Date: Wed, 8 Mar 2023 01:21:07 GMT
Message-Id: <202303080121.3281L7Yd056769@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
From: Don Lewis
Subject: git: 4cc9e62c14ec - main - security/vuxml: openoffice 2022 vulnerabilities
List-Id: Commits to the main branch of the FreeBSD ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main
Sender: owner-dev-commits-ports-main@freebsd.org
X-Git-Committer: truckman
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 4cc9e62c14ec4daaebce7350a190a26c4c387f3f
Auto-Submitted: auto-generated

The branch main has been updated by truckman:

URL: https://cgit.FreeBSD.org/ports/commit/?id=4cc9e62c14ec4daaebce7350a190a26c4c387f3f

commit 4cc9e62c14ec4daaebce7350a190a26c4c387f3f
Author:     Don Lewis
AuthorDate: 2023-03-08 01:17:01 +0000
Commit:     Don Lewis
CommitDate: 2023-03-08 01:17:01 +0000

    security/vuxml: openoffice 2022 vulnerabilities

    Belatedly document Apache OpenOffice vulnerabilities from 2022.
    The port was broken at the time.
---
 security/vuxml/vuln/2023.xml | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/security/vuxml/vuln/2023.xml b/security/vuxml/vuln/2023.xml index 2b17919a9eac..62b2600e5c4f 100644 --- a/security/vuxml/vuln/2023.xml +++ b/security/vuxml/vuln/2023.xml @@ -1,3 +1,37 @@ + + Apache OpenOffice -- master password vulnerabilities + + + apache-openoffice + 4.1.13 + + + apache-openoffice-devel + 4.2.1678061694i,4 + + + + +

The Apache Openoffice project reports:

+
+

Apache OpenOffice supports the storage of passwords for web connections in the user's configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in OpenOffice existed where the required initialization vector for encryption was always the same which weakens the security of the encryption making them vulnerable if an attacker has access to the user's configuration data. This issue affects: Apache OpenOffice versions prior to 4.1.13. Reference: CVE-2022-26306 - LibreOffice

+
+
+

Apache OpenOffice supports the storage of passwords for web connections in the user's configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in OpenOffice existed where master key was poorly encoded resulting in weakening its entropy from 128 to 43 bits making the stored passwords vulnerable to a brute force attack if an attacker has access to the users stored config. This issue affects: Apache OpenOffice versions prior to 4.1.13. Reference: CVE-2022-26307 - LibreOffice

+
+ +
+ + CVE-2022-37400 + CVE-2022-37401 + https://cwiki.apache.org/confluence/display/OOOUSERS/AOO+4.1.13+Release+Notes + + + 2022-02-25 + 2023-03-08 + +
+ rack -- possible DoS vulnerability in multipart MIME parsing
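Review bot: The version bound given for apache-openoffice-devel, 4.2.1678061694i,4, has a letter "i" between the numeric component and the ",4" epoch suffix, which reads like a stray editor keystroke; please confirm it against the port's actual version string, since a malformed bound changes which installed packages this entry matches. Separately, the two quoted descriptions cite CVE-2022-26306 and CVE-2022-26307 (both tagged LibreOffice) while the references list CVE-2022-37400 and CVE-2022-37401; a short remark in each description saying which of the listed CVEs it corresponds to would make the entry easier to cross-check.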