[$] The odd saga of CVE-2012-5639

Post Syndicated from jake original https://lwn.net/Articles/957219/

A new release for any project with a fix for a 12-year-old CVE is going to stand out pretty obviously; a recent release has a fix of that nature, but the trail of CVE-2012-5639 is rather elusive. The Apache OpenOffice project made its 4.1.15 release with fixes for four CVEs, including one for CVE-2012-5639 (“Loading internal / external resources without warning”), on December 22. But nearly everything about that CVE seems rather murky, and it is difficult to get a clear picture of what, exactly, was done in OpenOffice to address the problem.