===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2018.0419.2
                        libreoffice security update
                              13 February 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           libreoffice
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
                   Debian GNU/Linux 9
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Access Confidential Data -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-6871

Original Bulletin:
   http://www.debian.org/security/2018/dsa-4111

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Debian. It is recommended that administrators
         running libreoffice check for an updated version of the software
         for their operating system.

Revision History:  February 13 2018: An update has been released for Debian 8
                   February 12 2018: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian Security Advisory DSA-4111-2                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
February 12, 2018                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : libreoffice
CVE ID         : CVE-2018-6871

Mikhail Klementev, Ronnie Goodrich and Andrew Krasichkov discovered that
missing restrictions in the implementation of the WEBSERVICE function
in LibreOffice could result in the disclosure of arbitrary files
readable by the user who opens a malformed document.

For the oldstable distribution (jessie), this problem has been fixed
in version 1:4.3.3-2+deb8u10

We recommend that you upgrade your libreoffice packages.
For the detailed security status of libreoffice please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libreoffice

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

-------------------------------------------------------------------------
Debian Security Advisory DSA-4111-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
February 11, 2018                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : libreoffice
CVE ID         : CVE-2018-6871

Mikhail Klementev, Ronnie Goodrich and Andrew Krasichkov discovered that
missing restrictions in the implementation of the WEBSERVICE function
in LibreOffice could result in the disclosure of arbitrary files
readable by the user who opens a malformed document.

For the stable distribution (stretch), this problem has been fixed in
version 1:5.2.7-1+deb9u2.
We recommend that you upgrade your libreoffice packages.

For the detailed security status of libreoffice please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libreoffice

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================