On 23 Mar 2012, at 01:26, NoOp wrote:
Why is it that "security advisories" such as this:
https://www.libreoffice.org/advisories/CVE-2012-0037/
are not posted on the user or announce lists?

The only way I found out about this was via a Red Hat bug report:
https://bugzilla.redhat.com/show_bug.cgi?id=791296
[Bug 791296 - (CVE-2012-0037) CVE-2012-0037 raptor: XML External Entity (XXE) attack via RDF files]

And then later on the ApacheOOO user list:
<http://permalink.gmane.org/gmane.comp.apache.incubator.ooo.user/866>

It would be nice if someone 'official' (à la TDF) could post the CVE-2012-0037 notice on both the user and announce lists.

LibreOffice shares security information with other projects on a mailing list hosted neutrally at freedesktop.org. As I understand it, the embargo on mentioning this CVE was only lifted today, so you've not overlooked it up to now.

S.