incubator-ooo-users mailing list archives

From Rob Weir <robw...@apache.org>
Subject Re: CVE-2012-0037: OpenOffice.org data leakage vulnerability
Date Fri, 23 Mar 2012 21:17:13 GMT
On Fri, Mar 23, 2012 at 5:11 PM, Girvin R. Herr
<girvin.herr@sbcglobal.net> wrote:
> Dave,
> Thanks for the quick, encouraging response.
> I thought this security patch was part of an Apache effort and sanction.  I
> was not aware that it was produced by a 3rd party without Apache support.

That's a logical leap without basis.  It is possible for a small group
at Apache to have produced the patch and for there to be no policy
against Linux.  In fact both statements are true.

Remember, we're not a commercial software vendor. Apache is a
non-profit, run by volunteers.  If volunteers wish to make a Linux
patch, then they will.  And it appears they will.  We've certainly
been building and testing OpenOffice 3.4 for Linux.  If there are
volunteers for Solaris, BSD, OS/2 or whatever, those patches will also
appear.  The Apache license allows anyone to take this code and build
it on whatever platform they want.

>  My apologies to all. I will still keep an eye on it, but I am relieved that
> the Linux omission was not a result of Apache policy.

Again, policy has nothing to do with this.

> Thanks.
> Girvin
>
>
>
> Dave Fisher wrote:
>>
>> Work is proceeding on the Linux patch. Please subscribe to OOo-dev mailing
>> list if you would like to help.
>>
>> There is no Apache policy at play here at all. A very small group prepared
>> this security patch as one would expect.
>>
>> Many of the members of the Apache OpenOffice Podling Project Management
>> Committee agree that Linux versions should have been included.
>>
>> Regards,
>> Dave
>>
>> Sent from my iPhone
>>
>> On Mar 23, 2012, at 3:20 PM, "Girvin R. Herr" <girvin.herr@sbcglobal.net>
>> wrote:
>>
>>
>>>
>>> Dan Lewis wrote:
>>>
>>>>
>>>> On Thu, 2012-03-22 at 15:17 -0700, Terry wrote:
>>>>
>>>>>
>>>>> This quote from the page mentioned by Rob:
>>>>>
>>>>> <quote>Linux and other platforms should consult their distro or OS
>>>>> vendor for patch instructions.</quote>
>>>>>
>>>>> My distro doesn't support OpenOffice; most, I gather, don't.
>>>>>
>>>>>
>>>>>
>>>>> ----- Original Message -----
>>>>>
>>>>>>
>>>>>> From: NoOp <glgxg@sbcglobal.net>
>>>>>> To: ooo-users@incubator.apache.org
>>>>>> Cc:
>>>>>> Sent: Friday, 23 March 2012 5:13 AM
>>>>>> Subject: Re: CVE-2012-0037: OpenOffice.org data leakage vulnerability
>>>>>>
>>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>>> Hash: SHA1
>>>>>>
>>>>>> On 03/22/2012 06:16 AM, Rob Weir wrote:
>>>>>>
>>>>>>>
>>>>>>> Please note, this is the official security bulletin, targeted for
>>>>>>> security professionals.  If you are an OpenOffice.org 3.3 user, and
>>>>>>> are able to apply the mentioned patch, then you are encouraged to
>>>>>>> do so.  If someone else supports or manages your desktop, then
>>>>>>> please forward this information to them.
>>>>>>>
>>>>>>
>>>>>> ...
>>>>>>
>>>>>> Where are the Linux patches? I could only find Windows and Mac:
>>>>>>
>>>>>>
>>>>>> <http://www.eng.lsu.edu/mirrors/apache//incubator/ooo/3.3/patches/cve-2012-0037/>
>>>>>>
>>>>>>
>>>>>>
>>>>
>>>>    There is still a group of people using Linux who have been ignored:
>>>> the people who have downloaded their copy of OOo from the OOo website. I
>>>> fall into this category.
>>>>    Seems to me that if you are going to issue patches for Windows and
>>>> OSX for which you provide downloads from your website, you should
>>>> provide a patch for the rest of the versions available as binaries for
>>>> downloading from it.
>>>>    As far as compiling the patch, how many of the group I mentioned
>>>> know how to compile the patches for their version? I don't, and likely
>>>> many others don't either. In fact, I have never been able to compile any
>>>> program following directions. I always have gotten one or more errors
>>>> and not known what had caused the mistake nor how to fix it. That is why
>>>> I download and install binaries.
>>>>    Fortunately for me, I have already downloaded from the BuildBot on
>>>> 3/10/12 so I've gotten the patch applied.
>>>>
>>>> --Dan
>>>>
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: ooo-users-unsubscribe@incubator.apache.org
>>>> For additional commands, e-mail: ooo-users-help@incubator.apache.org
>>>>
>>>>
>>>>
>>>
>>> Dan,
>>> First, I must divulge that I am a retired software/hardware engineer, so
>>> I do have experience in compiling programs under Linux.  Some time ago, I
>>> did compile OO.o 2.x for my Slackware Linux workstation, which does not come
>>> with OO.o support.  Although I didn't have any errors, it took about 3 hours
>>> to do so on my 1.2GHz 1GB Athlon system, so I have since been repackaging
>>> the downloaded OO.o binary packages into Slackware packages for
>>> installation. So, I too am in the class of Linux users who download the
>>> binary OO.o and are left out in the cold with this new scary Apache policy.
>>>  It deeply concerns me that there is any "discussion" at all regarding Linux
>>> support.  Although it may not be intended, it appears to me that Apache is
>>> cutting off the *nix limb of the OO.o tree.  That does not bode well for us
>>> Linux users who have grown dependent on OO.o for maintaining our documents
>>> and, more importantly and more critical to me, our database forms and
>>> reports.  It makes me want to look for another Open Document office suite.
>>>  Instead of being loyal to OO.o (aka AOO now) maybe I should take another
>>> look at LO...
>>>
>>> I will at least be watching this issue closely and how Apache reacts.
>>>
>>> Girvin Herr
>>>
>>>
>>>
>>>
>>>
>>
>>
>>
>>
>>
>
>
>
