    </p>
+    <p>
+      <strong>Description</strong>
+    </p>
+    <p>
+      It is possible for an attacker to manipulate signed documents and macros 
to appear to come from a trusted source.
+      <br />
+      An attacker can use the vulnerabilities to convert an untrusted digital 
signature into trusted ones
+      and change the content of the ODF document without invalidating the 
signature.
+    </p>
+    <p>
+      <strong>Severity: High</strong>
+    </p>
+    <p>
+      There are no known exploits of this vulnerability.
+      <br />
+      A proof-of-concept demonstration exists.
+    </p>
+    <p>
+      Thanks to the reporter for discovering this issue.
+    </p>
+    <p>
+      <strong>Vendor: The Apache Software Foundation</strong>
+    </p>
+    <p>
+      <strong>Versions Affected</strong>
+    </p>
+    <p>
+      All Apache OpenOffice versions 4.1.10 and older are affected.
+      <br />
+      OpenOffice.org versions may also be affected.
+    </p>
+    <p>
+      <strong>Mitigation</strong>
+    </p>
+    <p>
+      Install Apache OpenOffice 4.1.11 for the latest maintenance and 
cumulative security fixes.
+      Use the Apache OpenOffice <a 
href="https://www.openoffice.org/download/";> download page</a>.
+    </p>
+    <p>
+      <strong>Acknowledgments</strong>
+    </p>
+    <p>
+      The Apache OpenOffice Security Team would like to thank Simon Rohlmann, 
Vladislav Mladenov,
+      Christian Mainka and Jörg Schwenk, Ruhr University Bochum, Germany, for 
discovering and reporting this
+      attack vector.
+    </p>
+    <p>
+      <strong>Further Information</strong>
+    </p>
+    <p>
+      This issue was also reported to LibreOffice with CVE-2021-25633.
+    </p>
+    <p>
+      For additional information and assistance, consult the
+      <a href="https://forum.openoffice.org/";>Apache OpenOffice Community 
Forums</a>
+      or make requests to the
+      <a 
href="mailto:[email protected]";>[email protected]</a>
+      public mailing list.
+    </p>
+    <p>
+      The latest information on Apache OpenOffice security bulletins can be 
found at the
+      <a href="https://www.openoffice.org/security/bulletin.html";>Bulletin 
Archive page</a>.
+    </p>
+    <hr />
+    <p>
+      <a href="https://security.openoffice.org";>Security Home</a>-&gt;
+      <a 
href="https://www.openoffice.org/security/bulletin.html";>Bulletin</a>-&gt;
+      <a 
href="https://www.openoffice.org/security/cves/CVE-2021-41830.html";>CVE-2021-41830</a>
+    </p>
+  </body>
+</html>
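Review bot: `font-size:largest` in the title paragraph (`<p style="text-align:center; font-size:largest">`) is not a valid CSS font-size keyword, so browsers drop the declaration and the two issue titles render at the default size, smaller than the "Fixed in Apache OpenOffice 4.1.11" line below, which uses `larger`. Use a valid value such as `x-large`. The same style attribute is repeated in the CVE-2021-41831 and CVE-2021-41832 files and needs the same change there.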
diff --git a/content/security/cves/CVE-2021-41831.html 
b/content/security/cves/CVE-2021-41831.html
new file mode 100644
index 0000000..36f8655
--- /dev/null
+++ b/content/security/cves/CVE-2021-41831.html
@@ -0,0 +1,91 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" 
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd";>
+<html xmlns="http://www.w3.org/1999/xhtml"; xml:lang="en" lang="en">
+  <head>
+    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+    <title>CVE-2021-41831</title>
+  </head>
+
+  <body>
+    <p>
+      <a 
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-41831";>CVE-2021-41831</a>
+    </p>
+    <p>
+      <a 
href="https://www.openoffice.org/security/cves/CVE-2021-41831.html";>Apache 
OpenOffice Advisory</a>
+    </p>
+    <p style="text-align:center; font-size:largest">
+      <strong>#3 Timestamp Manipulation with Signature Wrapping</strong>
+    </p>
+    <p style="text-align:center; font-size:larger">
+      <strong>Fixed in Apache OpenOffice 4.1.11</strong>
+    </p>
+    <p>
+      <strong>Description</strong>
+    </p>
+    <p>
+      It is possible for an attacker to manipulate the timestamp of signed 
documents.
+      <br />
+      An attacker can use the vulnerability to convert an untrusted digital 
signature into trusted ones
+      and allows the time stamp of the signature to be changed arbitrarily.
+    </p>
+    <p>
+      <strong>Severity: Moderate</strong>
+    </p>
+    <p>
+      There are no known exploits of this vulnerability.
+      <br />
+      A proof-of-concept demonstration exists.
+    </p>
+    <p>
+      Thanks to the reporter for discovering this issue.
+    </p>
+    <p>
+      <strong>Vendor: The Apache Software Foundation</strong>
+    </p>
+    <p>
+      <strong>Versions Affected</strong>
+    </p>
+    <p>
+      All Apache OpenOffice versions 4.1.10 and older are affected.
+      <br />
+      OpenOffice.org versions may also be affected.
+    </p>
+    <p>
+      <strong>Mitigation</strong>
+    </p>
+    <p>
+      Install Apache OpenOffice 4.1.11 for the latest maintenance and 
cumulative security fixes.
+      Use the Apache OpenOffice <a 
href="https://www.openoffice.org/download/";> download page</a>.
+    </p>
+    <p>
+      <strong>Acknowledgments</strong>
+    </p>
+    <p>
+      The Apache OpenOffice Security Team would like to thank Simon Rohlmann, 
Vladislav Mladenov,
+      Christian Mainka and Jörg Schwenk, Ruhr University Bochum, Germany, for 
discovering and reporting this
+      attack vector.
+    </p>
+    <p>
+      <strong>Further Information</strong>
+    </p>
+    <p>
+      This issue was also reported to LibreOffice with CVE-2021-25634.
+    </p>
+    <p>
+      For additional information and assistance, consult the
+      <a href="https://forum.openoffice.org/";>Apache OpenOffice Community 
Forums</a>
+      or make requests to the
+      <a 
href="mailto:[email protected]";>[email protected]</a>
+      public mailing list.
+    </p>
+    <p>
+      The latest information on Apache OpenOffice security bulletins can be 
found at the
+      <a href="https://www.openoffice.org/security/bulletin.html";>Bulletin 
Archive page</a>.
+    </p>
+    <hr />
+    <p>
+      <a href="https://security.openoffice.org";>Security Home</a>-&gt;
+      <a 
href="https://www.openoffice.org/security/bulletin.html";>Bulletin</a>-&gt;
+      <a 
href="https://www.openoffice.org/security/cves/CVE-2021-41831.html";>CVE-2021-41831</a>
+    </p>
+  </body>
+</html>
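Review bot: the second sentence of the Description does not parse: "An attacker can use the vulnerability to convert an untrusted digital signature into trusted ones and allows the time stamp of the signature to be changed arbitrarily" switches subject halfway through and pairs the singular "signature" with "ones". The first clause repeats the wording used in the CVE-2021-41830 file; if it also applies to this issue, give it its own sentence, otherwise drop it and keep a plain statement such as "An attacker can change the time stamp of the signature arbitrarily." The paragraph also uses both "timestamp" and "time stamp"; pick one.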
diff --git a/content/security/cves/CVE-2021-41832.html 
b/content/security/cves/CVE-2021-41832.html
new file mode 100644
index 0000000..042577d
--- /dev/null
+++ b/content/security/cves/CVE-2021-41832.html
@@ -0,0 +1,91 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" 
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd";>
+<html xmlns="http://www.w3.org/1999/xhtml"; xml:lang="en" lang="en">
+  <head>
+    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+    <title>CVE-2021-41832</title>
+  </head>
+
+  <body>
+    <p>
+      <a 
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-41832";>CVE-2021-41832</a>
+    </p>
+    <p>
+      <a 
href="https://www.openoffice.org/security/cves/CVE-2021-41832.html";>Apache 
OpenOffice Advisory</a>
+    </p>
+    <p style="text-align:center; font-size:largest">
+      <strong>#4 Content Manipulation with Certificate Validation 
Attack</strong>
+    </p>
+    <p style="text-align:center; font-size:larger">
+      <strong>Fixed in Apache OpenOffice 4.1.11</strong>
+    </p>
+    <p>
+      <strong>Description</strong>
+    </p>
+    <p>
+      It is possible for an attacker to manipulate documents to appear to be 
signed by a trusted source.
+      <br />
+      An attacker can use the vulnerability to convert an untrusted digital 
signature into trusted ones
+      and change the content of the ODF document without invalidating the 
signature.
+    </p>
+    <p>
+      <strong>Severity: Moderate</strong>
+    </p>
+    <p>
+      There are no known exploits of this vulnerability.
+      <br />
+      A proof-of-concept demonstration exists.
+    </p>
+    <p>
+      Thanks to the reporter for discovering this issue.
+    </p>
+    <p>
+      <strong>Vendor: The Apache Software Foundation</strong>
+    </p>
+    <p>
+      <strong>Versions Affected</strong>
+    </p>
+    <p>
+      All Apache OpenOffice versions 4.1.10 and older are affected.
+      <br />
+      OpenOffice.org versions may also be affected.
+    </p>
+    <p>
+      <strong>Mitigation</strong>
+    </p>
+    <p>
+      Install Apache OpenOffice 4.1.11 for the latest maintenance and 
cumulative security fixes.
+      Use the Apache OpenOffice <a 
href="https://www.openoffice.org/download/";> download page</a>.
+    </p>
+    <p>
+      <strong>Acknowledgments</strong>
+    </p>
+    <p>
+      The Apache OpenOffice Security Team would like to thank Simon Rohlmann, 
Vladislav Mladenov,
+      Christian Mainka and Jörg Schwenk, Ruhr University Bochum, Germany, for 
discovering and reporting this
+      attack vector.
+    </p>
+    <p>
+      <strong>Further Information</strong>
+    </p>
+    <p>
+      This issue was also reported to LibreOffice with CVE-2021-25635.
+    </p>
+    <p>
+      For additional information and assistance, consult the
+      <a href="https://forum.openoffice.org/";>Apache OpenOffice Community 
Forums</a>
+      or make requests to the
+      <a 
href="mailto:[email protected]";>[email protected]</a>
+      public mailing list.
+    </p>
+    <p>
+      The latest information on Apache OpenOffice security bulletins can be 
found at the
+      <a href="https://www.openoffice.org/security/bulletin.html";>Bulletin 
Archive page</a>.
+    </p>
+    <hr />
+    <p>
+      <a href="https://security.openoffice.org";>Security Home</a>-&gt;
+      <a 
href="https://www.openoffice.org/security/bulletin.html";>Bulletin</a>-&gt;
+      <a 
href="https://www.openoffice.org/security/cves/CVE-2021-41832.html";>CVE-2021-41832</a>
+    </p>
+  </body>
+</html>
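Review bot: the Description is nearly identical to the one in the CVE-2021-41830 file ("convert an untrusted digital signature into trusted ones and change the content of the ODF document without invalidating the signature"), yet this advisory is rated Moderate and that one High, so a reader cannot tell the two issues apart or see why the severity differs. Add a sentence saying what is specific to the certificate validation case named in the title, and fix the "signature into trusted ones" number mismatch while editing the paragraph.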
