incubator-ooo-dev mailing list archives

From Daniel Shahaf <>
Subject Re: Handling and Reporting CVEs (was RE: Proposal: ooo-announce list)
Date Mon, 12 Dec 2011 19:27:19 GMT
Dennis E. Hamilton wrote on Mon, Dec 12, 2011 at 10:21:33 -0800:
> Well, the Apache practice is clear.
> Putting a CVE number in a patch is probably not the way to execute on that practice,
> but that is not an Apache patch you are looking at.
> Red Hat also has a very large list of CVEs that you can find in their issue tracker and
> elsewhere.  I am not clear when and how those show up and I don't know what it means when
> such an issue is shown as unresolved, either.
> LibreOffice might want to take a page from the time-tested ASF Security procedures with
> regard to avoiding premature disclosure, etc.
> Having said that, we are all learning on the job with regard to security issues surrounding
> the family.  As the product becomes a more-profitable target for culprits,
> I am certain that there will be more to learn.
>  - Dennis
> PS: It might be nice to have a single public place to discuss just
> these practices across the family without deflecting the reporting
> lists from their focused purpose with regard to receiving and
> assessing vulnerability and exploit reports.  Although I think one
> would be useful to have, there does not seem to be much interest on
> the part of the various security teams.

If you want to have an Apache-wide discussion about how to handle CVEs,
I'm sure there's an existing list appropriate for that.

> -----Original Message-----
> From: Andrea Pescetti [] 
> Sent: Monday, December 12, 2011 07:14
> To:
> Subject: Re: Proposal: ooo-announce list
> On 11/12/2011 Rob Weir wrote:
> > The practice is to check in such fixes without making it evident to
> > the observer that it is security-related.  So don't expect SVN
> > comments to give it away.
> Like this?
> I know the example is from LibreOffice (even though the bug might be 
> shared with or Apache OpenOffice) but I just happened to 
> spot it and it doesn't seem particularly hidden... Such a policy would 
> have to apply to all related projects (again, I totally don't know if 
> this bug is related to Apache OpenOffice too, I'm just discussing the 
> issue in general).
> Regards,
>    Andrea.
