Re: How to check that CVE-2018-6871 is fixed?

2018-02-20 Thread Chris Sherlock
Sorry to be a pain here, but it appears that the canonical CVE identifier is now CVE-2018-6872 as CVE-2018-1055 has been rejected and points to CVE-2018-6872: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1055 Our security advisory list still points to CVE-2018-1055. Should this be

Re: How to check that CVE-2018-6871 is fixed?

2018-02-11 Thread Rene Engelhard
On Mon, Feb 12, 2018 at 12:32:39AM +1100, Chris Sherlock wrote:
> CVE-2018-1055 is the CVE we have listed on our security advisories page.
> [1] https://www.libreoffice.org/about-us/security/advisories/

Which is my point, but Paul used "the other one".

Regards, Rene

Re: How to check that CVE-2018-6871 is fixed?

2018-02-11 Thread Chris Sherlock
CVE-2018-1055 is the CVE we have listed on our security advisories page. https://www.libreoffice.org/about-us/security/advisories/ > On 11 Feb 2018, at 8:34 pm, Rene Engelhard wrote: > > On Sat, Feb 10, 2018 at

Re: How to check that CVE-2018-6871 is fixed?

2018-02-11 Thread Rene Engelhard
On Sat, Feb 10, 2018 at 12:07:38PM +0100, Paul Menzel wrote:
> Maybe it’s my English, but “through 6.0.1” sounds to me like, that
> version is affected. The vulnerability description page [2] says, that
> LibreOffice 6.0.1 is not affected.

I'd more guess it's that irresponsible disclosure guys

Re: How to check that CVE-2018-6871 is fixed?

2018-02-10 Thread Chris Sherlock
Sorry, I should also note that we have a security advisories page: https://www.libreoffice.org/about-us/security/advisories/

This one is fixed in LibreOffice 5.4.5/6.0.1

Chris

> On 11 Feb 2018, at 6:22 pm, Chris Sherlock

Re: How to check that CVE-2018-6871 is fixed?

2018-02-10 Thread Chris Sherlock
Fixed in commit: https://cgit.freedesktop.org/libreoffice/core/commit/?id=34bbe8f858fd992c784586b839c0f1dc8a218b4a

> author Caolán McNamara 2018-01-10 14:27:35
>

How to check that CVE-2018-6871 is fixed?

2018-02-10 Thread Paul Menzel
Dear LibreOffice folks, So according to CVE-2018-6871, “LibreOffice through 6.0.1 allows remote attackers to read arbitrary files via =WEBSERVICE calls in a document, which use the COM.MICROSOFT.WEBSERVICE function.”. Maybe it’s my English, but “through 6.0.1” sounds to me like, that version