Bug#494100: marked as done (openoffice.org: CVE-2008-3437 does not properly check authenticity of updates)

[owner@bugs.debian.org (Debian Bug Tracking System)]

Your message dated Thu, 7 Aug 2008 13:35:16 +0200
with message-id <20080807113516.GC15634@rene-engelhard.de>
and subject line Re: Bug#494100: openoffice.org: CVE-2008-3437 does not properly check authenticity of updates
has caused the Debian Bug report #494100,
regarding openoffice.org: CVE-2008-3437 does not properly check authenticity of updates
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
494100: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494100
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: submit@bugs.debian.org
• Subject: openoffice.org: CVE-2008-3437 does not properly check authenticity of updates
• From: Nico Golde <nion@debian.org>
• Date: Thu, 7 Aug 2008 11:05:19 +0200
• Message-id: <[🔎] 20080807090519.GA10791@ngolde.de>

Package: openoffice.org
Severity: grave
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for openoffice.org.

CVE-2008-3437[0]:
| OpenOffice.org (OOo) before 2.1.0 does not properly verify the
| authenticity of updates, which allows man-in-the-middle attackers to
| execute arbitrary code via a Trojan horse update, as demonstrated by
| evilgrade and DNS cache poisoning.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3437
    http://security-tracker.debian.net/tracker/CVE-2008-3437

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Attachment: pgpvQHTKTGDcO.pgp
Description: PGP signature

--- End Message ---

--- Begin Message ---

• To: 494100-done@bugs.debian.org
• Subject: Re: Bug#494100: openoffice.org: CVE-2008-3437 does not properly check authenticity of updates
• From: Rene Engelhard <rene@debian.org>
• Date: Thu, 7 Aug 2008 13:35:16 +0200
• Message-id: <20080807113516.GC15634@rene-engelhard.de>
• In-reply-to: <[🔎] 20080807090519.GA10791@ngolde.de>
• References: <[🔎] 20080807090519.GA10791@ngolde.de>

Nico Golde wrote:
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for openoffice.org.
> 
> CVE-2008-3437[0]:
> | OpenOffice.org (OOo) before 2.1.0 does not properly verify the
> | authenticity of updates, which allows man-in-the-middle attackers to
> | execute arbitrary code via a Trojan horse update, as demonstrated by
> | evilgrade and DNS cache poisoning.
> 
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.

The vulnerability is already fixed by us not using/enabling those broken
self-update function. So we have no bug here. Closing.

Regards,

Rene

--- End Message ---