Date: Thu, 15 Apr 2021 20:10:04 -0700
From: Cy Schubert <Cy.Schubert@cschubert.com>
To: freebsd-ports@freebsd.org, freebsd-office@freebsd.org
Subject: CVE-2021-30245: Code execution in Apache OpenOffice via non-http(s) schemes in H (fwd)
Message-ID: <202104160310.13G3A4cF029949@slippy.cwsent.com>

Hi,

This looks significant. Considering the age of the bug it probably affects
LibreOffice too. Original announcement below.

-- 
Cheers,
Cy Schubert <Cy.Schubert@cschubert.com>
FreeBSD UNIX: <cy@FreeBSD.org> Web: https://FreeBSD.org
NTP: <cy@nwtime.org> Web: https://nwtime.org

The need of the many outweighs the greed of the few.

------- Forwarded Message

Date: Thu, 15 Apr 2021 12:23:05 -0700
From: Dave Fisher <wave@apache.org>
To: announce@apache.org
Subject: CVE-2021-30245: Code execution in Apache OpenOffice via non-http(s) schemes in Hyperlinks

Severity: moderate

Description:

The project received a report that all versions of Apache OpenOffice through
4.1.8 can open non-http(s) hyperlinks. The problem has existed since about 2006
and the issue is also in 4.1.9. If the link is specifically crafted this could
lead to untrusted code execution. It is always best practice to be careful
opening documents from unknown and unverified sources. The mitigation in Apache
OpenOffice 4.1.10 (unreleased) assures that a security warning is displayed
giving the user the option of continuing to open the hyperlink.

Credit:

Fabian Bräunlein and Lukas Euler of Positive Security

------- End of Forwarded Message
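
Added example, not part of the original message or of Apache OpenOffice's code: a defender-side check that lists the hyperlinks in an ODF file whose scheme is not http or https, the condition the advisory describes. It assumes hyperlinks are stored as xlink:href attributes in the package's XML members; the function names, size cap and sample document are constructed for illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
ALLOWED_SCHEMES = {"http", "https"}   # schemes the advisory treats as expected
MAX_MEMBER_BYTES = 20 * 1024 * 1024   # assumed cap; oversized XML members are skipped
SCHEME_RE = re.compile(r"([A-Za-z][A-Za-z0-9+.\-]*):")  # RFC 3986 scheme syntax


def find_non_http_links(odf_bytes):
    """Return sorted (member, href) pairs with an explicit non-http(s) scheme."""
    hits = set()
    with zipfile.ZipFile(io.BytesIO(odf_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.endswith(".xml") or info.file_size > MAX_MEMBER_BYTES:
                continue
            root = ET.fromstring(zf.read(info))  # a ParseError here is worth surfacing
            for elem in root.iter():
                href = (elem.get(XLINK_HREF) or "").strip()
                match = SCHEME_RE.match(href)
                # In-document anchors ("#name") and relative links carry no scheme.
                if match and match.group(1).lower() not in ALLOWED_SCHEMES:
                    hits.add((info.filename, href))
    return sorted(hits)


def build_sample_odt():
    """Constructed sample: a minimal ODF-style package with four hyperlinks."""
    content = (
        '<office:document-content'
        ' xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"'
        ' xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0"'
        ' xmlns:xlink="http://www.w3.org/1999/xlink"><office:body><office:text>'
        '<text:p><text:a xlink:href="https://example.org/">web</text:a></text:p>'
        '<text:p><text:a xlink:href="ftp://ftp.example.org/readme.txt">ftp</text:a></text:p>'
        '<text:p><text:a xlink:href="MAILTO:someone@example.org">mail</text:a></text:p>'
        '<text:p><text:a xlink:href="#Section1">anchor</text:a></text:p>'
        '</office:text></office:body></office:document-content>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        zf.writestr("content.xml", content)
    return buf.getvalue()


if __name__ == "__main__":
    for member, href in find_non_http_links(build_sample_odt()):
        print(f"{member}: {href}")
```

Run over incoming documents, a non-empty result marks files to review before they are opened in a version without the 4.1.10 warning.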