The Document Foundation announced today the release and general availability of the LibreOffice 7.2.4 and LibreOffice 7.1.8 updates that address an important security vulnerability.
Released a month earlier than expected, LibreOffice 7.2.4 is now available for download along with LibreOffice 7.1.8, an unplanned release in the LibreOffice 7.1 series of the popular, free and open-source office suite, which reached end of life on November 30th, 2021.
Both releases include a fix for a buffer heap overflow vulnerability, namely CVE-2021-43527, which is a remote code execution flaw discovered in the way Mozilla’s NSS (Network Security Services) component verifies certificates.
The issue affects email clients and PDF viewers that use NSS for verifying signatures encoded within CMS, S/MIME, PKCS #7, or PKCS #12, such as LibreOffice, Evolution, Evince, and Mozilla Thunderbird, and it could allow an attacker posing as an SSL/TLS server to send a malicious certificate to obtain sensitive information.
“All LibreOffice users are recommended to update their installation. Both new version include the fixed NSS 3.73.0 cryptographic library, to solve CVE-2021-43527,” reads the release announcement.
Users of the LibreOffice 7.2 and 7.1 office suite series, as well as users of the Mozilla Thunderbird, Evolution, and Evince apps, and other apps that use the NSS component are urged to update their installations as soon as possible to the latest versions of these software.
You can download LibreOffice 7.2.4 and 7.1.8 right now from the official website as DEB or RPM binaries for Debian/Ubuntu-based or Red Hat-based distributions.
If you have LibreOffice installed from the software repositories of your GNU/Linux distribution, it is highly recommended that you update your installations from there rather than installing the binaries provided by The Document Foundation.
The NSS component could be used by other applications, so make sure that you keep your installations up to date at all times to avoid security threats or system instability.
Last updated 8 hours ago