On 03/26/2007 11:12 AM, Per wrote:
> ====
> Up to now, no patched version of OpenOffice has been released. Users of
> OpenOffice are therefore advised to refrain from opening any documents
> that are not explicitly from trustworthy sources.
> ====
>
> Check this out... copied from OOo:s homepage...
>
> OpenOffice.org Security
>
> Several security vulnerabilities <http://www.openoffice.org/security>
> have been reported
> <http://www.computing.co.uk/vnunet/news/2186206/trio-security-holes-found-open>
> on in the media in the last week, where users' PCs could be open to
> attack if they opened certain documents or websites.
>
> These issues are fully addressed in the forthcoming OpenOffice.org 2.2.
> The latest Release Candidate (RC) of 2.2 - including the security fixes
> - is available for download now. RCs are produced to allow the widest
> possible testing of a release immediately prior to the final release,
> and barring last-minute surprises, 2.2 will be identical to the RC.
>
> So, if you have a reason to believe that your usage of OpenOffice.org
> puts you at risk from the new vulnerabilities, or if you would like to
> help us with the final testing of 2.2, please download and use the RC now.
>
> If you do find problems with the RC, please report them to us. You will
> be playing a vital role in helping us ensure the ongoing quality of
> OpenOffice.org.
>
> * OpenOffice.org 2.2 RC 4 <http://download.openoffice.org/680/>
> * QA Project
>   <http://qa.openoffice.org/issue_handling/pre_submission.html>
>
> Best regards..
>
> // Per

Well I'm certainly confused... or OOo is, or Debian is, or Ubuntu is.

Example:
http://www.openoffice.org/security/CVE-2007-2.html
[CVE-2007-0002 - WordPerfect Import Vulnerability]
States:
<quote>
2. Affected releases
All versions in the 2.x line prior to OpenOffice.org 2.2. Versions in
the 1.x line are not affected.

3. Symptoms
There are no predictable symptoms that would indicate the described
issue has been exploited.

4. Relief/Workaround
There is no workaround. See "Resolution" below.

5. Resolution
This issue is addressed in the following releases:
OpenOffice.org 2.2
</quote>

And makes no mention of 2.1 etc.
But the problem specifically relates to libwpd before 0.8.9.
Just the other day I received a patch *resolving* that issue:
<quote>
===========================================================
Ubuntu Security Notice USN-437-1             March 19, 2007
libwpd vulnerability
CVE-2007-0002
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 5.10
Ubuntu 6.06 LTS
Ubuntu 6.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 5.10:
  libwpd8c2     0.8.2-2ubuntu0.1

Ubuntu 6.06 LTS:
  libwpd8c2a    0.8.4-2ubuntu0.1

Ubuntu 6.10:
  libwpd8c2a    0.8.6-1ubuntu0.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Sean Larsson of iDefense Labs discovered that libwpd was vulnerable to
integer overflows. If a user were tricked into opening a specially
crafted WordPerfect document with an application that used libwpd, an
attacker could execute arbitrary code with user privileges.

Updated packages for Ubuntu 5.10:

  Source archives:
</quote>

As did NIST:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0002
<quote>
Solution
This vulnerability has been addressed by the vendor through a product
update: http://sourceforge.net/projects/libwpd/
</quote>

Debian claims that 0002, 0238 & 0239 have been fixed:
http://www.debian.org/security/2007/dsa-127

http://www.openoffice.org/security/CVE-2007-0238
also shows State resolved and:
<quote>
4. Relief/Workaround
There is no workaround. See "Resolution" below.

5. Resolution
This issue is addressed in the following releases:
OpenOffice.org 1.1.5 Patch, OpenOffice.org 2.2
</quote>

Same as 0002.

So as I said... I'm confused. (wouldn't be the first time).
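
The mismatch raised in the message above, between the upstream threshold ("libwpd before 0.8.9") and the lower package versions listed in USN-437-1, as an added example that is not part of the original post: a Python check showing that comparing only the upstream version reports the updated Ubuntu packages as vulnerable, while comparing the full package version against the advisory does not. The ordering functions are a compact reimplementation of Debian version comparison written for this example, and the installed version `0.8.4-2` is a constructed sample.

```python
import re

# Fixed package versions per release, copied from USN-437-1 as quoted in the post.
USN_437_1 = {
    "Ubuntu 5.10": ("libwpd8c2", "0.8.2-2ubuntu0.1"),
    "Ubuntu 6.06 LTS": ("libwpd8c2a", "0.8.4-2ubuntu0.1"),
    "Ubuntu 6.10": ("libwpd8c2a", "0.8.6-1ubuntu0.1"),
}
UPSTREAM_FIXED = "0.8.9"  # the post: the problem relates to "libwpd before 0.8.9"


def _order(ch):
    # Debian character order: '~' sorts before end-of-string, letters before symbols
    if ch == "~":
        return -1
    return ord(ch) if ch.isalpha() else ord(ch) + 256


def _part_key(part):
    # Alternate non-digit and digit runs; a 0 terminates each non-digit run
    return [(tuple(map(_order, text)) + (0,), int(num or 0))
            for text, num in re.findall(r"(\D*)(\d*)", part)]


def deb_key(version):
    """Sort key following Debian ordering: epoch, upstream version, revision."""
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, sep, revision = rest.rpartition("-")
    if not sep:  # no Debian revision present
        upstream, revision = rest, "0"
    return int(epoch), _part_key(upstream), _part_key(revision)


def assess(release, installed):
    """Return (naive, distro) verdicts for an installed libwpd package version."""
    fixed = USN_437_1[release][1]
    upstream = installed.rpartition("-")[0] or installed
    naive = "vulnerable" if deb_key(upstream) < deb_key(UPSTREAM_FIXED) else "fixed"
    distro = "vulnerable" if deb_key(installed) < deb_key(fixed) else "fixed"
    return naive, distro


if __name__ == "__main__":
    # "0.8.4-2" is a constructed pre-update version; the other is from the USN.
    for installed in ("0.8.4-2", "0.8.4-2ubuntu0.1"):
        print(installed, assess("Ubuntu 6.06 LTS", installed))
```

The first element of each result is what a scanner keyed only on the upstream version would report; the second is the verdict against the distribution's own advisory.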
