[ CC'ing team@security so that they know nothing supported is affected by it. ]
Hi,

apparently Apache knew it since October 2015, tested with "current" LibreOffices but they said they didn't test with old, so didn't inform LO *at all* until this came up last Thursday again confirming that old LOs *are* affected..

See also http://www.openoffice.org/security/cves/CVE-2016-1513.html

The fix already went into (later) 4.2 and 4.3 versions.

so:

wheezy: affected
jessie: 4.3.3 - unaffected, AFAICS [1]
stretch/sid: "of course" unaffected

A (untested, except that the patch applies) source package is - as last time - available on http://people.debian.org/~rene/libreoffice/wheezy

Own-imposed LibreOffice embargo ends today. (I knew it only since last Thursday, too when we wrote about the other issue but of course couldn't write it beforehand to something public..)

Regards,

Rene

[1]
(jessie)rene@frodo ..reOffice/libreoffice/libreoffice-4.3.3 % patch -p1 --dry-run < ~/index.html\?id=fd64d444b730f6cb7216dac8f6e3f94b97d7ab60
checking file tools/source/generic/poly2.cxx
Reversed (or previously applied) patch detected! Assume -R? [n]
Apply anyway? [n]
Skipping patch.
4 out of 4 hunks ignored
checking file vcl/source/gdi/metaact.cxx
Reversed (or previously applied) patch detected! Assume -R? [n]
Apply anyway? [n]
Skipping patch.
1 out of 1 hunk ignored
