incubator-ooo-users mailing list archives

From NoOp <gl...@sbcglobal.net>
Subject Re: CVE-2012-0037: OpenOffice.org data leakage vulnerability
Date Thu, 19 Apr 2012 00:55:35 GMT
On 03/23/2012 02:17 PM, Rob Weir wrote:
> On Fri, Mar 23, 2012 at 5:11 PM, Girvin R. Herr
> <girvin.herr@sbcglobal.net> wrote:
>> Dave,
>> Thanks for the quick, encouraging response.
>> I thought this security patch was part of an Apache effort and sanction.  I
>> was not aware that it was produced by a 3rd party without Apache support.
> 
> That's a logical leap without basis.  It is possible for a small group
> at Apache to have produced the patch and for there to be no policy
> against Linux.  In fact both statements are true.
> 
> Remember, we're not a commercial software vendor. Apache is a
> non-profit, run by volunteers.  If volunteers wish to make a Linux
> patch, then they will.  And it appears they will.  We've certainly
> been building and testing OpenOffice 3.4 for Linux.  If there are
> volunteers for Solaris, BSD, OS/2 or whatever, those patches will also
> appear.  The Apache license allows anyone to take this code and build
> it on whatever platform they want.
> 
>>  My apologies to all. I will still keep an eye on it, but I am relieved that
>> the Linux omission was not a result of Apache policy.
> 
> Again, policy has nothing to do with this.
...

Really? Then perhaps you can tell us where to find the linux patch. It's
now April 18. AOO couldn't figure out a linux patch in all that time?

Is there a different mirror than:
<http://www.eng.lsu.edu/mirrors/apache//incubator/ooo/3.3/patches/cve-2012-0037/>
with the linux patch(s)?

Seems pretty sad that AOO are unable to provide a linux patch when the
Windows and Mac patches were provided 21 March.  Makes one wonder if
Apache even plan to support linux AOO. Particularly given this statement:

"Linux and other platforms should consult their distro or OS vendor for
patch instructions."

on <http://www.openoffice.org/security/cves/CVE-2012-0037.html>.

BTW: <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0037> is
still showing:
CVE-2012-0037
(under review)
"** RESERVED ** This candidate has been reserved by an organization or
individual that will use it when announcing a new security problem. When
the candidate has been publicized, the details for this candidate will
be provided. "
Nor is there any mention of that CVE here:
<https://incubator.apache.org/openofficeorg/security.html>
So perhaps it really isn't something to worry about after all.



