Bug#494100: openoffice.org: CVE-2008-3437 does not properly check authenticity of updates

To: submit@bugs.debian.org
Subject: Bug#494100: openoffice.org: CVE-2008-3437 does not properly check authenticity of updates
From: Nico Golde <nion@debian.org>
Date: Thu, 7 Aug 2008 11:05:19 +0200
Message-id: <[🔎] 20080807090519.GA10791@ngolde.de>
Reply-to: Nico Golde <nion@debian.org>, 494100@bugs.debian.org

Package: openoffice.org
Severity: grave
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for openoffice.org.

CVE-2008-3437[0]:
| OpenOffice.org (OOo) before 2.1.0 does not properly verify the
| authenticity of updates, which allows man-in-the-middle attackers to
| execute arbitrary code via a Trojan horse update, as demonstrated by
| evilgrade and DNS cache poisoning.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3437
    http://security-tracker.debian.net/tracker/CVE-2008-3437

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Attachment: pgpUKkfbw1bYF.pgp
Description: PGP signature

Reply to:

Follow-Ups:
- Bug#494100: marked as done (openoffice.org: CVE-2008-3437 does not properly check authenticity of updates)
  - From: owner@bugs.debian.org (Debian Bug Tracking System)

Prev by Date: Bug#486810: openoffice.org: menu text ureadable until swept by the mouse cursor
Next by Date: Bug#494100: marked as done (openoffice.org: CVE-2008-3437 does not properly check authenticity of updates)
Previous by thread: ./packages/openofficeorg/3.0/experimental r1209: update GSIs; changelog fix; regenerate control
Next by thread: Bug#494100: marked as done (openoffice.org: CVE-2008-3437 does not properly check authenticity of updates)
Index(es):
- Date
- Thread