incubator-ooo-dev mailing list archives

From "Dennis E. Hamilton" <dennis.hamil...@acm.org>
Subject RE: Vulnerability fixed in LibreOffice
Date Mon, 10 Oct 2011 23:20:30 GMT

Michael,

When will the real CVE-2011-2713, 
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2713>,
stand up and provide whatever clarity there is to be had about the
specific nature of the defect and the kind of exploit it was
vulnerable to until fixed in LO 3.4.3?

Until it is possible to comprehend CVE-2011-2713, it is difficult
to square the higher-level report that credits the original 
reporter while that reporter has a different appraisal
at <https://bugzilla.redhat.com/show_bug.cgi?id=725668>.

It would be helpful all around were that cleared up enough so that
users of earlier versions can make a responsible assessment and
determine whether they have an at-risk circumstance or not.

Absent that, the best advice that can be offered from Apache AOOo
is what I provided to the question that brought the TDF announcement
to our attention,
<http://mail-archives.apache.org/mod_mbox/incubator-ooo-dev/201110.mbox/%3c023001cc8480$77253830$656fa890$@apache.org%3e>.

How can you help us to get this flat and proceed on a fact-based 
course of action and clear-cut, verifiable information that users 
can rely on with regard to their exposure related to the CVE?

 - Dennis

-----Original Message-----
From: Michael Meeks [mailto:michael.meeks@suse.com] 
Sent: Monday, October 10, 2011 13:41
To: ooo-dev@incubator.apache.org
Subject: Re: Vulnerability fixed in LibreOffice

[ ... ]

	Potentially you confuse the issue that was found with the rather
broader scope of the fix that was applied for it.

[ ... ]

