Re: [REPORT] CVE-2016-1513 Security Advisory

2016-09-01 Thread Marcus

Great to see that this issue is solved finally.

Thanks to everyone who was involved. I want to express a special thanks 
to the developers Patricia, Damjan and Ariel for creating the binary 
files and Dennis for his coordination.


:-)

Marcus



On 08/30/2016 05:46 PM, Dennis E. Hamilton wrote:

[BCC PMC]

Today, Version 2.0 of the Advisory for CVE-2016-1513 has been issued.

There is now general availability of a Hotfix that can be downloaded and 
applied to installations of Apache OpenOffice 4.1.2.  The Hotfix details can be 
found at
<http://archive.apache.org/dist/openoffice/4.1.2-patch1/hotfix.html>.

Please review the README instructions before deciding to download and apply the 
Hotfix.

  - Dennis


-Original Message-
From: Dennis E. Hamilton [mailto:orc...@apache.org]
Sent: Thursday, July 21, 2016 09:43
To: dev@openoffice.apache.org
Subject: [REPORT] CVE-2016-1513 Security Advisory

[BCC AOO Users; BCC AOO PMC]

Today, advisory CVE-2016-1513 has been published with regard to
disclosure of a potentially-exploitable defect in crafted Impress
documents.  The advisory can be found at
<http://www.openoffice.org/security/cves/CVE-2016-1513.html>.

There is no updated release at this time.  There is action underway.  We
can now discuss those actions and also seek assistance in the wider
community.


[ ... ]


-
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org



RE: [REPORT] CVE-2016-1513 Security Advisory

2016-08-30 Thread Dennis E. Hamilton


> -Original Message-
> From: Rodrigo Marin-Rogers [mailto:rodmarog...@gmail.com]
> Sent: Tuesday, August 30, 2016 16:44
> To: annou...@openoffice.apache.org; orc...@apache.org
> Subject: Re: [REPORT] CVE-2016-1513 Security Advisory
> 
> Dear Dennis:
> 
>  The hotfix download and installation process is quite long and
> complicated for the general users who are not developers.  Why don't you
> just create a new version with the hotfix already included?  It would be
> much easier to download.  I've lost several documents that showed as
> corrupt when I tried to reopen them, then I suspected that something like
> this was happening, so I deleted them from my computer.
> 
>   Thank you for your kind concern.  Please let me know if you create
> such a new version!
> 
> Truly yours,
> 
> 
> 
>   Rodrigo.
[orcmid] 

Thank you for the feedback, Rodrigo.

It may be months before there is a full update for Apache OpenOffice.  The 
hotfixes are for those able to make use of them in the meantime.  The reason we 
make the README files available to be read first is so folks can calibrate 
whether they want to go through it or not.

With regard to your document corruption experience, that is not the behavior 
associated with the CVE-2016-1513 vulnerability.  They were probably damaged in 
the Save process.  That is not unknown.

 - Dennis
> 
> 
> On Tue, Aug 30, 2016 at 9:46 AM, Dennis E. Hamilton <orc...@apache.org
> <mailto:orc...@apache.org> > wrote:
> 
> 
>   [BCC PMC]
> 
>   Today, Version 2.0 of the Advisory for CVE-2016-1513 has been issued.
> 
>   There is now general availability of a Hotfix that can be
> downloaded and applied to installations of Apache OpenOffice 4.1.2.  The
> Hotfix details can be found at
>   <http://archive.apache.org/dist/openoffice/4.1.2-patch1/hotfix.html
> <http://archive.apache.org/dist/openoffice/4.1.2-patch1/hotfix.html> >.
> 
>   Please review the README instructions before deciding to download
> and apply the Hotfix.
[ ... ]






RE: [REPORT] CVE-2016-1513 Security Advisory

2016-08-30 Thread Dennis E. Hamilton
[BCC PMC]

Today, Version 2.0 of the Advisory for CVE-2016-1513 has been issued.

There is now general availability of a Hotfix that can be downloaded and 
applied to installations of Apache OpenOffice 4.1.2.  The Hotfix details can be 
found at 
<http://archive.apache.org/dist/openoffice/4.1.2-patch1/hotfix.html>.

Please review the README instructions before deciding to download and apply the 
Hotfix.

 - Dennis

> -Original Message-
> From: Dennis E. Hamilton [mailto:orc...@apache.org]
> Sent: Thursday, July 21, 2016 09:43
> To: dev@openoffice.apache.org
> Subject: [REPORT] CVE-2016-1513 Security Advisory
> 
> [BCC AOO Users; BCC AOO PMC]
> 
> Today, advisory CVE-2016-1513 has been published with regard to
> disclosure of a potentially-exploitable defect in crafted Impress
> documents.  The advisory can be found at
> <http://www.openoffice.org/security/cves/CVE-2016-1513.html>.
> 
> There is no updated release at this time.  There is action underway.  We
> can now discuss those actions and also seek assistance in the wider
> community.
> 
[ ... ]





[REPORT] CVE-2016-1513 Security Advisory

2016-07-21 Thread Dennis E. Hamilton
[BCC AOO Users; BCC AOO PMC]

Today, advisory CVE-2016-1513 has been published with regard to disclosure of a 
potentially-exploitable defect in crafted Impress documents.  The advisory can 
be found at <http://www.openoffice.org/security/cves/CVE-2016-1513.html>.

There is no updated release at this time.  There is action underway.  We can 
now discuss those actions and also seek assistance in the wider community.

NEXT STEPS

As indicated in the advisory, a patch is already known and available for 
developer use.

In addition, the Apache OpenOffice security team has developed candidate "hot 
fix" binaries.  These are single shared-library files that can be manually 
installed by users in place of the same file in the program directory of their 
Apache OpenOffice 4.1.2 installation.

There are two crucial concerns for the eventual release of a hotfix in this 
manner.  First, we must have more testing of the hotfix substitution to ensure 
that there is no regression of any kind.  Secondly, the introduction of a 
hotfix is something that casual users must be able to perform with confidence 
and reliability.  For that, we need to ensure that the procedures provided are 
complete and reliable (and that users have a way to recover from any misstep).  
So we also require community assistance in reviewing, applying, and revising 
the procedure.

Ultimately, the preferable solution is to have an automatic installer for the 
hotfix that does not require manual manipulations in operating-system file 
locations.  Because localization does not appear to be relevant to this fix, 
that is easier than producing complete localized distributions for all 
platforms and languages.

Additional information and details for participating in the assurance of the 
available hotfix replacements will be provided over the next couple of days.

Thank you for your continuing support and reliance on Apache OpenOffice.

 - Dennis E. Hamilton
   Chair, Apache OpenOffice Project Management Committee



