From nobody Wed Mar 08 01:21:07 2023
X-Original-To: dev-commits-ports-all@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4PWZJh2w9Sz3wv0f;
	Wed,  8 Mar 2023 01:21:08 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4PWZJg65KKz4TBY;
	Wed,  8 Mar 2023 01:21:07 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1678238467;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=Rnpop1sNm9me4h1YQbX77ykSCEVcg/nkSE9/UJW5Grc=;
	b=Hvfw/v5haZRhgwnjisalmyzBfxxv31Qiz2mXr5vvrZ3CXmFUHY8/o2JaP8XzPC2zt+78Yg
	L1YbG1m47bI+kjCR/Dm+EFIT+Y2wQjrpmfNYZKS10bxaLv3qCMzJEko5Brn6fecdoGuDC3
	hZYzyYjavDEv1awz+vYSbgxJwVYqbIiPqg8HrXaEPgpKOpFxv77Cz5VSBx2xOWgdgj+hUg
	MdOvbBUE3/P/it3h2Iu2Q+52KKCqc97vNVVfI+kkG6HrAlVpPntgYyYaqaKong8rmRxXgO
	Muzn+xXJiP+oJHzWD0Bfo1zXHcbWtVwHGgUXOziOw7/5EK4VON08E17Ycpk8ZA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1678238467;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=Rnpop1sNm9me4h1YQbX77ykSCEVcg/nkSE9/UJW5Grc=;
	b=e8LW9+k7zIS22/lnjDaOas9VZnvI7QpKR2ivmkJrpTKGJkmbJAo7hya+yYEimB8A2Yo9Yn
	OslHkeds5UU4otpL8rVI1OO3npsQ/vAQTVm96Qqu9aL3Gz3jkKGhIRJPtshqgECAEhsNRy
	XFOcajGWygtvwjJQvU75UpyrkwFx6AJP/tqra1uoy76nZgKGEpUqjSkpmTleDnI6xkX5Yp
	xw8Ex2ZbRKC2tFleovAStLOmX+wcDG+RWzktrnpL5Am42/Patxhq6nju2Y/KqBoHHIclGd
	oAEVjR0035XkIVK3qdpxOdo/JGHmL6FsurScS2YFmN/9lSWI9XJXwRxDJDbiaQ==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1678238467; a=rsa-sha256; cv=none;
	b=RFElFppmAkwFemjktFrq/KPhpRNZd9P+ZAzLCjsawM1zdQA/yN/SrZYPEJgcbU+NVe7bKM
	dU9bC9Yx87RrT97LaQyvlzF6sOt8XF/bbR/ZeZYueH0cYuZV5W1z4L59+fhIbGpfwr99Ho
	DCcGO2GOs2XavC2517ku2UhqZPQ3xB8u+cOT5ie1Ln9POwJWGj1kgxL3w0de9fPTSkD8z+
	KLF53cCIe45JkjuLCY3h/4bfLBZYtYNj+ddy+cMOeIiDGP5RUedf3W8Qvn+xSgiq/2E1We
	t3abpSTXSfdBhpr79O2MzAzoM3JjSKAW8uePlbSmasxWr1ViJDdk05AtGuefdw==
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4PWZJg58t0z15bx;
	Wed,  8 Mar 2023 01:21:07 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
	by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 3281L7Sp056770;
	Wed, 8 Mar 2023 01:21:07 GMT
	(envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
	by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 3281L7Yd056769;
	Wed, 8 Mar 2023 01:21:07 GMT
	(envelope-from git)
Date: Wed, 8 Mar 2023 01:21:07 GMT
Message-Id: <202303080121.3281L7Yd056769@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org,
        dev-commits-ports-main@FreeBSD.org
From: Don Lewis <truckman@FreeBSD.org>
Subject: git: 4cc9e62c14ec - main - security/vuxml: openoffice 2022 vulnerabilities
List-Id: Commit messages for all branches of the ports repository <dev-commits-ports-all.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all
List-Help: <mailto:dev-commits-ports-all+help@freebsd.org>
List-Post: <mailto:dev-commits-ports-all@freebsd.org>
List-Subscribe: <mailto:dev-commits-ports-all+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-ports-all+unsubscribe@freebsd.org>
Sender: owner-dev-commits-ports-all@freebsd.org
X-BeenThere: dev-commits-ports-all@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: truckman
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 4cc9e62c14ec4daaebce7350a190a26c4c387f3f
Auto-Submitted: auto-generated
X-ThisMailContainsUnwantedMimeParts: N

The branch main has been updated by truckman:

URL: https://cgit.FreeBSD.org/ports/commit/?id=4cc9e62c14ec4daaebce7350a190a26c4c387f3f

commit 4cc9e62c14ec4daaebce7350a190a26c4c387f3f
Author:     Don Lewis <truckman@FreeBSD.org>
AuthorDate: 2023-03-08 01:17:01 +0000
Commit:     Don Lewis <truckman@FreeBSD.org>
CommitDate: 2023-03-08 01:17:01 +0000

    security/vuxml: openoffice 2022 vulnerabilities
    
    Belatedly document Apache OpenOffice vulnerabilities from 2022.  The
    port was broken at the time.
---
 security/vuxml/vuln/2023.xml | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/security/vuxml/vuln/2023.xml b/security/vuxml/vuln/2023.xml
index 2b17919a9eac..62b2600e5c4f 100644
--- a/security/vuxml/vuln/2023.xml
+++ b/security/vuxml/vuln/2023.xml
@@ -1,3 +1,37 @@
+  <vuln vid="6678211c-bd47-11ed-beb0-1c1b0d9ea7e6">
+    <topic>Apache OpenOffice -- master password vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>apache-openoffice</name>
+	<range><lt>4.1.13</lt></range>
+      </package>
+      <package>
+	<name>apache-openoffice-devel</name>
+	<range><lt>4.2.1678061694i,4</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>The Apache Openoffice project reports:</p>
+	<blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-37400">
+	  <p>Apache OpenOffice supports the storage of passwords for web connections in the user's configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in OpenOffice existed where the required initialization vector for encryption was always the same which weakens the security of the encryption making them vulnerable if an attacker has access to the user's configuration data. This issue affects: Apache OpenOffice versions prior to 4.1.13. Reference: CVE-2022-26306 - LibreOffice</p>
+	</blockquote>
+	<blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-37401">
+	  <p>Apache OpenOffice supports the storage of passwords for web connections in the user's configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in OpenOffice existed where master key was poorly encoded resulting in weakening its entropy from 128 to 43 bits making the stored passwords vulnerable to a brute force attack if an attacker has access to the users stored config. This issue affects: Apache OpenOffice versions prior to 4.1.13. Reference: CVE-2022-26307 - LibreOffice</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2022-37400</cvename>
+      <cvename>CVE-2022-37401</cvename>
+      <url>https://cwiki.apache.org/confluence/display/OOOUSERS/AOO+4.1.13+Release+Notes</url>
+    </references>
+    <dates>
+      <discovery>2022-02-25</discovery>
+      <entry>2023-03-08</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="f0798a6a-bbdb-11ed-ba99-080027f5fec9">
     <topic>rack -- possible DoS vulnerability in multipart MIME parsing</topic>
     <affects>