RE: [tdf-discuss] Re: Security Advisories

That's BS. The disclosure has been embargoed since it report to multiple security lists in January. 
 All of the involved parties recently settled on the March 22 date because that was the earliest 
date Apache OpenOffice could produce either a release or a patch in First-Quarter 2012.  There is 
no way that Apache OpenOffice forced this as an early date.  Nor did Apache OpenOffice surprise 
anyone.  There were others (*not* LO/TDF) who wanted the embargo lifted even earlier.  

It was certainly valuable to delay disclosure as long as possible to permit seeding of updates, but 
there was no way that could happen in the AOO case, since the production of a back-version patch to 
OO.o 3.3.0 would be and is an extraordinary event.  Considering how easy it is to exploit the 
vulnerability with a maliciously-crafted ODF 1.2 document, there is always the fear that failure to 
disclose an important need to update also gives miscreants a head start at putting an exploit in 
the wild.

The LO security team was fully aware of this and there was no pre-emption on the part of the Apache 
OpenOffice project.

I personally want to acknowledge the forbearance of TDF and the LibreOffice security team in 
holding back so that the Apache OpenOffice team had this opportunity serve those who continue to 
operate with OpenOffice 3.3.0 and earlier releases.

 - Dennis

-----Original Message-----
From: lohmaier@googlemail.com [mailto:lohmaier@googlemail.com] On Behalf Of Christian Lohmaier
Sent: Friday, March 23, 2012 05:24
To: discuss@documentfoundation.org
Subject: Re: [tdf-discuss] Re: Security Advisories

Hi NoOp,

On Fri, Mar 23, 2012 at 2:56 AM, NoOp <glgxg@sbcglobal.net> wrote:
> On 03/22/2012 06:31 PM, Italo Vignoli wrote:
> > NoOp wrote:
> >
> > > It would be nice if someone 'official' (ala TDF) could post the
> > > CVE-2012-0037 notice on both the user and announce lists.

The public was not supposed to know of this CVE, people should be
given time to update to the fixed version before.

[ ... ]

But Apache-OOo made it public on their list, so we also had to make
the info available.
http://mail-archives.apache.org/mod_mbox/incubator-ooo-dev/201203.mbox/%3CCAP-ksoj7o5%2B2YH-E4XzR044V0e3YZfZvuef7eJuNGhdy%2Bk9kyA%40mail.gmail.com%3E


> Neither do the release logs or release notes.

As above - this was intentional. No details about the security fixes
until the upstream project makes the CVE public (the bug is in a
third-party component that is shipped along with LibreOffice).

That of course doesn't mean it shouldn't be added now that the CVE is public.

ciao
Christian

-- 
Unsubscribe instructions: E-mail to discuss+help@documentfoundation.org
Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
List archive: http://listarchives.documentfoundation.org/www/discuss/
All messages sent to this list will be publicly archived and cannot be deleted


-- 
Unsubscribe instructions: E-mail to discuss+help@documentfoundation.org
Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
List archive: http://listarchives.documentfoundation.org/www/discuss/
All messages sent to this list will be publicly archived and cannot be deleted