Wheezy update of libreoffice #2 (CVE-2016-1513)

To: Debian LTS <debian-lts@lists.debian.org>
Cc: team@security.debian.org
Subject: Wheezy update of libreoffice #2 (CVE-2016-1513)
From: Rene Engelhard <rene@debian.org>
Date: Thu, 4 Aug 2016 06:43:36 +0200
Message-id: <[🔎] 20160804044336.GA25820@rene-engelhard.de>

[ CC'ing team@security so that they know nothing supported is affected by
it. ]

Hi,

apparently Apache knew it since October 2015, tested with "current" LibreOffices
but they said they didn't test with old, so didn't inform LO *at all* until
this came up last Thursday again confirming that old LOs *are* affected..

See also http://www.openoffice.org/security/cves/CVE-2016-1513.html

The fix already went into (later) 4.2 and 4.3 versions.

so: 

wheezy: affected
jessie: 4.3.3 - unaffected, AFAICS [1]
stretch/sid: "of course" unaffected

A (untested, except that the patch applies) source package is - as last time -
available on http://people.debian.org/~rene/libreoffice/wheezy

Own-imposed LibreOffice embargo ends today. (I knew it only since last
Thursday, too when we wrote about the other issue but of course couldn't
write it beforehand to something public..)

Regards,

Rene

[1]
(jessie)rene@frodo ..reOffice/libreoffice/libreoffice-4.3.3 % patch -p1 --dry-run < ~/index.html\?id=fd64d444b730f6cb7216dac8f6e3f94b97d7ab60 
checking file tools/source/generic/poly2.cxx
Reversed (or previously applied) patch detected!  Assume -R? [n] 
Apply anyway? [n] 
Skipping patch.
4 out of 4 hunks ignored
checking file vcl/source/gdi/metaact.cxx
Reversed (or previously applied) patch detected!  Assume -R? [n] Apply anyway? [n] Skipping patch.
1 out of 1 hunk ignored

Reply to:

Follow-Ups:
- Re: Wheezy update of libreoffice #2 (CVE-2016-1513)
  - From: Rene Engelhard <rene@debian.org>

Prev by Date: [no subject]
Next by Date: Re: Wheezy update of collectd?
Previous by thread: [no subject]
Next by thread: Re: Wheezy update of libreoffice #2 (CVE-2016-1513)
Index(es):
- Date
- Thread