ALT-BU-2022-5087-1
Branch sisyphus update bulletin.
Package LibreOffice-still updated to version 7.2.7.2-alt1 for branch sisyphus in task 300735.
Closed vulnerabilities
BDU:2022-04770
Уязвимость пакета офисных программ LibreOffice, связанная с недостаточно стойким шифрованием данных, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации
BDU:2022-04771
Уязвимость пакета офисных программ LibreOffice, связанная с неправильным подтверждением подлинности сертификата, позволяющая нарушителю выполнить произвольный код
BDU:2022-04785
Уязвимость базы данных конфигураций пользователя пакета офисных программ LibreOffice, позволяющая нарушителю раскрыть защищаемую информацию
Modified: 2024-11-21
CVE-2022-26305
An Improper Certificate Validation vulnerability in LibreOffice existed where determining if a macro was signed by a trusted author was done by only matching the serial number and issuer string of the used certificate with that of a trusted certificate. This is not sufficient to verify that the macro was actually signed with the certificate. An adversary could therefore create an arbitrary certificate with a serial number and an issuer string identical to a trusted certificate which LibreOffice would present as belonging to the trusted author, potentially leading to the user to execute arbitrary code contained in macros improperly trusted. This issue affects: The Document Foundation LibreOffice 7.2 versions prior to 7.2.7; 7.3 versions prior to 7.3.1.
- [debian-lts-announce] 20230326 [SECURITY] [DLA 3368-1] libreoffice security update
- [debian-lts-announce] 20230326 [SECURITY] [DLA 3368-1] libreoffice security update
- https://www.libreoffice.org/about-us/security/advisories/cve-2022-26305
- https://www.libreoffice.org/about-us/security/advisories/cve-2022-26305
Modified: 2024-11-21
CVE-2022-26306
LibreOffice supports the storage of passwords for web connections in the user’s configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in LibreOffice existed where the required initialization vector for encryption was always the same which weakens the security of the encryption making them vulnerable if an attacker has access to the user's configuration data. This issue affects: The Document Foundation LibreOffice 7.2 versions prior to 7.2.7; 7.3 versions prior to 7.3.1.
- [oss-security] 20220812 CVE-2022-37400: Apache OpenOffice Static Initialization Vector Allows to Recover Passwords for Web Connections Without Knowing the Master Password
- [oss-security] 20220812 CVE-2022-37400: Apache OpenOffice Static Initialization Vector Allows to Recover Passwords for Web Connections Without Knowing the Master Password
- [debian-lts-announce] 20230326 [SECURITY] [DLA 3368-1] libreoffice security update
- [debian-lts-announce] 20230326 [SECURITY] [DLA 3368-1] libreoffice security update
- https://www.libreoffice.org/about-us/security/advisories/cve-2022-26306
- https://www.libreoffice.org/about-us/security/advisories/cve-2022-26306
Modified: 2024-11-21
CVE-2022-26307
LibreOffice supports the storage of passwords for web connections in the user’s configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in LibreOffice existed where master key was poorly encoded resulting in weakening its entropy from 128 to 43 bits making the stored passwords vulerable to a brute force attack if an attacker has access to the users stored config. This issue affects: The Document Foundation LibreOffice 7.2 versions prior to 7.2.7; 7.3 versions prior to 7.3.3.
- [oss-security] 20220812 CVE-2022-37401: Apache OpenOffice Weak Master Keys
- [oss-security] 20220812 CVE-2022-37401: Apache OpenOffice Weak Master Keys
- [debian-lts-announce] 20230326 [SECURITY] [DLA 3368-1] libreoffice security update
- [debian-lts-announce] 20230326 [SECURITY] [DLA 3368-1] libreoffice security update
- https://www.libreoffice.org/about-us/security/advisories/cve-2022-26307
- https://www.libreoffice.org/about-us/security/advisories/cve-2022-26307
Closed vulnerabilities
Modified: 2024-11-21
CVE-2022-1348
A vulnerability was found in logrotate in how the state file is created. The state file is used to prevent parallel executions of multiple instances of logrotate by acquiring and releasing a file lock. When the state file does not exist, it is created with world-readable permission, allowing an unprivileged user to lock the state file, stopping any rotation. This flaw affects logrotate versions before 3.20.0.
- [oss-security] 20220525 Re: CVE-2022-1348 logrotate: potential DoS from unprivileged users via the state file
- [oss-security] 20220525 Re: CVE-2022-1348 logrotate: potential DoS from unprivileged users via the state file
- [oss-security] 20220525 Re: Re: CVE-2022-1348 logrotate: potential DoS from unprivileged users via the state file
- [oss-security] 20220525 Re: Re: CVE-2022-1348 logrotate: potential DoS from unprivileged users via the state file
- [oss-security] 20220525 Re: Re: CVE-2022-1348 logrotate: potential DoS from unprivileged users via the state file
- [oss-security] 20220525 Re: Re: CVE-2022-1348 logrotate: potential DoS from unprivileged users via the state file
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2022-1348
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2022-1348
- FEDORA-2022-ff0188b37c
- FEDORA-2022-ff0188b37c
- FEDORA-2022-87c0f05204
- FEDORA-2022-87c0f05204
Closed vulnerabilities
Modified: 2024-11-21
CVE-2021-45940
libbpf 0.6.0 and 0.6.1 has a heap-based buffer overflow (4 bytes) in __bpf_object__open (called from bpf_object__open_mem and bpf-object-fuzzer.c).
Modified: 2024-11-21
CVE-2021-45941
libbpf 0.6.0 and 0.6.1 has a heap-based buffer overflow (8 bytes) in __bpf_object__open (called from bpf_object__open_mem and bpf-object-fuzzer.c).