Daniel. Thank you for the quick response. This definitely helps us to counter the opposition. The objection was a reaction to the CVE being there. The team asking for the software figured there was a fix as it was reported in version 1.12.
CA

On Wednesday, March 22, 2023 at 12:10:20 PM UTC-4 Daniel Sahlberg wrote:

> On Wednesday, 22 March 2023 at 15:53:04 UTC+1, F&F Technologies wrote:
>
> > Good day all.
> >
> > My organization is trying to use TortoiseSVN as a version control client.
> > In researching, from the user group, it looks as though this may not be
> > accepted as a vulnerability by TortoiseSVN.
> >
> > The concern is that a macro can be executed which might harm a network. It
> > appears that there are a number of steps to get there.
> >
> > 1. Can someone please advise if this was addressed?
> >
> > 2. If addressed, where might I find documentation on the resolution?
> >
> > 3. If not, are there plans to?
> >
> > 4. If no plans, requesting explanation why so I can present to organization.
> >
> > I am hoping to obtain an answer by end of day Thursday as I have a meeting to
> > rebut objections.
> >
> > Thanks.
> >
> > https://www.cvedetails.com/cve/CVE-2019-14422/
>
> Please check r28647 of the diff script at
> https://svn.osdn.net/svnroot/tortoisesvn/trunk/contrib/diff-scripts/, it
> adds a protection layer by disabling macros:
>
> // disable all macros
> objExcelApp.AutomationSecurity = 3; //msoAutomationSecurityForceDisable
>
> Based on the date it seems to be in reaction to the CVE. It should have
> been included in the 1.13 release, it certainly is included as installed in
> 1.14.5.
>
> Kind regards,
> Daniel
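
An added example (not part of the thread and not TortoiseSVN's own code): a Node.js check that a JScript diff script sets `AutomationSecurity = 3` on its Office automation object before it opens any file, which is one way to confirm that an installed script carries the protection described in the reply above. The function names, the sample script texts and the choice to cover Word and PowerPoint objects as well as Excel are assumptions made for the illustration.

```javascript
// Added example: audit a JScript diff script for the macro-disable guard.
const FORCE_DISABLE = 3; // msoAutomationSecurityForceDisable

// Blank out comments (same length, newlines kept) so a commented-out guard
// is not counted. Simplification: "//" inside a string literal is also blanked.
function stripComments(src) {
  return src.replace(/\/\*[\s\S]*?\*\/|\/\/[^\n]*/g, (m) => m.replace(/[^\n]/g, " "));
}

// One finding per Office automation object created in the script.
function auditDiffScript(src) {
  const code = stripComments(src);
  const create = /(\w+)\s*=\s*new\s+ActiveXObject\(\s*["'](Excel|Word|PowerPoint)\.Application["']\s*\)/g;
  const findings = [];
  for (const m of code.matchAll(create)) {
    const [, name, app] = m;
    const rest = code.slice(m.index + m[0].length);
    const guard = new RegExp(`\\b${name}\\.AutomationSecurity\\s*=\\s*(\\d+)\\s*;`).exec(rest);
    const open = new RegExp(`\\b${name}\\.\\w+\\.Open\\s*\\(`).exec(rest);
    let status = "ok";
    if (!guard) status = "missing";
    else if (Number(guard[1]) !== FORCE_DISABLE) status = "wrong-value";
    else if (open && open.index < guard.index) status = "set-after-open";
    findings.push({ variable: name, app, status });
  }
  return findings;
}

// Constructed sample scripts (not taken from the TortoiseSVN repository).
const guarded = `
var objExcelApp = new ActiveXObject("Excel.Application");
// disable all macros
objExcelApp.AutomationSecurity = 3; //msoAutomationSecurityForceDisable
var objBook = objExcelApp.Workbooks.Open(sPath);
`;
const unguarded = `
var objExcelApp = new ActiveXObject("Excel.Application");
// objExcelApp.AutomationSecurity = 3;
var objBook = objExcelApp.Workbooks.Open(sPath);
`;

console.log(auditDiffScript(guarded), auditDiffScript(unguarded));
```

To audit a real installation, pass the text of each installed diff script to `auditDiffScript` and treat any status other than `ok` as a script that still opens documents with macros enabled.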