Hi -

We are working on releasing 4.1.10 soon due to this security report [1] which 
was announced today.

I’d like to credit Arrigo Marchiori and Carl Marcum for development. Ariel 
Constenla-Haile and Peter Kovacs for our indispensable OpenGrok setup. Matthias 
Seidel, Marcus Lange, Jim Jagielski, and Don Lewis for builds and testing.

All The Best,
Dave

[1] https://positive.security/blog/url-open-rce

> On Apr 15, 2021, at 12:18 PM, Dave Fisher <w...@apache.org> wrote:
> 
> Severity: moderate
> 
> Description:
> 
> The project received a report that all versions of Apache OpenOffice through 
> 4.1.8 can open non-http(s) hyperlinks. The problem has existed since about 
> 2006 and the issue is also in 4.1.9. If the link is specifically crafted this 
> could lead to untrusted code execution. It is always best practice to be 
> careful opening documents from unknown and unverified sources. The mitigation 
> in Apache OpenOffice 4.1.10 (unreleased) assures that a security warning is 
> displayed giving the user the option of continuing to open the hyperlink.
> 
> Credit:
> 
> Fabian Bräunlein and Lukas Euler of Positive Security
> 
> 
