Author: orcmid
Date: Wed Nov 4 21:30:23 2015
New Revision: 1712657
URL: http://svn.apache.org/viewvc?rev=1712657&view=rev
Log:
Upload for review by the reporter
Added:
openoffice/ooo-site/trunk/content/security/cves/CVE-2015-4551.html (with
props)
Added: openoffice/ooo-site/trunk/content/security/cves/CVE-2015-4551.html
URL:
http://svn.apache.org/viewvc/openoffice/ooo-site/trunk/content/security/cves/CVE-2015-4551.html?rev=1712657&view=auto
==============================================================================
--- openoffice/ooo-site/trunk/content/security/cves/CVE-2015-4551.html (added)
+++ openoffice/ooo-site/trunk/content/security/cves/CVE-2015-4551.html [UTF-8]
Wed Nov 4 21:30:23 2015
@@ -0,0 +1,124 @@
+
+<!DOCTYPE html>
+<html>
+ <head>
+ <title>CVE-2015-4551</title>
+ <style type="text/css"></style>
+ </head>
+
+ <body>
+ <!-- These were previously defined as XHTML pages. The current
+ wrapping for the site introduces HTML5 headers and formats.
+ This version is modified to match the wrapping that is done as part
+ of publishing this page and not rely on any particular styling
+ beyond <p>.
+ -->
+ <p>
+ <a
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2015-4551";>CVE-2015-4551</a>
+ </p>
+ <p>
+ <a
href="http://www.openoffice.org/security/cves/CVE-2015-4551.html";>Apache
OpenOffice Advisory</a>
+ </p>
+
+ <p style="text-align:center; font-size:largest"><strong>CVE-2015-4551:
+ TARGETED DATA DISCLOSURE</strong></p>
+
+ <p style="text-align:center; font-size:larger"><strong>Fixed in Apache
OpenOffice 4.1.2</strong></p>
+
+
+ <p>
+ <strong>Version 1.0</strong>
+ <br />
+ Announced November 4, 2015</p>
+
+ <p>
+ A vulnerability in OpenOffice settings of OpenDocument Format
+ files and templates allows silent access to files that are
+ readable from an user account, over-riding the user's default
+ configuration settings. Once these files are imported into a
+ maliciously-crafted document, the data can be silently hidden
+ in the document and possibly exported to an external party
+ without being observed.
+</p>
+
+ <p>
+ <strong>Severity: Important</strong>
+ </p>
+ <p>There are no known exploits of this vulnerabilty.<br />
+ A proof-of-concept demonstration exists.</p>
+ <p>
+ <strong>Vendor: The Apache Software Foundation</strong>
+ </p>
+
+ <p>
+ <strong>Versions Affected</strong></p>
+
+ <p>All Apache OpenOffice versions 4.1.1 and older are affected.<br />
+ OpenOffice.org versions are also affected.</p>
+
+ <p><strong>Related</strong>:
+ <a
href="https://www.openoffice.org/security/cves/CVE-2014-3575.html";>CVE-2014-3575</a>
+ and <a
href="https://www.openoffice.org/security/cves/CVE-2012-0037.html";>CVE-2012-0037</a></p>
+
+ <p>
+ <strong>Mitigation</strong>
+ </p>
+ <p>Apache OpenOffice users are urged to download and install
+ Apache OpenOffice version 4.1.2 or later.</p>
+ <p>
+ Apache OpenOffice 4.1.2 mitigates this vulnerability by ignoring
+ in-document settings that over-ride default behavior when accessing
+ data beyond the document itself. The automatic default behavior
+ is changed to make such access evident to the user, who must then
+ approve the access.
+ </p>
+ <p>
+ <strong>Nature of Attack</strong>
+ </p>
+ <p>
+ This vulnerability requires an exquisitely crafted attack to
+ locate targeted files, silently retrieve them, and then deliver
+ their data in a manner that escapes notice. Knowledge of the
+ user's system and specific configuration is generally required.
+ </p>
+ <p><strong>Precautions</strong></p>
+ <p>
+
+ <p>
+ In addition to keeping Apache OpenOffice updated, users can reduce
+ the threat of this kind of data access from ODF
+ documents. Keep documents and sensitive materials separate from
+ common, predictable locations, including on networks. Require
+ additional access permissions for access to sensitive materials
+ even when operating under the user's normal account.</p>
+
+
+ <p>
+ <strong>Further Information</strong>
+ </p>
+ <p>For additional information and assistance, consult the
+ <a href="https://forum.openoffice.org/";>Apache OpenOffice Community
Forums</a>
+ or make requests to the
+ <a
href="mailto:us...@openofffice.apache.org";>us...@openofffice.apache.org</a>
+ public mailing list.
+ </p>
+ <p>The latest information on Apache OpenOffice security bulletins
+ can be found at the <a
href="http://www.openoffice.org/security/bulletin.html";>Bulletin
+ Archive page</a>.</p>
+
+ <p><strong>Credits</strong></p>
+ <p>
+ The Apache OpenOffice security team thanks Federico "fox" Scrinzi
+ for reporting the defect and Stephan Bergmann of Red Hat for
+ analysis and a repair solution.
+ </p>
+
+ <hr />
+
+ <p>
+ <a href="http://security.openoffice.org";>Security Home</a>
+ -> <a href="http://security.openoffice.org/bulletin.html";>Bulletin</a>
+ -> <a
href="http://www.openoffice.org/security/cves/CVE-2015-4551.html";>CVE-2015-4551</a>
+ </p>
+ </body>
+</html>
Propchange: openoffice/ooo-site/trunk/content/security/cves/CVE-2015-4551.html
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: openoffice/ooo-site/trunk/content/security/cves/CVE-2015-4551.html
------------------------------------------------------------------------------
svn:mime-type = text/html;charset=UTF-8
