Re: July board report.

2015-06-30 Thread Simon Phipps
On Tue, Jun 30, 2015 at 12:51 PM, jan i j...@apache.org wrote:

 Hi.

 It is again time to make a board report, you can find my proposal at
 https://cwiki.apache.org/confluence/display/OOOUSERS/2015+July

 comments and changes are welcome.


Should the fact CVE-2015-1774 is still unresolved in the released version
be mentioned?

Best regards

Simon


Re: July board report.

2015-06-30 Thread Simon Phipps
On Tue, Jun 30, 2015 at 1:38 PM, jan i j...@apache.org wrote:

 On 30 June 2015 at 13:54, Simon Phipps si...@webmink.com wrote:

  On Tue, Jun 30, 2015 at 12:51 PM, jan i j...@apache.org wrote:
 
   Hi.
  
   It is again time to make a board report, you can find my proposal at
   https://cwiki.apache.org/confluence/display/OOOUSERS/2015+July
  
   comments and changes are welcome.
  
 
  Should the fact CVE-2015-1774 is still unresolved in the released version
  be mentioned?
 
 It is kind of obvious, no new release so of course it is still unresolved.


The previous Board report was issued just before the CVE was made public,
and is thus not mentioned. Given it's been unresolved for four months, two
public, shouldn't it be mentioned this time?

Thanks,

Simon


July board report.

2015-06-30 Thread jan i
Hi.

It is again time to make a board report, you can find my proposal at
https://cwiki.apache.org/confluence/display/OOOUSERS/2015+July

comments and changes are welcome.

disclaimer: if you make changes directly in the report, the wording might be
changed.

I intend to submit the report with changes Sunday 5th July.

rgds
jan i.


Re: July board report.

2015-06-30 Thread jan i
On 30 June 2015 at 13:54, Simon Phipps si...@webmink.com wrote:

 On Tue, Jun 30, 2015 at 12:51 PM, jan i j...@apache.org wrote:

  Hi.
 
  It is again time to make a board report, you can find my proposal at
  https://cwiki.apache.org/confluence/display/OOOUSERS/2015+July
 
  comments and changes are welcome.
 

 Should the fact CVE-2015-1774 is still unresolved in the released version
 be mentioned?

It is kind of obvious: no new release, so of course it is still unresolved.

However, we have provided a workaround description, which seems to be
sufficient.

rgds
jan i.



 Best regards

 Simon



Re: July board report.

2015-06-30 Thread jan i
On 30 June 2015 at 14:45, Simon Phipps si...@webmink.com wrote:

 On Tue, Jun 30, 2015 at 1:38 PM, jan i j...@apache.org wrote:

  On 30 June 2015 at 13:54, Simon Phipps si...@webmink.com wrote:
 
   On Tue, Jun 30, 2015 at 12:51 PM, jan i j...@apache.org wrote:
  
Hi.
   
It is again time to make a board report, you can find my proposal at
https://cwiki.apache.org/confluence/display/OOOUSERS/2015+July
   
comments and changes are welcome.
   
  
   Should the fact CVE-2015-1774 is still unresolved in the released
 version
   be mentioned?
  
  It is kind of obvious, no new release so of course it is still
 unresolved.
 

 The previous Board report was issued just before the CVE was made public,
 and is thus not mentioned. Given it's been unresolved for four months, two
 public, shouldn't it be mentioned this time?


Allow me to correct your statement: it is not unresolved. We discussed it on this
list and a workaround has been provided. That is the important part; had we
not issued a workaround (and please do remember the theoretical nature of
the problem), then it would have been escalated through other channels.

But apart from that, it is not customary to mention CVEs in board reports,
independent of their status.

I have nothing against mentioning it, if the community at large feels it is
needed, even though it would be exceptional.

rgds
jan i.




 Thanks,

 Simon



Re: July board report.

2015-06-30 Thread Marcus

On 06/30/2015 01:51 PM, jan i wrote:

It is again time to make a board report, you can find my proposal at
https://cwiki.apache.org/confluence/display/OOOUSERS/2015+July

comments and changes are welcome.


just a spontaneous suggestion for the moment:

Release 4.1.2:
I would move the "we have a release manager" part down to the release
section as IMHO it belongs there.


Marcus

-
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org



Re: CVE-2015-1774 (was: July board report)

2015-06-30 Thread Simon Phipps
On Tue, Jun 30, 2015 at 5:23 PM, Dennis E. Hamilton dennis.hamil...@acm.org wrote:

 THE TL;DR:

 I agree.  The extensive lag to availability of 4.1.2 is far more pertinent
 at the level of the Board Report.  The existence of CVE-2015-1774 does not
 change that and should not overshadow it.

 I think featuring CVE-2015-1774 in the report exaggerates its importance
 and ignores the deliberation that accompanied our announcement of a
 straightforward CVE-2015-1774 mitigation, 
 http://www.openoffice.org/security/cves/CVE-2015-1774.html.


I would largely agree, although I still believe the CVE and its mitigation
should be documented at http://www.openoffice.org/download/ as there is a
negligible chance any user downloading AOO will see it otherwise and I
believe the risk is greater than is being recognised.



 MORE MUSINGS

 We are not talking about a defect for which there is a known exploit and
 there would be very few users, if any, who might encounter one, were one
 worth developing.

 While Simon has expressed his own perspective on how dangerous the related
 defect is and what users are exposed to, that is not the consensus of the
 AOO security team and those who have oversight on its deliberations.  That
 does not mean we shouldn't take further steps.  It just means we have
 concluded there is no emergency.



 It would probably be a simpler and more-fruitful action to simply make
 this web page, http://www.openoffice.org/security/, the bulletins, and
 their translations more prominent and easily found on our web site.

 Also, with respect to CVE-2015-1774, I think the population of concern is
 those who use old (ca. 1999 and earlier) Korean-language HWP documents and
 are happily using OO.o 2.4 through 3.4 releases, remaining ignorant of AOO
 4.1.2 and already-repaired LibreOffice distributions.


If a malicious party were to create an HWP file crafted to exploit the
vulnerability but then distribute it with another extension (say .ODT), AOO
would still open it. I thus believe that there are two populations of
concern:

   1. Users of HWP files on any existing version of AOO and predecessors.
   This is alleged to be a small population, and I have no reason to disagree.
   Were this the only population of concern I would agree that the risk would
   be minimal.
   2. All users of any distributed version of AOO and predecessors where
   the documented mitigation has not been applied are also vulnerable to the
   creation of a malicious HWP renamed with a benign file extension. There is
   no known exploit at present, but as the population of users with the
   vulnerability grows the risk increases.

We can do what we are able to do, when we do it, yet there is little to be
 done for folks who have no desire or even means to replace their OpenOffice
 software.


I agree that we can only do what we have the resources to do. However, I
continue to believe we are not taking all the steps we could to ensure that
the second population of concern are adequately informed even if we do not
have the resources to protect them.

S.
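The renamed-HWP scenario Simon describes above, as an added defender-side example that is not part of the thread or of the OpenOffice project: a content sniffer that recognises a legacy (pre-5.0) HWP document from its header regardless of the filename, so a gateway or endpoint policy can decide on content rather than on extension. The legacy HWP signature prefix and the sample files are assumptions constructed for this example.

```python
import os

# ASSUMPTION: legacy Hangul Word Processor files (the format read by the
# filter affected by CVE-2015-1774) start with the ASCII text
# "HWP Document File V<version>" followed by a version-specific trailer.
# Only the textual prefix is matched here.
HWP_LEGACY_PREFIX = b"HWP Document File V"


def sniff_document(data: bytes) -> str:
    """Return a coarse type label derived from content, never from the name."""
    head = data[:32]
    if head.startswith(HWP_LEGACY_PREFIX):
        return "hwp-legacy"
    if head.startswith(b"PK\x03\x04"):
        return "zip-container"     # ODF and OOXML packages are zip archives
    if head.startswith(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"):
        return "ole2-container"    # binary MS Office and HWP 5.x
    return "unknown"


def assess(filename: str, data: bytes) -> dict:
    """Compare the content-derived type with what the extension promises.

    Because the application opens files by content, a legacy HWP body is
    treated as HWP whatever its name; the extension only decides whether
    to additionally flag a mismatch worth investigating.
    """
    ext = os.path.splitext(filename)[1].lower()
    sniffed = sniff_document(data)
    is_hwp = sniffed == "hwp-legacy"
    return {
        "name": filename,
        "extension": ext,
        "sniffed": sniffed,
        "legacy_hwp": is_hwp,
        "extension_mismatch": is_hwp and ext != ".hwp",
        # Policy decision follows content, mirroring the application's own
        # behaviour: hold legacy HWP until the documented mitigation applies.
        "action": "quarantine" if is_hwp else "allow",
    }


# Constructed sample inputs (not real documents).
SAMPLES = {
    "report.hwp": b"HWP Document File V3.00 " + b"\x00" * 40,
    "invoice.odt": b"HWP Document File V3.00 " + b"\x00" * 40,  # renamed HWP
    "minutes.odt": b"PK\x03\x04" + b"\x00" * 60,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(assess(name, blob))
```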


RE: July board report [and CVE-2015-1774].

2015-06-30 Thread Dennis E. Hamilton
THE TL;DR:

I agree.  The extensive lag to availability of 4.1.2 is far more pertinent at 
the level of the Board Report.  The existence of CVE-2015-1774 does not change 
that and should not overshadow it.

I think featuring CVE-2015-1774 in the report exaggerates its importance and 
ignores the deliberation that accompanied our announcement of a straightforward 
CVE-2015-1774 mitigation, 
http://www.openoffice.org/security/cves/CVE-2015-1774.html.

 - Dennis

MORE MUSINGS

We are not talking about a defect for which there is a known exploit and there 
would be very few users, if any, who might encounter one, were one worth 
developing.  

While Simon has expressed his own perspective on how dangerous the related 
defect is and what users are exposed to, that is not the consensus of the AOO 
security team and those who have oversight on its deliberations.  That does not 
mean we shouldn't take further steps.  It just means we have concluded there is 
no emergency.
 
It would probably be a simpler and more-fruitful action to simply make this web 
page, http://www.openoffice.org/security/, the bulletins, and their 
translations more prominent and easily found on our web site.

Also, with respect to CVE-2015-1774, I think the population of concern is those 
who use old (ca. 1999 and earlier) Korean-language HWP documents and are 
happily using OO.o 2.4 through 3.4 releases, remaining ignorant of AOO 4.1.2 
and already-repaired LibreOffice distributions.  

We can do what we are able to do, when we do it, yet there is little to be done 
for folks who have no desire or even means to replace their OpenOffice software.


-Original Message-
From: jan i [mailto:j...@apache.org] 
Sent: Tuesday, June 30, 2015 06:20
To: dev@openoffice.apache.org
Subject: Re: July board report.

On 30 June 2015 at 14:45, Simon Phipps si...@webmink.com wrote:

 On Tue, Jun 30, 2015 at 1:38 PM, jan i j...@apache.org wrote:

  On 30 June 2015 at 13:54, Simon Phipps si...@webmink.com wrote:
 
   On Tue, Jun 30, 2015 at 12:51 PM, jan i j...@apache.org wrote:
  
Hi.
   
It is again time to make a board report, you can find my proposal at
https://cwiki.apache.org/confluence/display/OOOUSERS/2015+July
   
comments and changes are welcome.
   
  
   Should the fact CVE-2015-1774 is still unresolved in the released
 version
   be mentioned?
  
  It is kind of obvious, no new release so of course it is still
 unresolved.
 

 The previous Board report was issued just before the CVE was made public,
 and is thus not mentioned. Given it's been unresolved for four months, two
 public, shouldn't it be mentioned this time?


Allow me to correct your statement: it is not unresolved. We discussed it on this
list and a workaround has been provided. That is the important part; had we
not issued a workaround (and please do remember the theoretical nature of
the problem), then it would have been escalated through other channels.

But apart from that, it is not customary to mention CVEs in board reports,
independent of their status.

I have nothing against mentioning it, if the community at large feels it is
needed, even though it would be exceptional.

rgds
jan i.




 Thanks,

 Simon






Re: CVE-2015-1774 (was: July board report)

2015-06-30 Thread Kay Schenk
On Tue, Jun 30, 2015 at 9:54 AM, Simon Phipps si...@webmink.com wrote:

 On Tue, Jun 30, 2015 at 5:23 PM, Dennis E. Hamilton dennis.hamil...@acm.org wrote:

  THE TL;DR:
 
  I agree.  The extensive lag to availability of 4.1.2 is far more
 pertinent
  at the level of the Board Report.  The existence of CVE-2015-1774 does
 not
  change that and should not overshadow it.
 
  I think featuring CVE-2015-1774 in the report exaggerates its importance
  and ignores the deliberation that accompanied our announcement of a
  straightforward CVE-2015-1774 mitigation, 
  http://www.openoffice.org/security/cves/CVE-2015-1774.html.
 
 
 I would largely agree, although I still believe the CVE and its mitigation
 should be documented at http://www.openoffice.org/download/ as there is a
 negligible chance any user downloading AOO will see it otherwise and I
 believe the risk is greater than is being recognised.


A reasonable suggestion I think.  As it's been pointed out, there is little
impact on the great majority of our users, but, additional information for
new downloads is a good idea.




  MORE MUSINGS
 
  We are not talking about a defect for which there is a known exploit and
  there would be very few users, if any, who might encounter one, were one
  worth developing.
 
  While Simon has expressed his own perspective on how dangerous the
 related
  defect is and what users are exposed to, that is not the consensus of the
  AOO security team and those who have oversight on its deliberations.
 That
  does not mean we shouldn't take further steps.  It just means we have
  concluded there is no emergency.



  It would probably be a simpler and more-fruitful action to simply make
  this web page, http://www.openoffice.org/security/, the bulletins, and
  their translations more prominent and easily found on our web site.
 
  Also, with respect to CVE-2015-1774, I think the population of concern is
  those who use old (ca. 1999 and earlier) Korean-language HWP documents
 and
  are happily using OO.o 2.4 through 3.4 releases, remaining ignorant of
 AOO
  4.1.2 and already-repaired LibreOffice distributions.
 

 If a malicious party were to create an HWP file crafted to exploit the
 vulnerability but then distribute it with another extension (say .ODT), AOO
 would still open it. I thus believe that there are two populations of
 concern:

1. Users of HWP files on any existing version of AOO and predecessors.
This is alleged to be a small population, and I have no reason to
 disagree.
Were this the only population of concern I would agree that the risk
 would
be minimal.
2. All users of any distributed version of AOO and predecessors where
the documented mitigation has not been applied are also vulnerable to
 the
creation of a malicious HWP renamed with a benign file extension. There
 is
no known exploit at present, but as the population of users with the
vulnerability grows the risk increases.

 We can do what we are able to do, when we do it, yet there is little to be
  done for folks who have no desire or even means to replace their
 OpenOffice
  software.
 

 I agree that we can only do what we have the resources to do. However, I
 continue to believe we are not taking all the steps we could to ensure that
 the second population of concern are adequately informed even if we do not
 have the resources to protect them.

 S.




-- 
-
MzK

We can all sleep easy at night knowing that
 somewhere at any given time,
 the Foo Fighters are out there fighting Foo.
 -- David Letterman


Re: July board report.

2015-06-30 Thread jan i
On 30 June 2015 at 17:44, Marcus marcus.m...@wtnet.de wrote:

 On 06/30/2015 01:51 PM, jan i wrote:

 It is again time to make a board report, you can find my proposal at
 https://cwiki.apache.org/confluence/display/OOOUSERS/2015+July

 comments and changes are welcome.


 just a spontaneous suggestion for the moment:

 Release 4.1.2:
 I would move the "we have a release manager" part down to the release
 section as IMHO it belongs there.

good catch, will do that.

rgds
jan i.



 Marcus





Re: July Board report (draft)

2014-07-11 Thread Andrea Pescetti

On 10/07/2014 Hagar Delest wrote:

Sorry for being late, I've added a few words for the forum about the
online users records and the header.


Thanks, I've now sent the report. And indeed, I confirm we have had the 
new header in place at https://forum.openoffice.org/en/forum/ since last 
weekend!


But I hadn't announced it yet since a quick administrator help is needed 
to refresh the CSS (they are already correct, but they need to be 
refreshed from the admin interface): this will make the slogan (User 
community support forum...) more visible, blue instead of white. I 
think imacat will take care of it as soon as she can.


Regards,
  Andrea.




Re: July Board report (draft)

2014-07-10 Thread Hagar Delest

Sorry for being late, I've added a few words for the forum about the online 
users records and the header.

Hagar


On 08/07/2014 18:54, Kay Schenk wrote:

On Mon, Jul 7, 2014 at 7:41 PM, Peter Junge peter.ju...@gmx.org wrote:



On 08/07/14 05:23, Andrea Pescetti wrote:


It's report time again. The report for April, May, and June is available
in draft at

https://cwiki.apache.org/confluence/display/OOOUSERS/2014+Jul

Feel free to complete and make corrections. It is due in a couple days.



Looks good to me.

/Peter



Also good from my standpoint. I thought perhaps some of our native language
groups had participated in some events over the last few months that we
might want to mention as well. But, we would need input from
representatives of those areas to provide information via this list.






Regards,
Andrea.














Re: July Board report (draft)

2014-07-08 Thread Kay Schenk
On Mon, Jul 7, 2014 at 7:41 PM, Peter Junge peter.ju...@gmx.org wrote:


 On 08/07/14 05:23, Andrea Pescetti wrote:

 It's report time again. The report for April, May, and June is available
 in draft at

 https://cwiki.apache.org/confluence/display/OOOUSERS/2014+Jul

 Feel free to complete and make corrections. It is due in a couple days.


 Looks good to me.

 /Peter


Also good from my standpoint. I thought perhaps some of our native language
groups had participated in some events over the last few months that we
might want to mention as well. But, we would need input from
representatives of those areas to provide information via this list.




 Regards,
Andrea.







-- 
-
MzK

To be trusted is a greater compliment than being loved.
   -- George MacDonald


July Board report (draft)

2014-07-07 Thread Andrea Pescetti
It's report time again. The report for April, May, and June is available 
in draft at


https://cwiki.apache.org/confluence/display/OOOUSERS/2014+Jul

Feel free to complete and make corrections. It is due in a couple days.

Regards,
  Andrea.




Re: July Board report (draft)

2014-07-07 Thread Peter Junge


On 08/07/14 05:23, Andrea Pescetti wrote:

It's report time again. The report for April, May, and June is available
in draft at

https://cwiki.apache.org/confluence/display/OOOUSERS/2014+Jul

Feel free to complete and make corrections. It is due in a couple days.


Looks good to me.

/Peter



Regards,
   Andrea.



