Author: buildbot
Date: Fri Jun 21 12:09:06 2013
New Revision: 866797
Log:
Staging update by buildbot for ooo-site
Added:
websites/staging/ooo-site/trunk/content/security/cves/CVE-2013-1571.html
Modified:
websites/staging/ooo-site/trunk/cgi-bin/ (props changed)
websites/staging/ooo-site/trunk/content/ (props changed)
websites/staging/ooo-site/trunk/content/security/bulletin.html
Propchange: websites/staging/ooo-site/trunk/cgi-bin/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Fri Jun 21 12:09:06 2013
@@ -1 +1 @@
-1495196
+1495404
Propchange: websites/staging/ooo-site/trunk/content/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Fri Jun 21 12:09:06 2013
@@ -1 +1 @@
-1495196
+1495404
Modified: websites/staging/ooo-site/trunk/content/security/bulletin.html
==============================================================================
--- websites/staging/ooo-site/trunk/content/security/bulletin.html (original)
+++ websites/staging/ooo-site/trunk/content/security/bulletin.html Fri Jun 21
12:09:06 2013
@@ -36,6 +36,7 @@
<h3>Fixed in Apache OpenOffice 3.4.1</h3>
<ul>
<li><a href="cves/CVE-2012-2665.html">CVE-2012-2665</a>: Manifest-processing
errors in Apache OpenOffice 3.4.0</li>
+<li><a href="cves/CVE-2012-2665.html">CVE-2013-1571</a>: Frame Injection
Vulnerability in SDK JavaDoc</li>
</ul>
<h3>Fixed in Apache OpenOffice 3.4.0</h3>
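Review bot: The added list item's href is cves/CVE-2012-2665.html while its link text reads CVE-2013-1571, so the new bulletin entry sends readers to the previous advisory; the href should be cves/CVE-2013-1571.html, the file this commit adds. The entry also sits under "Fixed in Apache OpenOffice 3.4.1", but the new advisory lists the 3.4.1 SDK as affected, so it likely belongs under a different heading.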
Added: websites/staging/ooo-site/trunk/content/security/cves/CVE-2013-1571.html
==============================================================================
--- websites/staging/ooo-site/trunk/content/security/cves/CVE-2013-1571.html
(added)
+++ websites/staging/ooo-site/trunk/content/security/cves/CVE-2013-1571.html
Fri Jun 21 12:09:06 2013
@@ -0,0 +1,100 @@
+<!--#include virtual="/doctype.html" -->
+<html>
+<head>
+<link href="/css/ooo.css" rel="stylesheet" type="text/css">
+
+ <title> CVE-2013-1571</title>
+ <style type="text/css"></style>
+
+<!--#include virtual="/google-analytics.js" -->
+</head>
+<body>
+<!--#include virtual="/brand.html" -->
+ <div id="topbara">
+ <!--#include virtual="/topnav.html" -->
+ <div id="breadcrumbsa"><a href="/">home</a> » <a
href="/security/">security</a> » <a
href="/security/cves/">cves</a></div>
+ </div>
+ <div id="clear"></div>
+
+
+ <div id="content">
+
+
+
+ <h2><a
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2013-1571">CVE-2013-1571</a></h2>
+
+ <h3>
+ Frame Injection Vulnerability in SDK JavaDoc
+ </h3>
+
+ <ul>
+
+ <h4>Severity: Medium</h4>
+
+ <h4>Vendor: The Apache Software Foundation</h4>
+
+ <h4>Versions Affected:</h4>
+ <ul>
+ <li>Apache OpenOffice 3.4.1 SDK, on all
platforms.</li>
+ <li>Earlier versions may be also
affected.</li>
+ </ul>
+
+
+<h4>Description:</h4>
+<p>
+As reported on June 18th there is a <a
href="http://www.kb.cert.org/vuls/id/225657">vulnerability in JavaDoc</a>
generated by Java 5, Java 6 and Java 7 before update 22. Generated
+ JavaDoc files could be suceptible to HTML frame injection attacks. Our
investigation indicated that the UDK 3.2.7 Java API Reference in the Apache
OpenOffice SDK contains
+ a vulnerable HTML file.</p>
+
+<p>Note: Ordinary installs of OpenOffice are not impacted by this
vulnerability. Only installs of the OpenOffice SDK, typically only installed
by software developers writing
+ extensions, are impacted</p>
+
+ <h4>Mitigation</h4>
+ <p>SDK users should update their installations by replacing
/docs/java/ref/index.html with this
+ <a
href="http://www.apache.org/dyn/aoo-closer.cgi/incubator/ooo/3.4.1/source/cve-2013-1571.zip">patched
version</a>.
+ Download, unzip and follow the instructions in the enclosed README
file.</p>
+
+ <p>Users with earlier versions of the SDK (pre 3.4.1) should <a
href="http://www.download.openoffice.org/download/other.html#tested-sdk">upgrade
to the current version</a> and then apply the patch. Alternative, they can
download and run
+ Oracle's <a
href="http://www.oracle.com/technetwork/java/javase/downloads/java-doc-updater-tool-1955731.html">Java
API Documentation Updater Tool</a> to repair
+ the vulnerabilities in place.</p>
+
+
+<h4>Verifying the Integrity of Downloaded Files</h4>
+
+<p>
+We have provided <a
href="http://www.apache.org/dist/incubator/ooo/3.4.1/source/cve-2013-1571.zip.md5">MD5</a>
and <a
href="http://www.apache.org/dist/incubator/ooo/3.4.1/source/cve-2013-1571.zip.sha256">SHA256</a>
hashes of these patches,
+ as well as a <a
href="http://www.apache.org/dist/incubator/ooo/3.4.1/source/cve-2013-1571.zip.asc">GPG/PGP
detached digital signature</a>, for those who wish to verify the
+ integrity of this file.
+<p>
+The MD5 and SHA256 hashes can be verified using Unix tools like md5sum or
sha256sum.
+<p>
+The PGP signatures can be verified using PGP or GPG. First download the <a
href="http://www.apache.org/dist/incubator/ooo/KEYS">KEYS</a> file, as well as
the asc signature file for the particular patch from above. Make sure you get
these files from the main distribution directory, rather than from a mirror.
Then verify the signatures as follows:
+<p>
+<code>
+% pgpk -a KEYS <br>
+% pgpv cve-2013-1571.zip.asc <br>
+</code>
+<em>or</em>
+<br>
+<code>
+% pgp -ka KEYS <br>
+% pgp cve-2013-1571.zip.asc <br>
+</code>
+<em>or</em>
+<br>
+<code>
+% gpg --import KEYS <br>
+% gpg --verify cve-2013-1571.zip.asc <br>
+</code>
+
+
+
+ <hr />
+
+ <p><a href="http://security.openoffice.org">Security Home</a> -> <a
href="http://security.openoffice.org/bulletin.html">Bulletin</a> ->
+ <a
href="http://security.openoffice.org/security/cves/CVE-2013-1571.html">CVE-2013-1571</a></p>
+
+ </div>
+<!--#include virtual="/footer.html" -->
+</body>
+</html>
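Review bot: In the "Verifying the Integrity of Downloaded Files" section, the KEYS file, the .asc signature and both hash files are all linked over plain http://, so a reader following these steps fetches the trust anchor over a channel that can be modified in transit; link them over https:// and consider stating the signing key's fingerprint in the text so the imported key can be checked. Separately, the ul opened just before "Severity: Medium" wraps h4 elements and is never closed, the p elements in the verification section are left open, and "suceptible" and "Alternative, they can" need correcting.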