Re: [tdf-discuss] LibreOffice and Java Security: OpenJDK Vulnerability

2013-01-18 Thread Jonathan Aquilina
I can confirm that that is what's already happening in Firefox; it seems like
Safari and Mac OS X will pop up an error asking if you want to update, block,
or update later in terms of the Java version.


On Fri, Jan 18, 2013 at 8:15 PM, Dennis E. Hamilton wrote:

> <http://lists.grok.org.uk/pipermail/full-disclosure/2013-January/089440.html>
>
> It appears that the particular reflection feature in Java 7 is the
> security-exploit gift that just keeps on giving.  The answer is still to
> disable Java plug-ins in browsers and have Java installed only if you
> depend on it for something (certain LibreOffice extensions, Base, other
> Java-based applications, etc.).
>
> -Original Message-
> From: Dennis E. Hamilton [mailto:dennis.hamil...@acm.org]
> Sent: Wednesday, January 16, 2013 09:10
> To: 'Simon Phipps'
> Cc: 'lj'; 'Libreoffice Discussion List'
> Subject: RE: [tdf-discuss] LibreOffice and Java Security: OpenJDK
> Vulnerability
>
> Simon has just provided a superb account of the Java security problem in
> an InfoWorld blog post today:
> <http://www.infoworld.com/t/java-programming/why-fixing-the-java-flaw-will-take-so-long-210946>.
>
> I find this more-technical analysis to be plausible as well, and Simon's
> report provides context that makes it a bit more understandable:
> <http://lists.grok.org.uk/pipermail/full-disclosure/2013-January/089375.html>.
>
> [ ... ]
>
> For users of openoffice-lineage software, I am not sure what the concern
> should be.  Disabling Java browser plugins seems prudent.  It may be
> inevitable that web sites will cease depending on users employing such
> plugins with the famed Java Applet disappearing into history.
>
> [ ... ]
>
> -Original Message-
> From: Simon Phipps [mailto:si...@webmink.com]
> Sent: Tuesday, January 15, 2013 19:29
> To: Dennis Hamilton
> Cc: lj; Libreoffice Discussion List
> Subject: Re: [tdf-discuss] LibreOffice and Java Security: OpenJDK
> Vulnerability
>
> I'm investigating, but the issue is a sandbox security manager bypass using
> unauthorised reflection and that's exploited using Rhino Javascript. So the
> context has to be a browser for there to be an issue even if OpenJDK is
> affected. See https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-0422 for
> lots of data...
>
> S.
>
>
> [ ... ]
>
>
> --
> Unsubscribe instructions: E-mail to discuss+h...@documentfoundation.org
> Problems?
> http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
> Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
> List archive: http://listarchives.documentfoundation.org/www/discuss/
> All messages sent to this list will be publicly archived and cannot be
> deleted
>



-- 
Jonathan Aquilina




RE: [tdf-discuss] LibreOffice and Java Security: OpenJDK Vulnerability

2013-01-18 Thread Dennis E. Hamilton


<http://lists.grok.org.uk/pipermail/full-disclosure/2013-January/089440.html>

It appears that the particular reflection feature in Java 7 is the
security-exploit gift that just keeps on giving.  The answer is still to 
disable Java plug-ins in browsers and have Java installed only if you depend on 
it for something (certain LibreOffice extensions, Base, other Java-based 
applications, etc.).

-Original Message-
From: Dennis E. Hamilton [mailto:dennis.hamil...@acm.org] 
Sent: Wednesday, January 16, 2013 09:10
To: 'Simon Phipps'
Cc: 'lj'; 'Libreoffice Discussion List'
Subject: RE: [tdf-discuss] LibreOffice and Java Security: OpenJDK Vulnerability

Simon has just provided a superb account of the Java security problem in an 
InfoWorld blog post today:
<http://www.infoworld.com/t/java-programming/why-fixing-the-java-flaw-will-take-so-long-210946>.

I find this more-technical analysis to be plausible as well, and Simon's report 
provides context that makes it a bit more understandable:
<http://lists.grok.org.uk/pipermail/full-disclosure/2013-January/089375.html>.

[ ... ]

For users of openoffice-lineage software, I am not sure what the concern should 
be.  Disabling Java browser plugins seems prudent.  It may be inevitable that
web sites will cease depending on users employing such plugins with the famed 
Java Applet disappearing into history.

[ ... ]

-Original Message-
From: Simon Phipps [mailto:si...@webmink.com] 
Sent: Tuesday, January 15, 2013 19:29
To: Dennis Hamilton
Cc: lj; Libreoffice Discussion List
Subject: Re: [tdf-discuss] LibreOffice and Java Security: OpenJDK Vulnerability

I'm investigating, but the issue is a sandbox security manager bypass using
unauthorised reflection and that's exploited using Rhino Javascript. So the
context has to be a browser for there to be an issue even if OpenJDK is
affected. See https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-0422 for
lots of data...

S.


[ ... ]




[tdf-discuss] Re: [board-discuss] TDF @ End of 2012

2013-01-18 Thread Italo Vignoli
On 1/18/13 10:14 AM, Tom Davies wrote:

> They have that famous by-line/strap-line/whatever.  Can we use that?
> Can we include "Intel the power inside" (or whatever the line was)?

No, we definitely can't, as this is a trademark for Intel.

-- 
Italo Vignoli - italo.vign...@gmail.com
mob +39.348.5653829 - VoIP 5316...@messagenet.it
skype italovignoli - gtalk italo.vign...@gmail.com
