This is an update on arrangements to have a common place by which different security teams are able to share and coordinate analysis and resolution of potentially-common security vulnerabilities.
The private ooo-security@ incubator.apache.org list is now set up as a subscriber to the securityteam@ openoffice.org list. The main security@ apache.org list is automatically a subscriber to ooo-security@ i.a.o, and will also see material from securityteam@ OO.o. This provides a direct channel by which ooo-security@ i.a.o (and security@ apache.org) will be informed of sensitive security-related matters being reported and discussed in the securityteam@ forum. This should significantly reduce the possibility that any issue that impacts the safety of Apache OOo releases goes unrecognized and unreported. In the event that an issue becomes known to ooo-security independently, it will be shared with securityteam@ OO.o.

I want to clarify why this coordination is done privately and, for the Apache OOo podling, confined within the PPMC. Premature disclosure of an exploitable defect is essentially an open invitation for unscrupulous creation and application of exploits. This means that defects which are identified as exploitable are withheld from public issue trackers and even from the publicly-visible changes to the code base. No mention of vulnerability and exploitation is made in the public operations. The goal is to have the repair identified and the fix (or new release, when patches are not provided) on its way before disclosing any information about there being an associated vulnerability. (Known, active exploits require emergency measures outside this practice, leading to advisories in advance of any repair in some cases.)

Apache has extensive experience with the appropriate procedures, and has a strong security team, <http://www.apache.org/security/>. The Apache AOOo security team and the PPMC are guided by the practices and procedures established by the Apache security team, <http://www.apache.org/security/committers.html>.
WHAT YOU'LL SEE ABOUT SECURITY ISSUES

In general, only vulnerabilities that are confirmed and that apply to Apache AOOo code will be disclosed in any public location such as the ooo-dev and ooo-users lists. Reports will be on user lists, the web site, and the project blog, among other locations. It is typical for there to be a CVE (Common Vulnerabilities and Exposures) identification associated with a vulnerability. These identifiers are managed by a naming authority that also provides information for each issued CVE identifier. For example, CVE-2008-2370 is a typical notification related to an Apache project, <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2370>. CVE registrations are not the same as advisories and security-update announcements, such as this one from a downstream dependency impacted by vulnerability CVE-2008-2370: <https://rhn.redhat.com/errata/RHSA-2008-0862.html>. A CVE can be linked to the advisories that reference it, as is the case with CVE-2008-2370.

 - Dennis
