<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Sorry, I should also note that we have a security advisories page:<div class=""><br class=""></div><div class=""><a href="https://www.libreoffice.org/about-us/security/advisories/" class="">https://www.libreoffice.org/about-us/security/advisories/</a></div><div class=""><br class=""></div><div class="">This one is fixed in LibreOffice 5.4.5/6.0.1</div><div class=""><br class=""></div><div class="">Chris<br class=""><div><br class=""><blockquote type="cite" class=""><div class="">On 11 Feb 2018, at 6:22 pm, Chris Sherlock <<a href="mailto:chris.sherlock79@gmail.com" class="">chris.sherlock79@gmail.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><meta http-equiv="Content-Type" content="text/html; charset=utf-8" class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Fixed in commit:<div class=""><br class=""></div><div class=""><a href="https://cgit.freedesktop.org/libreoffice/core/commit/?id=34bbe8f858fd992c784586b839c0f1dc8a218b4a" class="">https://cgit.freedesktop.org/libreoffice/core/commit/?id=34bbe8f858fd992c784586b839c0f1dc8a218b4a</a></div><div class=""><br class=""></div><div class=""><br class=""><blockquote type="cite" class="">author<span class="Apple-tab-span" style="white-space:pre"> </span>Caolán McNamara <<a href="mailto:caolanm@redhat.com" class="">caolanm@redhat.com</a>><span class="Apple-tab-span" style="white-space:pre">        </span>2018-01-10 14:27:35 +0000<br class="">committer<span class="Apple-tab-span" style="white-space:pre">     </span>Caolán McNamara <<a href="mailto:caolanm@redhat.com" class="">caolanm@redhat.com</a>><span class="Apple-tab-span" style="white-space:pre">        </span>2018-01-11 21:28:06 +0100<br class="">commit<span class="Apple-tab-span" 
style="white-space:pre">        </span>34bbe8f858fd992c784586b839c0f1dc8a218b4a (patch)<br class="">tree<span class="Apple-tab-span" style="white-space:pre">      </span>a66fb5e4361698bf1e3e275427f766e7492310e0<br class="">parent<span class="Apple-tab-span" style="white-space:pre"> </span>dddb683300a0ce0fd713c924ebd9e005df60fea9 (diff)<br class="">limit WEBSERVICE to http[s] protocols<br class=""><div class="">and like excel...</div><div class=""><br class=""></div><div class="">'For protocols that aren’t supported, such as ftp:// or file://, WEBSERVICE</div><div class="">returns the #VALUE! error value.'</div><div class=""><br class=""></div><div class="">Change-Id: I0e9c6fd3426fad56a199eafac48de9b0f23914b3</div><div class="">Reviewed-on: <a href="https://gerrit.libreoffice.org/47709" class="">https://gerrit.libreoffice.org/47709</a></div><div class="">Tested-by: Jenkins <<a href="mailto:ci@libreoffice.org" class="">ci@libreoffice.org</a>></div><div class="">Reviewed-by: Caolán McNamara <<a href="mailto:caolanm@redhat.com" class="">caolanm@redhat.com</a>></div><div class="">Tested-by: Caolán McNamara <<a href="mailto:caolanm@redhat.com" class="">caolanm@redhat.com</a>></div></blockquote><div class=""><br class=""></div>Chris<br class=""><div class=""><br class=""><blockquote type="cite" class=""><div class="">On 10 Feb 2018, at 10:07 pm, Paul Menzel <<a href="mailto:pmenzel+libreoffice@molgen.mpg.de" class="">pmenzel+libreoffice@molgen.mpg.de</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div class="">Dear LibreOffice folks,<br class=""><br class=""><br class="">So according to CVE-2018-6871, “LibreOffice through 6.0.1 allows remote<br class="">attackers to read arbitrary files via =WEBSERVICE calls in a document,<br class="">which use the COM.MICROSOFT.WEBSERVICE function.”.<br class=""><br class="">Maybe it’s my English, but “through 6.0.1” sounds to me like that<br class="">version is affected. 
The vulnerability description page [2] says that LibreOffice 6.0.1 is not affected.<br class=""><br class=""><blockquote type="cite" class="">100% success rate, absolutely silent, affects LibreOffice prior to<br class="">5.4.5/6.0.1 in all operating systems (GNU/Linux, MS Windows, macOS<br class="">etc.) and may be embedded in almost all formats supported by LO.<br class=""></blockquote><br class="">I was searching the bug tracker [3] for *CVE-2018-6871* and got no result, and the git commit log also doesn’t mention it. Neither do the release notes [4][5].<br class=""><br class="">So, how can I find out in what version that vulnerability was fixed?<br class=""><br class=""><br class="">Kind regards,<br class=""><br class="">Paul<br class=""><br class=""><br class="">[1] <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6871" class="">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6871</a><br class="">[2] <a href="https://github.com/jollheef/libreoffice-remote-arbitrary-file-disclosure" class="">https://github.com/jollheef/libreoffice-remote-arbitrary-file-disclosure</a><br class="">[3] <a href="https://bugs.documentfoundation.org/" class="">https://bugs.documentfoundation.org/</a><br class="">[4] <a href="https://blog.documentfoundation.org/blog/2018/02/09/early-availability-libreoffice-5-4-5-libreoffice-6-0-1/" class="">https://blog.documentfoundation.org/blog/2018/02/09/early-availability-libreoffice-5-4-5-libreoffice-6-0-1/</a><br class="">[5] <a href="https://wiki.documentfoundation.org/Releases/6.0.1/RC1" class="">https://wiki.documentfoundation.org/Releases/6.0.1/RC1</a><br class="">_______________________________________________<br class="">LibreOffice mailing list<br class=""><a href="mailto:LibreOffice@lists.freedesktop.org" class="">LibreOffice@lists.freedesktop.org</a><br class=""><a href="https://lists.freedesktop.org/mailman/listinfo/libreoffice" class="">https://lists.freedesktop.org/mailman/listinfo/libreoffice</a><br 
class=""></div></div></blockquote></div><br class=""></div></div></div></blockquote></div><br class=""></div></body></html>