Summary: | <app-office/libreoffice-4.2.3: OpenSSL 'Heartbleed' vulnerability (CVE-2014-0160) | |
---|---|---|---
Product: | Gentoo Security | Reporter: | Frank Krömmelbein <kroemmelbein>
Component: | Vulnerabilities | Assignee: | Gentoo Security <security>
Status: | RESOLVED INVALID | |
Severity: | normal | CC: | office, pacho, scarabeus
Priority: | Normal | |
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Package list: | | Runtime testing required: | ---
Description
Frank Krömmelbein
2014-03-18 07:13:33 UTC
LibreOffice 4.2.3

This is the fourth release from the 4.2 branch of LibreOffice which contains new features and program enhancements. It is the first bugfix release, and remains targeted for early adopters and private power users--for conservative requirements, we refer you to LibreOffice 4.1.5 from the previous series.

Here's a blog post about 4.2.3 release: http://blog.documentfoundation.org/2014/04/10/libreoffice-4-2-3-is-now-available-for-download/

Please note that this release "adds a security fix for the Heartbleed Bug (CVE-2014-0160)".

As much as I'm tempted to use this bug for a nice fast stabilization, what was done (according to #libreoffice-dev irc response) was updating the bundled openssl version. http://cgit.freedesktop.org/libreoffice/core/commit/?h=libreoffice-4-2-3&id=32680faf1f0f5bbc1f1235ba724a8cd6230c3d15

Since we build with --with_system_libs we don't use that version but link to system openssl instead. [Scarabeus should better confirm that before we do any action based on this bug, he knows the LO build system way better than I do.] I'll do the bump anyway, but I doubt we have a security issue.

Not affected by the CVE. Also I bumped it on Saturday iirc -> closing as fixed.

Since it links to system library, the bug is invalid