From: "Dennis E. Hamilton" <dennis.hamilton@acm.org>
To: ooo-users@incubator.apache.org
Reply-To: ooo-users@incubator.apache.org
Subject: RE: CVE-2012-0037: OpenOffice.org data leakage vulnerability
Date: Mon, 23 Apr 2012 13:44:18 -0700
Organization: NuovoDoc
Message-ID: <005a01cd2191$db8edd40$92ac97c0$@acm.org>

Gary,

Thank you. Your concern for warnings to users who download these older versions is well-taken. I agree: Something should be done about that on the archive-download web pages.

However, it must not be assumed that archival downloads of any OpenOffice.org releases preceding Apache OpenOffice 3.4 have been updated in place. Apache does not do that, and other projects, including OpenOffice.org, have not done that. Previous releases are not replaced in archives when there are security issues; they are simply superseded by later releases (or, rarely, by a separate patch). In general, releases are not updated in place and patches are extremely rare. Users must install the later, corrected release to have the mitigation for any security vulnerabilities discovered in an older release.
If a patched release for 3.3.0 had occurred, it would have a new number, such as 3.3.1.

The Apache OpenOffice project has not produced new releases for any OpenOffice.org releases provided by Oracle and Sun that might still be made available via the openoffice.org site. I'm certain that you know that.

The only Apache OpenOffice distributions are the provision of the source code of the patch and the provision of two separately-installable patches that apply to OpenOffice.org 3.3.0 and 3.4-dev/beta on Windows and Mac. These are supplemental to the available downloads. When Apache OpenOffice 3.4 is released, it will also provide mitigation of security issues that have been developed since OpenOffice.org 3.3.0.

 - Dennis

-----Original Message-----
From: NoOp [mailto:glgxg@sbcglobal.net]
Sent: Monday, April 23, 2012 11:59
To: ooo-users@incubator.apache.org
Subject: Re: CVE-2012-0037: OpenOffice.org data leakage vulnerability

[ ... ]

AOO continues to distribute 3.3.0 (3.2.1, 3.2.0 for some languages):
http://www.openoffice.org/download/other.html

So we must assume that *all* of those versions on that page have been patched... otherwise AOO continues to provide packages with an 'important' security vulnerability. Based on that 'assumption', I'll download & reinstall 3.3.0 from that page & reinstall over my existing OOo 3.3.0 (deb, rpm, and Windows) versions. I'll then have a fully patched 3.3.0 version... right?

If that is not the case, then I suggest that AOO either pull those versions that have not been patched, or at the very least provide a strong warning that the code has an 'important' security vulnerability, on the download pages:
http://www.openoffice.org/download/index.html
http://www.openoffice.org/download/other.html
and any other place where the program can be downloaded from directly (i.e., SF).
A "responsible" distributor of such code might take a hint from:
http://www.oracle.com/technetwork/java/javase/downloads/index.html
"Java SE 6 Update 31 This release includes security fixes. Learn more"
and only provide unpatched code in a different location, with a warning:
http://www.oracle.com/technetwork/java/archive-139210.html
"WARNING: These older versions of the JRE and JDK are provided to help developers debug issues in older systems. They are not updated with the latest security patches and are not recommended for use in production."

- Gary

---------------------------------------------------------------------
To unsubscribe, e-mail: ooo-users-unsubscribe@incubator.apache.org
For additional commands, e-mail: ooo-users-help@incubator.apache.org