incubator-ooo-users mailing list archives

From Rob Weir <robw...@apache.org>
Subject Re: CVE-2012-0037: OpenOffice.org data leakage vulnerability
Date Thu, 19 Apr 2012 14:32:53 GMT
On Thu, Apr 19, 2012 at 2:55 AM, NoOp <glgxg@sbcglobal.net> wrote:
> On 03/23/2012 02:17 PM, Rob Weir wrote:
>> On Fri, Mar 23, 2012 at 5:11 PM, Girvin R. Herr
>> <girvin.herr@sbcglobal.net> wrote:
>>> Dave,
>>> Thanks for the quick, encouraging response.
>>> I thought this security patch was part of an Apache effort and sanction.  I
>>> was not aware that it was produced by a 3rd party without Apache support.
>>
>> That's a logical leap without basis.  It is possible for a small group
>> at Apache to have produced the patch and for there to be no policy
>> against Linux.  In fact both statements are true.
>>
>> Remember, we're not a commercial software vendor. Apache is a
>> non-profit, run by volunteers.  If volunteers wish to make a Linux
>> patch, then they will.  And it appears they will.  We've certainly
>> been building and testing OpenOffice 3.4 for Linux.  If there are
>> volunteers for Solaris, BSD, OS/2 or whatever, those patches will also
>> appear.  The Apache license allows anyone to take this code and build
>> it on whatever platform they want.
>>
>>>  My apologies to all. I will still keep an eye on it, but I am relieved that
>>> the Linux omission was not a result of Apache policy.
>>
>> Again, policy has nothing to do with this.
> ...
>
> Really? Then perhaps you can tell us where to find the Linux patch. It's
> now April 18. AOO couldn't figure out a Linux patch in all that time?
>

AOO is a community of volunteers.  It is safe to say that no volunteer
has produced a Linux patch in this interval, but it is not safe to
assume this is because "AOO couldn't figure out" how to do it.

> Is there a different mirror than:
> <http://www.eng.lsu.edu/mirrors/apache//incubator/ooo/3.3/patches/cve-2012-0037/>
> with the Linux patch(es)?
>

There are many different mirrors in the Apache mirror network.  But
they should all have the same files.

> Seems pretty sad that AOO are unable to provide a Linux patch when the
> Windows and Mac patches were provided 21 March.  Makes one wonder if
> Apache even plan to support Linux AOO. Particularly given this statement:
>
> "Linux and other platforms should consult their distro or OS vendor for
> patch instructions."
>
> on <http://www.openoffice.org/security/cves/CVE-2012-0037.html>.
>

If you check the AOO 3.4 dev snapshots I think it is clear that we are
planning to release AOO 3.4 on Linux, both 32- and 64-bit, and with
two packaging formats:

https://cwiki.apache.org/confluence/display/OOOUSERS/AOO+3.4+Unofficial+Developer+Snapshots

> BTW: <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0037> is
> still showing:
> CVE-2012-0037
> (under review)
> "** RESERVED ** This candidate has been reserved by an organization or
> individual that will use it when announcing a new security problem. When
> the candidate has been publicized, the details for this candidate will
> be provided. "
> Nor is there any mention of that CVE here:
> <https://incubator.apache.org/openofficeorg/security.html>
> So perhaps it really isn't something to worry about after all.
>

That page is for Apache OpenOffice security patches.  The patch we're
talking about was for the pre-Apache OpenOffice.org.  Those security
bulletins are on the legacy OpenOffice.org security page here:

http://www.openoffice.org/security/bulletin.html

Regards,

-Rob



---------------------------------------------------------------------
To unsubscribe, e-mail: ooo-users-unsubscribe@incubator.apache.org
For additional commands, e-mail: ooo-users-help@incubator.apache.org
