A security update for LibreOffice has been released for Debian GNU/Linux 9 and 10 under Extended LTS (Long Term Support). The update is identified as ELA-1460-1 and provides patched LibreOffice packages for each Debian release: 1:6.1.5-3+deb9u7 for Debian 9 (Stretch) and 1:6.1.5-3+deb10u16 for Debian 10 (Buster).
This update addresses multiple vulnerabilities, notably:
1. CVE-2025-1080: This vulnerability relates to LibreOffice's support for Office URI Schemes, which allow integration with Microsoft SharePoint servers. A new scheme, 'vnd.libreoffice.command', was introduced, but it was found that a malicious link could trigger internal macros with arbitrary arguments when accessed through a browser.
2. CVE-2025-2866: This flaw involves improper verification of cryptographic signatures, specifically affecting PDF documents. The vulnerability may allow for PDF signature spoofing, where invalid signatures are incorrectly validated as legitimate due to flaws in the verification process for adbe.pkcs7.sha1 signatures.
Users of Debian 9 and 10 are strongly advised to update their LibreOffice installations to mitigate these security risks. Keeping software updated is crucial for maintaining system security and protecting sensitive data from potential exploits.
Extension:
In light of these vulnerabilities, users should also consider implementing additional security measures, such as regular system audits and monitoring for unusual activity. Organizations utilizing LibreOffice should educate their employees on safe browsing practices and the potential risks associated with clicking on unknown links, particularly those that may use the new URI scheme. Furthermore, staying informed about upcoming security updates and patches can help ensure that systems remain secure against emerging threats. It may also be worthwhile to explore alternative office productivity suites that prioritize security if vulnerabilities in LibreOffice continue to be a concern.
LibreOffice security update for Debian 9 and 10 ELTS
Updated LibreOffice packages are available for both Debian GNU/Linux 9 and 10 Extended LTS:
ELA-1460-1 libreoffice security update
LibreOffice security update for Debian 9 and 10 ELTS @ Linux Compatible