-
libreoffice (1:5.1.6~rc2-0ubuntu1~xenial10) xenial-security; urgency=medium
* SECURITY UPDATE: Unsafe URL assembly flaw in allowed script location check
- debian/patches/CVE-2019-9854.diff: assemble the parsed url describing a
script's location from the output of the preceding verification step.
- CVE-2019-9854
-- Marcus Tomlinson <email address hidden> Sat, 21 Sep 2019 13:44:15 +0200
-
libreoffice (1:5.1.6~rc2-0ubuntu1~xenial9) xenial-security; urgency=medium
* SECURITY UPDATE: Insufficient URL validation allowing LibreLogo script execution
- debian/patches/CVE-2019-9850_1_2.diff: decode escape codes and ban scripts
with "LibreLogo" anywhere in its path.
- CVE-2019-9850
* SECURITY UPDATE: LibreLogo global-event script execution
- debian/patches/CVE-2019-9850_1_2.diff: catch more LibreLogo script executions
by expanding check to global events.
- CVE-2019-9851
* SECURITY UPDATE: Insufficient URL encoding flaw in allowed script location check
- debian/patches/CVE-2019-9850_1_2.diff: ensure that all URLs leaving
scriptURI2StorageUri() are percent-encoded.
- CVE-2019-9852
-- Marcus Tomlinson <email address hidden> Wed, 14 Aug 2019 15:16:33 +0100
-
libreoffice (1:5.1.6~rc2-0ubuntu1~xenial8) xenial-security; urgency=medium
* SECURITY UPDATE: LibreLogo arbitrary script execution
- debian/patches/CVE-2019-9848.diff: don't allow LibreLogo to be used with
mouseover/etc dom-alike events.
- CVE-2019-9848
* SECURITY UPDATE: Remote bullet graphics retrieved in 'stealth mode'
- debian/patches/CVE-2019-9849.diff: include bullet graphics in 'stealth
mode' protection.
- CVE-2019-9849
-- Marcus Tomlinson <email address hidden> Tue, 16 Jul 2019 17:28:21 +0100
-
libreoffice (1:5.1.6~rc2-0ubuntu1~xenial7) xenial; urgency=medium
[ Ikuya Awashiro ]
* debian/patches/new-japanese-era-name.patch (LP: #1827451):
Add new Japanse era name "Reiwa" support which taken from upstream:
https://cgit.freedesktop.org/libreoffice/core/commit/?id=cacbb0faef77ae8462de9ff5c7307a6a2e28b2bb
https://cgit.freedesktop.org/libreoffice/core/commit/?id=597c5d75b8e72d429e096535334eaac7973455ef
[ Olivier Tilloy ]
* debian/patches/java.vendor-Ubuntu.patch: update to also recognize
"Private Build" as java.vendor (for custom PPA builds) (LP: #1822839)
* debian/patches/java.vendor-Ubuntu.patch: also make jvmfwk recognize
"Ubuntu" as java.vendor (LP: #1822839)
[ Rene Engelhard ]
* debian/patches/java.vendor-Debian.diff: make jvmfwk recognize "Debian"
as java.vendor as that's what is set in openjdk 11 >= 11.0.3+4-2
- see #926009 (closes: #926318) (LP: #1822839)
-- Marcus Tomlinson <email address hidden> Fri, 03 May 2019 15:40:44 +0100
-
libreoffice (1:5.1.6~rc2-0ubuntu1~xenial6) xenial-security; urgency=medium
* SECURITY UPDATE: incorrect integer data type in StgSmallStrm class
- debian/patches/CVE-2018-10119.patch: use short->sal_Int32 like in
StgDataStrm in sot/source/sdstor/stgstrms.cxx.
- CVE-2018-10119
* SECURITY UPDATE: heap-based buffer overflow in SwCTBWrapper::Read
- debian/patches/CVE-2018-10120.patch: check index before use in
sw/source/filter/ww8/ww8toolbar.cxx.
