incubator-ooo-users mailing list archives

From "Dennis E. Hamilton" <dennis.hamil...@acm.org>
Subject RE: CVE-2012-0037: OpenOffice.org data leakage vulnerability
Date Mon, 23 Apr 2012 20:44:18 GMT
Gary,

Thank you. Your concern for warnings to users who download these older versions is well-taken.
I agree: Something should be done about that on the archive-download web pages.


However, it must not be assumed that archival downloads of any OpenOffice.org releases preceding
Apache OpenOffice 3.4 have been updated in place.  Apache does not do that and other projects,
including OpenOffice.org, have not done that.  Previous releases are not replaced in archives
when there are security issues, they are simply superseded by later releases (or, rarely,
by a separate patch).  In general, releases are not updated in place and patches are extremely
rare.  Users must install the later, corrected release to have the mitigation for any security
vulnerabilities discovered in an older release.  If a patched release for 3.3.0 had occurred,
it would have a new number, such as 3.3.1.

The Apache OpenOffice project has not produced new releases for any OpenOffice.org releases
provided by Oracle and Sun that might still be made available via the openoffice.org site.
I'm certain that you know that.

The only Apache OpenOffice distributions are the provision of the source code of the patch
and the provision of two separately-installable patches that apply to OpenOffice.org 3.3.0
and 3.4-dev/beta on Windows and Mac.  These are supplemental to the available downloads. 
When Apache OpenOffice 3.4 is released, it will also provide mitigation of security issues
that have been developed since OpenOffice.org 3.3.0.


 - Dennis

-----Original Message-----
From: NoOp [mailto:glgxg@sbcglobal.net] 
Sent: Monday, April 23, 2012 11:59
To: ooo-users@incubator.apache.org
Subject: Re: CVE-2012-0037: OpenOffice.org data leakage vulnerability

[ ... ]

AOO continues to distribute 3.3.0 (3.2.1, 3.2.0 for some languages):
http://www.openoffice.org/download/other.html

So we must assume that *all* of those versions on that page have been
patched... otherwise AOO continues to provide packages with an 'important'
security vulnerability. Based on that 'assumption', I'll download &
reinstall 3.3.0 from that page & reinstall over my existing OOo 3.3.0
(deb, rpm, and Windows) versions. I'll then have a fully patched 3.3.0
version... right? If that is not the case, then I suggest that AOO
either pull those versions that have not been patched, or at the very
least provide a strong warning that the code has an 'important' security
vulnerability, on the download pages:
http://www.openoffice.org/download/index.html
http://www.openoffice.org/download/other.html
and any other place where the program can be downloaded from directly
(i.e., SF).

A "responsible" distributor of such code might take a hint from:
http://www.oracle.com/technetwork/java/javase/downloads/index.html
"Java SE 6 Update 31
This release includes security fixes. Learn more"
and only provide unpatched code in a different location, with a warning:
http://www.oracle.com/technetwork/java/archive-139210.html
"WARNING: These older versions of the JRE and JDK are provided to help
developers debug issues in older systems. They are not updated with the
latest security patches and are not recommended for use in production."

- Gary



---------------------------------------------------------------------
To unsubscribe, e-mail: ooo-users-unsubscribe@incubator.apache.org
For additional commands, e-mail: ooo-users-help@incubator.apache.org