incubator-ooo-users mailing list archives

From NoOp <>
Subject Re: CVE-2012-0037: data leakage vulnerability
Date Mon, 23 Apr 2012 18:58:36 GMT
On 04/22/2012 05:36 AM, Dennis E. Hamilton wrote:
> Although free-standing Linux patches remain unavailable for
> pre-Apache OpenOffice distributions, a platform distribution
> containing the repair has appeared.
> Here is how the Mandriva update was announced: 
> <>.
> Mandriva issued patched versions of their supported distributions
> for, LibreOffice, and the common library that is the
> source of the vulnerability.  There are separate Mandriva advisories
> for each.
> - Dennis
Good for them. They distributed those versions of OOo & have taken a
responsible action. Just as Mandriva distributed those versions to
users, OOo (now AOO) distributed 3.3 and 3.4 Beta (and
earlier), on all platforms: the ones with the existing vulnerability.

AOO continue to distribute 3.3.0 (3.2.1, 3.2.0 for some languages):

So we must assume that *all* of those versions on that page have been
patched... otherwise AOO continue to provide packages with an 'important'
security vulnerability. Based on that 'assumption', I'll download &
reinstall 3.3.0 from that page & reinstall over my existing OOo 3.3.0
(deb, rpm, and Windows) versions. I'll then have a fully patched 3.3.0
version... right? If that is not the case, then I suggest that AOO
either pull those versions that have not been patched, or at the very
least provide a strong warning that the code has an 'important' security
vulnerability, on the download pages:
and any other place where the program can be downloaded from directly
(i.e., SF).

A "responsible" distributor of such code might take a hint from:
"Java SE 6 Update 31
This release includes security fixes. Learn more"
and only provide unpatched code in a different location, with a warning:
"WARNING: These older versions of the JRE and JDK are provided to help
developers debug issues in older systems. They are not updated with the
latest security patches and are not recommended for use in production."

- Gary
