From: Dave Fisher
Date: Wed, 5 Oct 2011 14:00:28 -0700
Subject: Re: Vulnerability fixed in LibreOffice
To: ooo-dev@incubator.apache.org

On Oct 5, 2011, at 1:21 PM, Dennis E. Hamilton wrote:

> [bcc: ooo-security@i.a.o, tdf-security@l.df.o]
>
> That information concerning an ApacheOOo representative on
> securityteam@openoffice.org is apparently inaccurate. Or
> else there is a breakdown in the vulnerability being
> communicated to ApacheOOo.

Rather unfortunate as that seemed to be one area of co-operation.

IMHO - It would make sense for someone to either immediately shut down securityteam@openoffice.org or make it forward to ooo-security@i.a.o.

If INFRA-3898 were completed we might have a chance until then ...

Regards,
Dave

>
> However, since the patch has been made, the CVE and supporting
> details should now be available somewhere public. Also, the
> report refers to "some additional security patches and fixes"
> without mention of any CVEs. It would be good to know what
> that is about.
>
> The LibreOffice 3.4.3 Release Notes provide no clue:
> <http://wiki.documentfoundation.org/Releases/3.4.3_info_about_fixes>.
>
> I did find two CVEs here:
> <http://www.libreoffice.org/advisories/>
>
> The CVE list has not been updated yet:
> <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2713>
>
> I trust this is the last time that either of our projects learn about
> something like this in a press release.
>
>
> - Dennis
>
> -----Original Message-----
> From: Simon Phipps [mailto:simon@webmink.com]
> Sent: Wednesday, October 05, 2011 12:49
> To: ooo-dev@incubator.apache.org
> Subject: Re: Vulnerability fixed in LibreOffice
>
> I've investigated and I am informed by one of the LO developers:
>> The initial report was sent to securityteam@openoffice.org on
>> 25-07-2011, the assigned CVE id was cc'ed there somewhat later on. I
>> posted the 5 patches which in combination would fix it to the list as
>> well. I was informed an ApacheOOo representative had joined the list.
>
>
> On 5 Oct 2011, at 20:40, Dennis E. Hamilton wrote:
>
>> [bcc to ooo-security@i.a.o]
>>
>> It is difficult to tell from a press release what the details of security fixes are.
>>
>>
>> -----Original Message-----
>> From: FR web forum [mailto:oooforum@free.fr]
>> Sent: Wednesday, October 05, 2011 10:15
>>
>> Good morning,
>>
>> TDF has published a fix for LibO: http://wp.me/p1byPE-bQ
>>
>> Do you know if OOo is impacted too?
>>
>> Thank you
>>
>