This weekend, The Document Foundation released LibreOffice 6.2.6. The most up-to-date version of the suite at the moment is v6.3, but the company usually makes at least two versions available to us: the newest one, which includes the latest features, and the previous one, which has received several maintenance updates and is more stable. Version 6.2.6 is now the one recommended for production environments, especially considering that it fixes some important security flaws.
In fact, the "new" version fixes several security flaws, but three of them are more important than the rest, so much so that Canonical has published them on its official security notices page. According to the company run by Mark Shuttleworth, the bugs affect Ubuntu 19.04, Ubuntu 18.04 and Ubuntu 16.04, in other words, all versions still within their standard support life cycle.
LibreOffice 6.2.6 is already the recommended version for production environments
In the details of the Canonical post we read that "Various security flaws" have been fixed in LibreOffice. More specifically, three security flaws that share practically the same description:
- CVE-2019-9850 and CVE-2019-9851: LibreOffice was found to mishandle LibreLogo scripts. If a user were tricked into opening a specially crafted document, a remote attacker could cause LibreOffice to execute arbitrary code.
- CVE-2019-9852: LibreOffice was found to mishandle scripts in document files. If a user were tricked into opening a specially crafted document, a remote attacker could possibly execute arbitrary code.
The patched package versions are libreoffice-core 1:6.2.6-0ubuntu0.19.04.1 on Ubuntu 19.04, libreoffice-core 1:6.0.7-0ubuntu0.18.04.9 on Ubuntu 18.04 and libreoffice-core 1:5.1.6~rc2-0ubuntu1~xenial9 on Ubuntu 16.04. The updates are already available in the official repositories.
In the LibreOffice 6.2.6 release notes, The Document Foundation told us that it was "the sixth minor release in the LibreOffice 6.2 family, aimed at users in production environments. All LibreOffice 6.1.x and 6.2.x users should update immediately to improve security, since the software includes both security patches and some fixes from the last months". Now, after Canonical's publication, we know why they emphasized that we should update immediately for our security.