Michael,

When will the real CVE-2011-2713, <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2713>, stand up and provide whatever clarity there is to be had about the specific nature of the defect and the kind of exploit it was vulnerable to until fixed in LO 3.4.3?

Until it is possible to comprehend CVE-2011-2713, it is difficult to square the higher-level report that credits the original reporter while that reporter has a different appraisal at <https://bugzilla.redhat.com/show_bug.cgi?id=725668>.

It would be helpful all around were that cleared up enough so that users of earlier versions can make a responsible assessment and determine whether they have an at-risk circumstance or not. Absent that, the best advice that can be offered from Apache AOOo is what I provided to the question that brought the TDF announcement to our attention, <http://mail-archives.apache.org/mod_mbox/incubator-ooo-dev/201110.mbox/%[email protected]%3e>.

How can you help us to get this flat and proceed on a fact-based course of action and clear-cut, verifiable information that users can rely on with regard to their exposure related to the CVE?

- Dennis

-----Original Message-----
From: Michael Meeks [mailto:[email protected]]
Sent: Monday, October 10, 2011 13:41
To: [email protected]
Subject: Re: Vulnerability fixed in LibreOffice

[ ... ]

Potentially you confuse the issue that was found with the rather broader scope of the fix that was applied for it.

[ ... ]