- CVE-2018-10120
* SECURITY UPDATE: information disclosure vulnerability via SMB link
- debian/patches/CVE-2018-10583.patch: set Referer on link
mediadescriptor in sw/source/filter/xml/xmltexti.cxx.
- CVE-2018-10583
* SECURITY UPDATE: Directory traversal flaw in script execution
- debian/patches/CVE-2018-16858.patch: keep pyuno script processing
below base uri in scripting/source/pyprov/pythonscript.py.
- CVE-2018-16858
-- Marc Deslauriers <email address hidden> Mon, 28 Jan 2019 11:59:02 -0500
-
libreoffice (1:5.1.6~rc2-0ubuntu1~xenial4) xenial; urgency=medium
* debian/libreoffice-mysql-connector.triggers.in,
debian/libreoffice-wiki-publisher.triggers.in:
- removed, file path triggers do not need to be activated explicitly
* debian/libreoffice-common.triggers.in: switch to -noawait trigger
(LP: #1780996)
-- Olivier Tilloy <email address hidden> Fri, 03 Aug 2018 13:00:22 +0200
-
libreoffice (1:5.1.6~rc2-0ubuntu1~xenial3) xenial-security; urgency=medium
[ Marc Deslauriers ]
* SECURITY UPDATE: remote arbitrary file disclosure vulnerability using
WEBSERVICE
- debian/patches/CVE-2018-6871-1.patch: limit WEBSERVICE to http[s]
protocols.
- debian/patches/CVE-2018-6871-2.patch: better handle ScDde formulas
with missing dde-link entries.
- debian/patches/CVE-2018-6871-3.patch: handle ocWebservice similarly
to ocDde.
- debian/patches/CVE-2018-6871-4.patch: CheckLinkFormulaNeedingCheck()
for .xls and .xlsx formula cells.
- debian/patches/CVE-2018-6871-5.patch: CheckLinkFormulaNeedingCheck()
for conditional format expressions
- debian/patches/CVE-2018-6871-6.patch: CheckLinkFormulaNeedingCheck()
for named expressions
- debian/patches/CVE-2018-6871-7.patch: fix for DDE link update via
Function Wizard
- CVE-2018-6871
* SECURITY UPDATE: use-after-free in SwRootFrame
- debian/patches/layout-footnote-use-after-free.diff: fix layout
footnote use-after-free in SwRootFrame.
- No CVE number.
-- Olivier Tilloy <email address hidden> Sat, 17 Feb 2018 22:55:08 +0100
-
libreoffice (1:5.1.6~rc2-0ubuntu1~xenial2) xenial-security; urgency=medium
* SECURITY UPDATE: out-of-bounds write in ReadEnhWMF function
- debian/patches/CVE-2016-10327.patch: add check to
vcl/source/filter/wmf/enhwmf.cxx.
- CVE-2016-10327
* SECURITY UPDATE: out-of-bounds write in tools::Polygon::Insert function
- debian/patches/CVE-2017-7870.patch: check if ImplSplit succeeded in
tools/inc/poly.h, tools/source/generic/poly.cxx.
- CVE-2017-7870
-- Marc Deslauriers <email address hidden> Fri, 28 Apr 2017 09:51:22 -0400
-
libreoffice (1:5.1.6~rc2-0ubuntu1~xenial1) xenial; urgency=medium
* new upstream rc
libreoffice (1:5.1.5~rc2-0ubuntu1~xenial1) xenial; urgency=medium
* new upstream rc
libreoffice (1:5.1.4-0ubuntu1~xenial1) xenial; urgency=medium
* new upstream rc
libreoffice (1:5.1.3-0ubuntu1) xenial; urgency=medium
* new upstream bugfix release
* fix crash with nullptr SdrObjList (LP: #1569500)
* fix crash with ScCsvGrid living beyond VCL shutdown (LP: #1566050)
* fix crash with non-empty BlendFrameCache in late VCL shutdown (LP: #1560328)
-- Bjoern Michaelsen <email address hidden> Wed, 19 Oct 2016 17:16:59 +0200
-
libreoffice (1:5.1.4-0ubuntu1) xenial-security; urgency=medium
* SECURITY UPDATE: Denial of service and possible arbitrary code execution
via a crafted RTF file
- CVE-2016-4324
* new upstream rc
-- Bjoern Michaelsen <email address hidden> Wed, 15 Jun 2016 17:19:25 +0200
-
libreoffice (1:5.1.3-0ubuntu1) xenial; urgency=medium
* new upstream bugfix release
* fix crash with nullptr SdrObjList (LP: #1569500)
* fix crash with ScCsvGrid living beyond VCL shutdown (LP: #1566050)
* fix crash with non-empty BlendFrameCache in late VCL shutdown (LP: #1560328)
-- Bjoern Michaelsen <email address hidden> Thu, 12 May 2016 11:35:38 +0200
-
libreoffice (1:5.1.2-0ubuntu1) xenial; urgency=medium
* new upstream bugfix release
* remove xmloff patch again for better upstream fix
-- Bjoern Michaelsen <email address hidden> Tue, 05 Apr 2016 14:29:17 +0200
-
libreoffice (1:5.1.1-0ubuntu3) xenial; urgency=medium
* Fix build failure in xmloff.
-- Matthias Klose <email address hidden> Thu, 31 Mar 2016 18:33:49 +0200
-
libreoffice (1:5.1.1-0ubuntu2) xenial; urgency=medium
* libreoffice-subsequentcheckbase: Depend on default-jdk.
-- Matthias Klose <email address hidden> Thu, 31 Mar 2016 17:17:30 +0200
-
libreoffice (1:5.1.1-0ubuntu1) xenial; urgency=medium
* upstream released an rc3 = final
* allow libreoffice-style-elementary as alternative for -breeze in libreoffice-gtk (LP: #1483914)
* fix File>Templates>Manage executes wrong action in unity (LP: #1559135)
-- Bjoern Michaelsen <email address hidden> Fri, 18 Mar 2016 15:19:35 +0100
-
libreoffice (1:5.1.1~rc2-0ubuntu1) xenial; urgency=medium
* new upstream rc
* update patches, remove upstreamed ones
* reenable unity-default-breeze, which wasnt reenabled on 5.1 yet (LP: #1506544)
* update Ubuntu palette, add main colors to standard palette (LP: #753627)
-- Bjoern Michaelsen <email address hidden> Mon, 29 Feb 2016 13:54:54 +0100
-
libreoffice (1:5.1.0-0ubuntu1) xenial; urgency=medium
* finalize version, rc3 = 5.1.0
* depend on libreoffice-sdbc-hsqldb from libreoffice-subsequentcheckbase for
autopkgtests
* add libreoffice-style-elementary from upstream (LP: #1483914)
* continue building libreoffice-gtk3, but dont default-deploy (yet)
* use system ucpp instead of bundling (LP: #1524638)
* add google drive bits (LP: #1389936)
* update indic fonts package names (LP: #958345)
-- Bjoern Michaelsen <email address hidden> Sun, 21 Feb 2016 15:23:45 +0100
-
libreoffice (1:5.1.0~rc3-0ubuntu2) xenial; urgency=medium
* update autopkgtest runner patch, removing unhelpful build system deps for
out-of-tree integration testing
-- Bjoern Michaelsen <email address hidden> Wed, 10 Feb 2016 18:30:45 +0100
-
libreoffice (1:5.1.0~rc3-0ubuntu1) xenial; urgency=medium
* bump to rc3
* backport fix for ppc64el ftbfs
libreoffice (1:5.1.0~rc2-0ubuntu2) xenial; urgency=medium
* use system mwaw, libwp*, lpsolve
libreoffice (1:5.1.0~rc2-0ubuntu1) xenial; urgency=medium
* bump to rc2 and enable l10n
libreoffice (1:5.1.0~rc1-1) experimental; urgency=medium
* New upstream release candidate
- doesn't link evoab2 to gtk2 anymore (closes: #807640)
* debian/patches/disable-npapi-plugin-support.diff: as name says,
