incubator-ooo-dev mailing list archives

From Daniel Shahaf <...@daniel.shahaf.name>
Subject Re: Handling and Reporting CVEs (was RE: Proposal: ooo-announce list)
Date Mon, 12 Dec 2011 19:27:19 GMT
Dennis E. Hamilton wrote on Mon, Dec 12, 2011 at 10:21:33 -0800:
> Well, the Apache practice is clear.
> 
> Putting a CVE number in a patch is probably not the way to execute on that practice,
> but that is not an Apache patch you are looking at.
> 
> Red Hat also has a very large list of CVEs that you can find in their issue tracker and
> elsewhere.  I am not clear when and how those show up and I don't know what it means when
> such an issue is shown as unresolved, either.
> 
> LibreOffice might want to take a page from the time-tested ASF Security procedures with
> regard to avoiding premature disclosure, etc.
> 
> Having said that, we are all learning on the job with regard to security issues surrounding
> the OpenOffice.org family.  As the product becomes a more-profitable target for culprits,
> I am certain that there will be more to learn.
> 
>  - Dennis
> 
> PS: It might be nice to have a single public place to discuss just
> these practices across the family without deflecting the reporting
> lists from their focused purpose with regard to receiving and
> assessing vulnerability and exploit reports.  Although I think one
> would be useful to have, there does not seem to be much interest on
> the part of the various security teams.
> 

If you want to have an Apache-wide discussion about how to handle CVEs,
I'm sure there's an existing list appropriate for that.

> 
> 
> -----Original Message-----
> From: Andrea Pescetti [mailto:pescetti@openoffice.org] 
> Sent: Monday, December 12, 2011 07:14
> To: ooo-dev@incubator.apache.org
> Subject: Re: Proposal: ooo-announce list
> 
> On 11/12/2011 Rob Weir wrote:
> > The practice is to check in such fixes without making it evident to
> > the observer that it is security-related.  So don't expect SVN
> > comments to give it away.
> 
> Like this?
> http://cgit.freedesktop.org/libreoffice/core/commit/?id=cf5d0e20f2ba5a71f9ca2ed78a1b24841c97bb06
> 
> I know the example is from LibreOffice (even though the bug might be 
> shared with OpenOffice.org or Apache OpenOffice) but I just happened to 
> spot it and it doesn't seem particularly hidden... Such a policy would 
> have to apply to all related projects (again, I totally don't know if 
> this bug is related to Apache OpenOffice too, I'm just discussing the 
> issue in general).
> 
> Regards,
>    Andrea.
> 
