This is Enoki.
An announcement about fixes for the following three vulnerabilities was posted on the tdf-discuss mailing list, so I am forwarding it.
CVE-2022-26305, CVE-2022-26306 and CVE-2022-26307
To use a version in which these vulnerabilities are fixed,
update the LibreOffice 7.2 series to 7.2.7 and the LibreOffice 7.3 series to 7.3.3 or later.
See the forwarded mail below for details.
---------- Forwarded message ---------
From: Caolán McNamara <caolanm@redhat.com>
Date: Mon, 25 Jul 2022 20:18
Subject: [tdf-discuss] security related information, CVE-2022-26305,
CVE-2022-26306 and CVE-2022-26307
To: <discuss@documentfoundation.org>
tl;dr upgrade LibreOffice 7-2 to 7.2.7,
and/or upgrade LibreOffice 7-3 to 7.3.3
CVE-2022-26305 Execution of Untrusted Macros Due to Improper
Certificate Validation
Due to a poor mechanism for comparing the authors of certificates, it
was possible to make a digitally signed document containing macros
incorrectly appear as if it was signed by a trusted author (if the user
had configured trusted certificates).
Fixed in 7.2.7 and 7.3.2
https://www.libreoffice.org/about-us/security/advisories/cve-2022-26305
---
LibreOffice supports the storage of passwords for web connections in
the user’s configuration database. The stored passwords are encrypted
with a single master key provided by the user. There were two problems
here:
CVE-2022-26306 Static Initialization Vector Allows to Recover Passwords
for Web Connections Without Knowing the Master Password
The same initialization vector for the encryption process was used for all
encryption, leaving the password potentially vulnerable to recovery if
an attacker gained access to the user's config data.
Fixed in 7.2.7 and 7.3.3
https://www.libreoffice.org/about-us/security/advisories/cve-2022-26306
and
CVE-2022-26307 Weak Master Keys
A flaw in LibreOffice existed where the master key was poorly encoded,
resulting in weakening its entropy from 128 to 43 bits, making the
stored passwords vulnerable to a brute force attack if an attacker has
access to the user's stored config.
Fixed in 7.2.7 and 7.3.3
https://www.libreoffice.org/about-us/security/advisories/cve-2022-26307
For CVE-2022-26306 and CVE-2022-26307 newly saved password information
is saved using a more secure mechanism. In order to deal with old
preexisting vulnerable data, if the old format is detected in the
user's config during application startup, then an infobar prompts the
user to re-enter their password in order to trigger replacing that old
data with the new format.
--
To unsubscribe e-mail to: discuss+unsubscribe@documentfoundation.org
Problems? https://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: https://wiki.documentfoundation.org/Netiquette
List archive: https://listarchives.documentfoundation.org/www/discuss/
Privacy Policy: https://www.documentfoundation.org/privacy
--
Shinji Enoki
shinji.enoki@gmail.com
--
Unsubscribe instructions: E-mail to discuss+unsubscribe@ja.libreoffice.org
Posting guidelines + more: https://wiki.documentfoundation.org/Netiquette
List archive: https://listarchives.libreoffice.org/ja/discuss/
Privacy Policy: https://www.documentfoundation.org/privacy
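The following is an added illustration of the CVE-2022-26306 failure mode described in the forwarded mail; it is not LibreOffice's code and does not reproduce its actual cipher. The hash-based keystream, the all-zero `STATIC_IV`, the sample passwords and the function names are all constructed stand-ins; the point is only that a keystream derived from (key, IV) repeats whenever the IV repeats, so one known stored secret exposes the others without the master key, whereas a fresh IV per entry does not.

```python
import hashlib
import os

# Constructed stand-in for a stream/CFB-style cipher: the keystream depends
# only on (master_key, iv), so two entries encrypted under the same IV share it.
def keystream(master_key: bytes, iv: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(master_key + iv + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])

def encrypt(master_key: bytes, iv: bytes, data: bytes) -> bytes:
    # XOR with the keystream; the same call also decrypts.
    return bytes(p ^ k for p, k in zip(data, keystream(master_key, iv, len(data))))

STATIC_IV = b"\x00" * 16  # weak setting: one fixed IV for every stored password

def store_with_static_iv(master_key: bytes, passwords: list[bytes]) -> list[tuple[bytes, bytes]]:
    return [(STATIC_IV, encrypt(master_key, STATIC_IV, pw)) for pw in passwords]

def store_with_random_iv(master_key: bytes, passwords: list[bytes]) -> list[tuple[bytes, bytes]]:
    # corrected setting: a fresh random IV per entry, stored alongside the ciphertext
    entries = []
    for pw in passwords:
        iv = os.urandom(16)
        entries.append((iv, encrypt(master_key, iv, pw)))
    return entries

def exposure_from_iv_reuse(entries, known_index: int, known_plaintext: bytes):
    """Audit helper: given ONE entry whose plaintext is known (e.g. the user's
    own throwaway account), report what each other entry leaks WITHOUT the
    master key. An entry leaks only if it shares the known entry's IV; the
    leaked prefix is limited by the length of the known plaintext."""
    known_iv, known_ct = entries[known_index]
    ks = bytes(c ^ p for c, p in zip(known_ct, known_plaintext))  # recovered keystream prefix
    exposed = []
    for i, (iv, ct) in enumerate(entries):
        if i == known_index or iv != known_iv:
            exposed.append(None)  # distinct IV: nothing learned from this entry
        else:
            n = min(len(ct), len(ks))
            exposed.append(bytes(c ^ k for c, k in zip(ct[:n], ks[:n])))
    return exposed
```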