Your message dated Thu, 7 Aug 2008 13:35:16 +0200
with message-id <20080807113516.GC15634@rene-engelhard.de>
and subject line Re: Bug#494100: openoffice.org: CVE-2008-3437 does not properly check authenticity of updates
has caused the Debian Bug report #494100,
regarding openoffice.org: CVE-2008-3437 does not properly check authenticity of updates
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

-- 
494100: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494100
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: openoffice.org: CVE-2008-3437 does not properly check authenticity of updates
- From: Nico Golde <nion@debian.org>
- Date: Thu, 7 Aug 2008 11:05:19 +0200
- Message-id: <20080807090519.GA10791@ngolde.de>

Package: openoffice.org
Severity: grave
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for openoffice.org.

CVE-2008-3437[0]:
| OpenOffice.org (OOo) before 2.1.0 does not properly verify the
| authenticity of updates, which allows man-in-the-middle attackers to
| execute arbitrary code via a Trojan horse update, as demonstrated by
| evilgrade and DNS cache poisoning.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3437
    http://security-tracker.debian.net/tracker/CVE-2008-3437

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Attachment: pgpvQHTKTGDcO.pgp
Description: PGP signature
--- End Message ---
--- Begin Message ---
- To: 494100-done@bugs.debian.org
- Subject: Re: Bug#494100: openoffice.org: CVE-2008-3437 does not properly check authenticity of updates
- From: Rene Engelhard <rene@debian.org>
- Date: Thu, 7 Aug 2008 13:35:16 +0200
- Message-id: <20080807113516.GC15634@rene-engelhard.de>
- In-reply-to: <20080807090519.GA10791@ngolde.de>
- References: <20080807090519.GA10791@ngolde.de>

Nico Golde wrote:
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for openoffice.org.
>
> CVE-2008-3437[0]:
> | OpenOffice.org (OOo) before 2.1.0 does not properly verify the
> | authenticity of updates, which allows man-in-the-middle attackers to
> | execute arbitrary code via a Trojan horse update, as demonstrated by
> | evilgrade and DNS cache poisoning.
>
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.

The vulnerability is already fixed by us not using/enabling that broken
self-update function.

So we have no bug here. Closing.

Regards,

Rene
--- End Message ---