THE TL;DR:

I agree.  The extensive lag to availability of 4.1.2 is far more pertinent at 
the level of the Board Report.  The existence of CVE-2015-1774 does not change 
that and should not overshadow it.

I think featuring CVE-2015-1774 in the report exaggerates its importance and 
ignores the deliberation that accompanied our announcement of a straightforward 
CVE-2015-1774 mitigation, 
<http://www.openoffice.org/security/cves/CVE-2015-1774.html>.

 - Dennis

MORE MUSINGS

We are not talking about a defect for which there is a known exploit and there 
would be very few users, if any, who might encounter one, were one worth 
developing.  

While Simon has expressed his own perspective on how dangerous the related 
defect is and what users are exposed to, that is not the consensus of the AOO 
security team and those who have oversight on its deliberations.  That does not 
mean we shouldn't take further steps.  It just means we have concluded there is 
no emergency.
 
It would probably be a simpler and more-fruitful action to simply make this web 
page, <http://www.openoffice.org/security/>, the bulletins, and their 
translations more prominent and easily found on our web site.

Also, with respect to CVE-2015-1774, I think the population of concern is those 
who use old (ca. 1999 and earlier) Korean-language HWP documents and are 
happily using OO.o 2.4 through 3.4 releases, remaining ignorant of AOO 4.1.2 
and already-repaired LibreOffice distributions.  

We can do what we are able to do, when we do it, yet there is little to be done 
for folks who have no desire or even means to replace their OpenOffice software.


-----Original Message-----
From: jan i [mailto:j...@apache.org] 
Sent: Tuesday, June 30, 2015 06:20
To: dev@openoffice.apache.org
Subject: Re: July board report.

On 30 June 2015 at 14:45, Simon Phipps <si...@webmink.com> wrote:

> On Tue, Jun 30, 2015 at 1:38 PM, jan i <j...@apache.org> wrote:
>
> > On 30 June 2015 at 13:54, Simon Phipps <si...@webmink.com> wrote:
> >
> > > On Tue, Jun 30, 2015 at 12:51 PM, jan i <j...@apache.org> wrote:
> > >
> > > > Hi.
> > > >
> > > > It is again time to make a board report, you can find my proposal at
> > > > https://cwiki.apache.org/confluence/display/OOOUSERS/2015+July
> > > >
> > > > comments and changes are welcome.
> > > >
> > >
> > > Should the fact CVE-2015-1774 is still unresolved in the released version
> > > be mentioned?
> > >
> > It is kind of obvious, no new release so of course it is still unresolved.
> >
>
> The previous Board report was issued just before the CVE was made public,
> and is thus not mentioned. Given it's been unresolved for four months, two
> public, shouldn't it be mentioned this time?
>

Allow me to correct your statement: it is not unresolved. We discussed it on this
list and a workaround has been provided. That is the important part; had we
not issued a workaround (and please do remember the theoretical nature of
the problem), then it would have been escalated through other channels.

But apart from that, it is not customary to mention CVEs in board reports,
independent of their status.

I have nothing against mentioning it, if the community at large feels it is
needed, even though it would be exceptional.

rgds
jan i.

>
> Thanks,
>
> Simon
>


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org