On Oct 5, 2011, at 1:21 PM, Dennis E. Hamilton wrote:
> [bcc: ooo-security@i.a.o, tdf-security@l.df.o]
>
> That information concerning an ApacheOOo representative on
> securityteam@openoffice.org is apparently inaccurate. Or
> else there is a breakdown in the vulnerability being
> communicated to ApacheOOo.
Rather unfortunate as that seemed to be one area of co-operation.
IMHO - It would make sense for someone to either immediately shut down securityteam@openoffice.org
or make it forward to ooo-security@i.a.o.
If INFRA-3898 were completed we might have a chance until then ...
Regards,
Dave
>
> However, since the patch has been made, the CVE and supporting
> details should now be available somewhere public. Also, the
> report refers to "some additional security patches and fixes"
> without mention of any CVEs. It would be good to know what
> that is about.
>
> The LibreOffice 3.4.3 Release Notes provide no clue:
> <http://wiki.documentfoundation.org/Releases/3.4.3_info_about_fixes>.
>
> I did find two CVEs here:
> <http://www.libreoffice.org/advisories/>
>
> The CVE list has not been updated yet:
> <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2713>
>
> I trust this is the last time that either of our projects learns about
> something like this in a press release.
>
>
> - Dennis
>
> -----Original Message-----
> From: Simon Phipps [mailto:simon@webmink.com]
> Sent: Wednesday, October 05, 2011 12:49
> To: ooo-dev@incubator.apache.org
> Subject: Re: Vulnerability fixed in LibreOffice
>
> I've investigated and I am informed by one of the LO developers:
>> The initial report was sent to securityteam@openoffice.org on
>> 25-07-2011, the assigned CVE id was cc'ed there somewhat later on. I
>> posted the 5 patches which in combination would fix it to the list as
>> well. I was informed an ApacheOOo representative had joined the list.
>
>
> On 5 Oct 2011, at 20:40, Dennis E. Hamilton wrote:
>
>> [bcc to ooo-security@i.a.o]
>>
>> It is difficult to tell from a press release what the details of security fixes are.
>>
>>
>> -----Original Message-----
>> From: FR web forum [mailto:oooforum@free.fr]
>> Sent: Wednesday, October 05, 2011 10:15
>>
>> Good morning,
>>
>> TDF has published a fix for LibO: http://wp.me/p1byPE-bQ
>>
>> Do you know if OOo is impacted too?
>>
>> Thank you
>>
>