incubator-ooo-users mailing list archives

From "Girvin R. Herr" <girvin.h...@sbcglobal.net>
Subject Re: CVE-2012-0037: OpenOffice.org data leakage vulnerability
Date Fri, 23 Mar 2012 21:11:54 GMT
Dave,
Thanks for the quick, encouraging response.
I thought this security patch was part of an Apache effort and 
sanction.  I was not aware that it was produced by a 3rd party without 
Apache support.  My apologies to all. 
I will still keep an eye on it, but I am relieved that the Linux 
omission was not a result of Apache policy.
Thanks.
Girvin


Dave Fisher wrote:
> Work is proceeding on the Linux patch. Please subscribe to OOo-dev mailing list if you would like to help.
>
> There is no Apache policy at play here at all. A very small group prepared this security patch as one would expect.
>
> Many of the members of the Apache OpenOffice Podling Project Management Committee agree that Linux versions should have been included.
>
> Regards,
> Dave
>
> Sent from my iPhone
>
> On Mar 23, 2012, at 3:20 PM, "Girvin R. Herr" <girvin.herr@sbcglobal.net> wrote:
>
>   
>> Dan Lewis wrote:
>>     
>>> On Thu, 2012-03-22 at 15:17 -0700, Terry wrote:
>>>  
>>>       
>>>> This quote from the page mentioned by Rob:
>>>>
>>>> <quote>Linux and other platforms should consult their distro or OS vendor for patch instructions.</quote>
>>>>
>>>> My distro doesn't support OpenOffice; most, I gather, don't.
>>>>
>>>>
>>>>
>>>> ----- Original Message -----
>>>>    
>>>>         
>>>>> From: NoOp <glgxg@sbcglobal.net>
>>>>> To: ooo-users@incubator.apache.org
>>>>> Cc:
>>>>> Sent: Friday, 23 March 2012 5:13 AM
>>>>> Subject: Re: CVE-2012-0037: OpenOffice.org data leakage vulnerability
>>>>>
>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>> Hash: SHA1
>>>>>
>>>>> On 03/22/2012 06:16 AM, Rob Weir wrote:
>>>>>      
>>>>>           
>>>>>> Please note, this is the official security bulletin, targeted for
>>>>>> security professionals.  If you are an OpenOffice.org 3.3 user, and
>>>>>> are able to apply the mentioned patch, then you are encouraged to
>>>>>> do so.  If someone else supports or manages your desktop, then please
>>>>>> forward this information to them.
>>>>>>        
>>>>>>             
>>>>> ...
>>>>>
>>>>> Where are the linux patches? I could only find Windows and Mac:
>>>>>
>>>>> <http://www.eng.lsu.edu/mirrors/apache//incubator/ooo/3.3/patches/cve-2012-0037/>
>>>>>
>>>>>
>>>>>      
>>>>>           
>>>     There is still a group of people using linux who have been ignored:
>>> the people who have downloaded their copy of OOo from the OOo website. I
>>> fall into this category.
>>>     Seems to me that if you are going to issue patches for Windows and
>>> OSX for which you provide downloads from your website, you should
>>> provide a patch for the rest of the versions available as binaries for
>>> downloading from it.
>>>     As far as compiling the patch, how many of the group I mentioned
>>> know how to compile the patches for their version? I don't, and likely
>>> many others don't either. In fact, I have never been able to compile any
>>> program following directions. I always have gotten one or more errors
>>> and not known what had caused the mistake nor how to fix it. That is why
>>> I download and install binaries.
>>>     Fortunately for me, I have already downloaded from the BuildBot on
>>> 3/10/12 so I've gotten the patch applied.
>>>
>>> --Dan
>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: ooo-users-unsubscribe@incubator.apache.org
>>> For additional commands, e-mail: ooo-users-help@incubator.apache.org
>>>
>>>
>>>  
>>>       
>> Dan,
>> First, I must divulge that I am a retired software/hardware engineer, so I do have experience in compiling programs under Linux.  Some time ago, I did compile OO.o 2.x for my Slackware Linux workstation, which does not come with OO.o support.  Although I didn't have any errors, it took about 3 hours to do so on my 1.2GHz 1GB Athlon system, so I have since been repackaging the downloaded OO.o binary packages into Slackware packages for installation.
>>
>> So, I too am in the class of Linux users who download the binary OO.o and are left out in the cold with this new scary Apache policy.  It deeply concerns me that there is any "discussion" at all regarding Linux support.  Although it may not be intended, it appears to me that Apache is cutting off the *nix limb of the OO.o tree.  That does not bode well for us Linux users who have grown dependent on OO.o for maintaining our documents and, more importantly and more critical to me, our database forms and reports.  It makes me want to look for another Open Document office suite.  Instead of being loyal to OO.o (aka AOO now) maybe I should take another look at LO...
>>
>> I will at least be watching this issue closely and how Apache reacts.
>>
>> Girvin Herr
>>
>
