From: "Dennis E. Hamilton"
To: ooo-dev@incubator.apache.org
Subject: Handling and Reporting CVEs (was RE: Proposal: ooo-announce list)
Date: Mon, 12 Dec 2011 10:21:33 -0800
Organization: NuovoDoc
Message-ID: <007601ccb8fa$e14b1230$a3e13690$@acm.org>

Well, the Apache practice is clear. Putting a CVE number in a patch is probably not the way to execute on that practice, but that is not an Apache patch you are looking at.

Red Hat also has a very large list of CVEs that you can find in their issue tracker and elsewhere. I am not clear when and how those show up and I don't know what it means when such an issue is shown as unresolved, either.

LibreOffice might want to take a page from the time-tested ASF Security procedures with regard to avoiding premature disclosure, etc.

Having said that, we are all learning on the job with regard to security issues surrounding the OpenOffice.org family. As the product becomes a more-profitable target for culprits, I am certain that there will be more to learn.

 - Dennis

PS: It might be nice to have a single public place to discuss just these practices across the family without deflecting the reporting lists from their focused purpose with regard to receiving and assessing vulnerability and exploit reports. Although I think one would be useful to have, there does not seem to be much interest on the part of the various security teams.
-----Original Message-----
From: Andrea Pescetti [mailto:pescetti@openoffice.org]
Sent: Monday, December 12, 2011 07:14
To: ooo-dev@incubator.apache.org
Subject: Re: Proposal: ooo-announce list

On 11/12/2011 Rob Weir wrote:
> The practice is to check in such fixes without making it evident to
> the observer that it is security-related. So don't expect SVN
> comments to give it away.

Like this?
http://cgit.freedesktop.org/libreoffice/core/commit/?id=cf5d0e20f2ba5a71f9ca2ed78a1b24841c97bb06

I know the example is from LibreOffice (even though the bug might be shared with OpenOffice.org or Apache OpenOffice) but I just happened to spot it and it doesn't seem particularly hidden... Such a policy would have to apply to all related projects (again, I totally don't know if this bug is related to Apache OpenOffice too, I'm just discussing the issue in general).

Regards,
  Andrea.