This is an automated email from the ASF dual-hosted git repository.
git-site-role pushed a commit to branch asf-staging
in repository https://gitbox.apache.org/repos/asf/openoffice-org.git
The following commit(s) were added to refs/heads/asf-staging by this push:
new 407ce4c7f git-site-role commit from build_staging.sh
407ce4c7f is described below
commit 407ce4c7f36884c0a0bb63c28a5664f16c017339
Author: jenkins <[email protected]>
AuthorDate: Sun Aug 7 15:18:40 2022 +0000
git-site-role commit from build_staging.sh
---
content/feed.xml | 4 +-
content/security/cves/CVE-2022-37400.html | 112 ++++++++++++++++++++++++++++++
content/security/cves/CVE-2022-37401.html | 111 +++++++++++++++++++++++++++++
3 files changed, 225 insertions(+), 2 deletions(-)
diff --git a/content/feed.xml b/content/feed.xml
index 2d5670593..c36fdda2e 100644
--- a/content/feed.xml
+++ b/content/feed.xml
@@ -6,8 +6,8 @@
<atom:link href="http://localhost:8820/feed.xml"; rel="self"
type="application/rss+xml" />
<description>OpenOffice.org Feed</description>
<language>en-us</language>
- <pubDate>Thu, 4 Aug 2022 18:56:25 +0000</pubDate>
- <lastBuildDate>Thu, 4 Aug 2022 18:56:25 +0000</lastBuildDate>
+ <pubDate>Sun, 7 Aug 2022 15:17:51 +0000</pubDate>
+ <lastBuildDate>Sun, 7 Aug 2022 15:17:51 +0000</lastBuildDate>
</channel>
diff --git a/content/security/cves/CVE-2022-37400.html
b/content/security/cves/CVE-2022-37400.html
new file mode 100644
index 000000000..3d3df2a7f
--- /dev/null
+++ b/content/security/cves/CVE-2022-37400.html
@@ -0,0 +1,112 @@
+
+<!--#include virtual="/doctype.html" -->
+<html>
+ <head>
+ <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+
+ <link href="/css/ooo.css" rel="stylesheet" type="text/css">
+
+ <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+ <title>CVE-2022-37400</title>
+
+
+ <script src="https://www.apachecon.com/event-images/snippet.js";></script>
+ </head>
+ <body>
+ <!--#include virtual="/brand.html" -->
+ <div id="topbara">
+ <!--#include virtual="/topnav.html" -->
+ <div id="breadcrumbsa"><a href="/">home</a> » <a
href="/security/">security</a> » <a
href="/security/cves/">cves</a></div>
+ </div>
+ <div id="clear"></div>
+
+
+ <div id="content">
+
+
+ <p>
+ <a
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-37400";>CVE-2022-37400</a>
+ </p>
+ <p>
+ <a
href="https://www.openoffice.org/security/cves/CVE-2022-37400.html";>Apache
OpenOffice Advisory</a>
+ </p>
+ <p style="text-align:center; font-size:largest">
+ <strong>Static Initialization Vector Allows to Recover Passwords for Web
Connections Without Knowing
+ the Master Password</strong>
+ </p>
+ <p style="text-align:center; font-size:larger">
+ <strong>Fixed in Apache OpenOffice 4.1.13</strong>
+ </p>
+ <p>
+ <strong>Description</strong>
+ </p>
+ <p>
+ Apache OpenOffice supports the storage of passwords for web connections
in the user's configuration
+ database. The stored passwords are encrypted with a single master key
provided by the user. A flaw in
+ OpenOffice existed where the required initialization vector for
encryption was always the same which
+ weakens the security of the encryption making them vulnerable if an
attacker has access to the user's
+ configuration data.
+ </p>
+ <p>
+ <strong>Severity: Moderate</strong>
+ </p>
+ <p>
+ There are no known exploits of this vulnerability.
+ <br />
+ A proof-of-concept demonstration exists.
+ </p>
+ <p>
+ Thanks to the reporter for discovering this issue.
+ </p>
+ <p>
+ <strong>Vendor: The Apache Software Foundation</strong>
+ </p>
+ <p>
+ <strong>Versions Affected</strong>
+ </p>
+ <p>
+ All Apache OpenOffice versions 4.1.12 and older are affected.
+ <br />
+ OpenOffice.org versions may also be affected.
+ </p>
+ <p>
+ <strong>Mitigation</strong>
+ </p>
+ <p>
+ Install Apache OpenOffice 4.1.13 for the latest maintenance and
cumulative security fixes.
+ Use the Apache OpenOffice <a
href="https://www.openoffice.org/download/";> download page</a>.
+ </p>
+ <p>
+ <strong>Acknowledgments</strong>
+ </p>
+ <p>
+ The Apache OpenOffice Security Team would like to thank Selma Jabour,
OpenSource Security GmbH,
+ Germany on behalf of the German Federal Office for Information Security,
for discovering and
+ reporting this attack vector
+ </p>
+ <p>
+ <strong>Further Information</strong>
+ </p>
+ <p>
+ For additional information and assistance, consult the
+ <a href="https://forum.openoffice.org/";>Apache OpenOffice Community
Forums</a>
+ or make requests to the
+ <a
href="mailto:[email protected]";>[email protected]</a>
+ public mailing list.