the only serious usecase is the doomed Flash anyway and it's
causes a link against gtk2 in -core (closes: #807601)
libreoffice (1:5.1.0~beta1-0ubuntu1) xenial; urgency=medium
* new upstream prerelease
libreoffice (1:5.1.0~beta2-1) experimental; urgency=medium
* New upstream beta release
- fixes crash when selecting the border style in some window managers
(closes: #801504)
* debian/patches/disable-flaky-tests.diff:
- disable also libreofficekit_tiledrendering as it SIGSEGVs after OK
(but lloconv works) with merged libs
- remove checkBookmarks disabling, should work now according to
upstream
* debian/patches/poms.diff: add "official" upstream poms
* debian/rules:
- fix up .desktop (closes: #804669), remove (D|d)ev and version from
Icon= and Exec=
- re-enable checks
- add sparc64 to OOO_ARCHS
- re-enable avahi
- install the AppData files now that they are installed upstream and
uptodate (closes: #734524)
* debian/scripts/get_ttf_version.pl, debian/rules: drop fontforge B-D-I;
use pure perl for determining the version; taken from upstreams win
installer
* debian/ure.poms, debian/rules: also install ures unoloader.jar into maven
* debian/libreoffice-officebean.poms, debian/rules: also install
officebean.jar into maven
* debian/*.pom.in, debian/rules: remove own poms and create final poms
with version from upstreams one
libreoffice (1:5.1.0~alpha1-4ubuntu4) xenial; urgency=medium
* add all build deps for report builder
libreoffice (1:5.1.0~alpha1-4ubuntu3) xenial; urgency=medium
* revert move of liblpsolve when --with-system-lpsolve, is already done
upstream
libreoffice (1:5.1.0~alpha1-4) experimental; urgency=medium
* debian/rules:
- work around the experimental buildds' resolver bug installing
experimental packages per default where they shouldn't and add
firebird-dev (>= 3.0) Build-Conflicts:
libreoffice (1:5.1.0~alpha1-3) experimental; urgency=medium
* debian/control{.sdk}.in, debian/rules, debian/libreoffice-dev-doc.links:
- stop moving the SDK docs into libreoffice-devs /usr/share/doc (and move
the stuff installed into /usr/share/doc/libreoffice/sdk in libreoffice-dev
to /usr/share/doc/libreoffice-dev, too) and conflict against
libreoffice-dev / libreoffice-dev-doc (<= 1:5.0.3~rc1-2) where needed
(closes: #803272, #803306)
* debian/control.ure.in:
- also break libreoffice-common in ure in addition to Replaces:
(closes: #801552, #803565) and make it << 1:4.5.0 which was meant...
libreoffice (1:5.1.0~alpha1-2) experimental; urgency=medium
* debian/patches/fix-xmlparse-with-icu55.diff: backport fix from
master fixing l10ntools' XML parsing with ICU 55
* debian/patches/icu-56.diff: prepare for ICU 56; fix FTBFS with new
charmaps; backported from master
* debian/rules:
- recommend -gtk3 again in gnome as (even in Alpha1)
Save As.. works (at least for me...) - closes: #681180
- remove l10ntools build hack again, now obsolete
libreoffice (1:5.1.0~alpha1-1) experimental; urgency=medium
* New upstream alpha release
- uses HttpURLConnection etc. of the JDK instead of commons httpclient
in the Wiki Publisher (closes: #800992)
* debian/patches/series, debian/patches/disable-tiledrendering-test.diff:
remove again, we need the functionality for liblibreofficekitgtk.so
* debian/rules, debian/vars.mips64*:
- add mips64{el,} architecture stuff which is now added upstream
* debian/uno-libs3.symbols: update
* debian/control.lokit.in:
- suggest libgtk-3-dev instead of libgtk2.0-dev
- suggest gir-1.2-lokdocview-0.1
* debian/control*in, debian/rules:
- remove upstream gone kdeab and gnome-vfs, gconf options
* debian/control*.in, debian/rules:
- package the LOKDocView introspection stuff into gir1.2-lokdocview-0.1
- move liblibreofficekitgtk.so into -gtk3 as it's for Gtk3 now
* debian/rules:
- gtk3 is on per default now (closes: #799399). Keep -gnome depending on
-gtk as gtk3 crashes e.g. on "Save as..."
