incubator-ooo-users mailing list archives

From Rob Weir <>
Subject Re: CVE-2012-0037: data leakage vulnerability
Date Thu, 19 Apr 2012 14:32:53 GMT
On Thu, Apr 19, 2012 at 2:55 AM, NoOp <> wrote:
> On 03/23/2012 02:17 PM, Rob Weir wrote:
>> On Fri, Mar 23, 2012 at 5:11 PM, Girvin R. Herr
>> <> wrote:
>>> Dave,
>>> Thanks for the quick, encouraging response.
>>> I thought this security patch was part of an Apache effort and sanction.  I
>>> was not aware that it was produced by a 3rd party without Apache support.
>> That's a logical leap without basis.  It is possible for a small group
>> at Apache to have produced the patch and for there to be no policy
>> against Linux.  In fact both statements are true.
>> Remember, we're not a commercial software vendor. Apache is a
>> non-profit, run by volunteers.  If volunteers wish to make a Linux
>> patch, then they will.  And it appears they will.  We've certainly
>> been building and testing OpenOffice 3.4 for Linux.  If there are
>> volunteers for Solaris, BSD, OS/2 or whatever, those patches will also
>> appear.  The Apache license allows anyone to take this code and build
>> it on whatever platform they want.
>>>  My apologies to all. I will still keep an eye on it, but I am relieved that
>>> the Linux omission was not a result of Apache policy.
>> Again, policy has nothing to do with this.
> ...
> Really? Then perhaps you can tell us where to find the linux patch. It's
> now April 18. AOO couldn't figure out a linux patch in all that time?

AOO is a community of volunteers.  It is safe to say that no volunteer
has produced a Linux patch in this interval, but it is not safe to
assume this is because "AOO couldn't figure out" how to do it.

> Is there a different mirror than:
> <>
> with the linux patch(s)?

There are many different mirrors in the Apache mirror network.  But
they should all have the same files.

> Seems pretty sad that AOO are unable to provide a linux patch when the
> Windows and Mac patches were provided 21 March.  Makes one wonder if
> Apache even plan to support linux AOO. Particularly given this statement:
> "Linux and other platforms should consult their distro or OS vendor for
> patch instructions."
> on <>.

If you check the AOO 3.4 dev snapshots I think it is clear that we are
planning to release AOO 3.4 on Linux, both 32 and 64-bits, and with
two packaging formats:

> BTW: <> is
> still showing:
> CVE-2012-0037
> (under review)
> "** RESERVED ** This candidate has been reserved by an organization or
> individual that will use it when announcing a new security problem. When
> the candidate has been publicized, the details for this candidate will
> be provided. "
> Nor is there any mention of that CVE here:
> <>
> So perhaps it really isn't something to worry about after all.

That page is for Apache OpenOffice security patches.   The patch we're
talking about was for the pre-Apache  Those security
bulletins are on the legacy security page here:


