incubator-ooo-dev mailing list archives

From Dave Fisher <dave2w...@comcast.net>
Subject Re: Vulnerability fixed in LibreOffice
Date Wed, 05 Oct 2011 21:00:28 GMT

On Oct 5, 2011, at 1:21 PM, Dennis E. Hamilton wrote:

> [bcc: ooo-security@i.a.o, tdf-security@l.df.o]
> 
> That information concerning an ApacheOOo representative on 
> securityteam@openoffice.org is apparently inaccurate.  Or 
> else there is a breakdown in the vulnerability being 
> communicated to ApacheOOo.

Rather unfortunate as that seemed to be one area of co-operation.

IMHO - It would make sense for someone to either immediately shut down securityteam@openoffice.org
or make it forward to ooo-security@i.a.o.

If INFRA-3898 were completed we might have a chance until then ...

Regards,
Dave


> 
> However, since the patch has been made, the CVE and supporting
> details should now be available somewhere public.  Also, the
> report refers to "some additional security patches and fixes"
> without mention of any CVEs.  It would be good to know what 
> that is about.
> 
> The LibreOffice 3.4.3 Release Notes provide no clue:
> <http://wiki.documentfoundation.org/Releases/3.4.3_info_about_fixes>.
> 
> I did find two CVEs here:
> <http://www.libreoffice.org/advisories/>
> 
> The CVE list has not been updated yet:
> <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2713>
> 
> I trust this is the last time that either of our projects learn about 
> something like this in a press release.
> 
> 
> - Dennis
> 
> -----Original Message-----
> From: Simon Phipps [mailto:simon@webmink.com] 
> Sent: Wednesday, October 05, 2011 12:49
> To: ooo-dev@incubator.apache.org
> Subject: Re: Vulnerability fixed in LibreOffice
> 
> I've investigated and I am informed by one of the LO developers:
>> The initial report was sent to securityteam@openoffice.org on
>> 25-07-2011, the assigned CVE id was cc'ed there somewhat later on. I
>> posted the 5 patches which in combination would fix it to the list as
>> well. I was informed an ApacheOOo representative had joined the list.
> 
> 
> On 5 Oct 2011, at 20:40, Dennis E. Hamilton wrote:
> 
>> [bcc to ooo-security@i.a.o]
>> 
>> It is difficult to tell from a press release what the details of security fixes are.
>> 
>> -----Original Message-----
>> From: FR web forum [mailto:oooforum@free.fr] 
>> Sent: Wednesday, October 05, 2011 10:15
>> 
>> Good morning,
>> 
>> TDF has published a fix for LibO: http://wp.me/p1byPE-bQ
>> 
>> Do you know if OOo is impacted too?
>> 
>> Thank you
>> 
> 