- disable the tests for now
- also disable the wiki publisher on gcj builds; uses Java 6+ stuff; make
-wiki-publisher depend on >= Java 6
* debian/rules: prepare for .ddebs: disable manual -dbg build if building
ddebs; use dh_strip --ddeb-migration to create .ddebs
* debian/libreoffice-core.bug-script.in: dpkg -l -gtk -gtk3 and -kde to list
installed VCLplugs
* merge from Ubuntu:
- add am and gug locales
-- Bjoern Michaelsen <email address hidden> Thu, 04 Feb 2016 14:49:53 +0100
-
libreoffice (1:5.0.2-0ubuntu8) xenial; urgency=medium
* uno-libs: Create the libuno_* symlinks in the multiarch libdir.
-- Matthias Klose <email address hidden> Thu, 04 Feb 2016 21:45:36 +0100
-
libreoffice (1:5.0.2-0ubuntu7) xenial; urgency=high
* Rebuild against libpoppler57/s390x.
-- Dimitri John Ledkov <email address hidden> Wed, 09 Dec 2015 00:33:27 +0000
-
libreoffice (1:5.0.2-0ubuntu6) xenial; urgency=medium
* No-change rebuild for new poppler
-- Iain Lane <email address hidden> Thu, 03 Dec 2015 12:31:03 +0000
-
libreoffice (1:5.0.2-0ubuntu5) xenial; urgency=medium
* No-change rebuild against libglew1.13.
-- Steve Langasek <email address hidden> Thu, 12 Nov 2015 03:21:58 +0000
-
libreoffice (1:5.0.2-0ubuntu4) xenial; urgency=medium
* disable collada, gltf and coinmp on xenial
* switch to breeze theme by default (lp: #1506544)
libreoffice (1:5.0.2-0ubuntu3) wily; urgency=medium
* fall back to SYSTEM_GCC_VERSION, when SYSTEM_GCJ_VERSION is empty
* substitute xfonts-mathml with fonts-stix (lp: #1487148)
* cherry-pick from Debian:
- readd conflicts against openoffice-unbundled to libreoffice-common.
openoffice*-debian-menus contains /usr/bin/soffice
* fix gug language description (thanks Rene)
* add build version for "About LibreOffice"
* create profile defaulting to human style on unity (lp: #1508177)
* reenable Ubuntu palette
* handle integral translations
-- Bjoern Michaelsen <email address hidden> Tue, 27 Oct 2015 01:05:39 +0100
-
libreoffice (1:5.0.2-0ubuntu2) xenial; urgency=medium
* No-change rebuild for python3 defaults change.
-- Matthias Klose <email address hidden> Fri, 23 Oct 2015 15:04:41 +0000
-
libreoffice (1:5.0.2-0ubuntu1) wily; urgency=medium
* new upstream release
* removed upstreamed patches
* cherry-picks from Debian:
- update shlibs.override
- bump gtk+ requirements
- move liblibreofficekitgtk.so to -gtk
-- Bjoern Michaelsen <email address hidden> Thu, 01 Oct 2015 00:49:31 +0200
