- libreoffice (1:6.1.5-3+rpi1+deb10u10) buster-staging; urgency=medium
++libreoffice (1:6.1.5-3+rpi1+deb10u11) buster-staging; urgency=medium
+
+ [changes introduced in 1:5.4.0-1+rpi1 by Peter Michael Green]
+ * Disable pdfium, it fails to build for armv6
+
+ [changes brought forward from 1:6.0.2-1+rpi2 by Peter Michael Green <plugwash@raspbian.org> at Fri, 27 Apr 2018 02:14:18 +0000]
+ * Disable testsuite.
+
- -- Raspbian forward porter <root@raspbian.org> Fri, 15 Sep 2023 01:32:05 +0000
++ -- Raspbian forward porter <root@raspbian.org> Fri, 05 Jan 2024 00:30:20 +0000
++
+ libreoffice (1:6.1.5-3+deb10u11) buster-security; urgency=high
+
+ * Team upload by LTS security team.
+ * Fix CVE-2023-6185: An Improper Input Validation vulnerability
+ was found in GStreamer integration of The Document
+ Foundation LibreOffice allows an attacker to execute arbitrary
+ GStreamer plugins. In affected versions the filename of the
+ embedded video is not sufficiently escaped when passed to
+ GStreamer enabling an attacker to run arbitrary
+ gstreamer plugins depending on what plugins are installed
+ on the target system.
+ * Fix CVE-2023-6186: LibreOffice supports hyperlinks.
+ In addition to the typical common protocols such as
+ http/https hyperlinks can also have target URLs that
+ can launch built-in macros or dispatch built-in
+ internal commands. In affected version of LibreOffice
+ there are scenarios where these can be executed without warning
+ if the user activates such hyperlinks. In later versions
+ the users's explicit macro execution permissions
+ for the document are now consulted if these non-typical
+ hyperlinks can be executed. The possibility to use these
+ variants of hyperlink targets for floating frames has been removed.
+ * Fix CVE-2020-12802: LibreOffice has a 'stealth mode' in which only
+ documents from locations deemed 'trusted' are allowed to
+ retrieve remote resources. This mode is not the default mode,
+ but can be enabled by users who want to disable LibreOffice's ability
+ to include remote resources within a document. A flaw existed
+ where remote graphic links loaded from docx documents were omitted
+ from this protection.
+ * Fix CVE-2020-12801: If LibreOffice has an encrypted document
+ open and crashes, that document is auto-saved encrypted.
+ On restart, LibreOffice offers to restore the document
+ and prompts for the password to decrypt it. If the recovery
+ is successful, and if the file format of the recovered document
+ was not LibreOffice's default ODF file format, then affected versions
+ of LibreOffice default that subsequent saves of the document
+ are unencrypted. This may lead to a user accidentally saving
+ a MSOffice file format document unencrypted while believing
+ it to be encrypted.
+ * Fix CVE-2020-12803: ODF documents can contain forms to be
+ filled out by the user. Similar to HTML forms, the contained
+ form data can be submitted to a URI, for example, to an external
+ web server. To create submittable forms, ODF implements the
+ XForms W3C standard, which allows data to be submitted without
+ the need for macros or other active scripting. LibreOffice allowed
+ forms to be submitted to any URI, including file: URIs, enabling
+ form submissions to overwrite local files. User-interaction
+ is required to submit the form, but to avoid the possibility
+ of malicious documents engineered to maximize the possibility of
+ inadvertent user submission this feature has now been limited to
+ http[s] URIs, removing the possibility to overwrite local files.
+
+ -- Bastien Roucariès <rouca@debian.org> Fri, 29 Dec 2023 09:39:36 +0000
libreoffice (1:6.1.5-3+deb10u10) buster-security; urgency=medium
projects / libreoffice.git / commitdiff