+ </p>
+ <p>
+ The latest information on Apache OpenOffice security bulletins can be
found at the
+ <a href="https://www.openoffice.org/security/bulletin.html";>Bulletin
Archive page</a>.
+ </p>
+ <hr />
+ <p>
+ <a href="https://security.openoffice.org";>Security Home</a>->
+ <a
href="https://www.openoffice.org/security/bulletin.html";>Bulletin</a>->
+ <a
href="https://www.openoffice.org/security/cves/CVE-2022-37400.html";>CVE-2022-37400</a>
+ </p>
+
+
+ </div>
+ <!--#include virtual="/footer.html" -->
+ </body>
+</html>
diff --git a/content/security/cves/CVE-2022-37401.html
b/content/security/cves/CVE-2022-37401.html
new file mode 100644
index 000000000..beedb92dd
--- /dev/null
+++ b/content/security/cves/CVE-2022-37401.html
@@ -0,0 +1,111 @@
+
+<!--#include virtual="/doctype.html" -->
+<html>
+ <head>
+ <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+
+ <link href="/css/ooo.css" rel="stylesheet" type="text/css">
+
+ <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+ <title>CVE-2022-37401</title>
+
+
+ <script src="https://www.apachecon.com/event-images/snippet.js";></script>
+ </head>
+ <body>
+ <!--#include virtual="/brand.html" -->
+ <div id="topbara">
+ <!--#include virtual="/topnav.html" -->
+ <div id="breadcrumbsa"><a href="/">home</a> » <a
href="/security/">security</a> » <a
href="/security/cves/">cves</a></div>
+ </div>
+ <div id="clear"></div>
+
+
+ <div id="content">
+
+
+ <p>
+ <a
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-37401";>CVE-2022-37401</a>
+ </p>
+ <p>
+ <a
href="https://www.openoffice.org/security/cves/CVE-2022-37401.html";>Apache
OpenOffice Advisory</a>
+ </p>
+ <p style="text-align:center; font-size:largest">
+ <strong>Weak Master Keys</strong>
+ </p>
+ <p style="text-align:center; font-size:larger">
+ <strong>Fixed in Apache OpenOffice 4.1.13</strong>
+ </p>
+ <p>
+ <strong>Description</strong>
+ </p>
+ <p>
+ Apache OpenOffice supports the storage of passwords for web connections
in the user's configuration
+ database. The stored passwords are encrypted with a single master key
provided by the user. A flaw in
+ OpenOffice existed where master key was poorly encoded resulting in
weakening its entropy from 128 to
+ 43 bits making the stored passwords vulnerable to a brute force attack if
an attacker has access to the
+ users stored config.
+ </p>
+ <p>
+ <strong>Severity: Moderate</strong>
+ </p>
+ <p>
+ There are no known exploits of this vulnerability.
+ <br />
+ A proof-of-concept demonstration exists.
+ </p>
+ <p>
+ Thanks to the reporter for discovering this issue.
+ </p>
+ <p>
+ <strong>Vendor: The Apache Software Foundation</strong>
+ </p>
+ <p>
+ <strong>Versions Affected</strong>
+ </p>
+ <p>
+ All Apache OpenOffice versions 4.1.12 and older are affected.
+ <br />
+ OpenOffice.org versions may also be affected.
+ </p>
+ <p>
+ <strong>Mitigation</strong>
+ </p>
+ <p>
+ Install Apache OpenOffice 4.1.13 for the latest maintenance and
cumulative security fixes.
+ Use the Apache OpenOffice <a
href="https://www.openoffice.org/download/";> download page</a>.
+ </p>
+ <p>
+ <strong>Acknowledgments</strong>
+ </p>
+ <p>
+ The Apache OpenOffice Security Team would like to thank Selma Jabour,
OpenSource Security GmbH,
+ Germany on behalf of the German Federal Office for Information Security,
for discovering and
+ reporting this attack vector
+ </p>
+ <p>
+ <strong>Further Information</strong>
+ </p>
+ <p>
+ For additional information and assistance, consult the
+ <a href="https://forum.openoffice.org/";>Apache OpenOffice Community
Forums</a>
+ or make requests to the
+ <a
href="mailto:[email protected]";>[email protected]</a>
+ public mailing list.
+ </p>
+ <p>
+ The latest information on Apache OpenOffice security bulletins can be
found at the
+ <a href="https://www.openoffice.org/security/bulletin.html";>Bulletin
Archive page</a>.
+ </p>
+ <hr />
+ <p>
+ <a href="https://security.openoffice.org";>Security Home</a>->
+ <a
href="https://www.openoffice.org/security/bulletin.html";>Bulletin</a>->
+ <a
href="https://www.openoffice.org/security/cves/CVE-2022-37401.html";>CVE-2022-37401</a>
+ </p>
+
+
+ </div>
+ <!--#include virtual="/footer.html" -->
+ </body>
+</html>
