[libreoffice-users] CVE-2012-0337
Using both LO and OOo, I'm aware of the need to patch this vulnerability for both. What I don't know is what is the status of this with respect to LO. I presently have 3.5.1-102 and 3.4.5.502. I did not see anything mentioned about this on the LO main page. It would be nice to have a statement on the home page when it was fixed for 3.4.x and 3.5.x. It would be nice to have something on this mailing list.

--Dan

--
For unsubscribe instructions e-mail to: users+h...@global.libreoffice.org
Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
List archive: http://listarchives.libreoffice.org/global/users/
All messages sent to this list will be publicly archived and cannot be deleted
Re: [libreoffice-users] CVE-2012-0337
On Fri, 2012-03-23 at 07:55 -0400, Dan Lewis wrote:
> Using both LO and OOo, I'm aware of the need to patch this vulnerability for both. What I don't know is what is the status of this with respect to LO. I presently have 3.5.1-102 and 3.4.5.502. I did not see anything mentioned about this on the LO main page. It would be nice to have a statement on the home page when it was fixed for 3.4.x and 3.5.x. It would be nice to have something on this mailing list.

Hi Dan

3.4.6 for the patch. It was in the release announcement. Not sure but it may be that 3.5.1 also has the fix - 3.5.2 surely will.

//drew
Re: [libreoffice-users] CVE-2012-0337
On Fri, 2012-03-23 at 08:10 -0400, drew jensen wrote:
> On Fri, 2012-03-23 at 07:55 -0400, Dan Lewis wrote:
> > Using both LO and OOo, I'm aware of the need to patch this vulnerability for both. What I don't know is what is the status of this with respect to LO. I presently have 3.5.1-102 and 3.4.5.502. I did not see anything mentioned about this on the LO main page. It would be nice to have a statement on the home page when it was fixed for 3.4.x and 3.5.x. It would be nice to have something on this mailing list.
>
> Hi Dan
>
> 3.4.6 for the patch. It was in the release announcement. Not sure but it may be that 3.5.1 also has the fix - 3.5.2 surely will.
>
> //drew

I have now read the release announcement, and it contains announcements for both 3.4.6 and 3.5.1. Both of these are rather vague. The 3.4.6 announcement mentions fixing a potential security issue. The 3.5.1 states: LibreOffice contains all the security fixes from OpenOffice.org in 3.3.0, and perhaps more as a side-effect of the code clean-ups. What security issues? I'm not sure I know from what I read.

Another thing that comes from trying to find this information: What is a link that I can use to list my concerns or other comments about the layout of the LO website?

--Dan
Re: [libreoffice-users] CVE-2012-0337
Hi Dan,

On Friday 23 March 2012, 08:53:54 Dan Lewis wrote:
> On Fri, 2012-03-23 at 08:10 -0400, drew jensen wrote:
> > On Fri, 2012-03-23 at 07:55 -0400, Dan Lewis wrote:
> ...
> [vague security announcements]
> What security issues? I'm not sure I know from what I read.

I tend to share your wish for clearer information here.

> Another thing that comes from trying to find this information: What is a link that I can use to list my concerns or other comments about the layout of the LO website?

As the project is self organized I'd suggest to raise your concerns in the website[1] list. There's also a more formal procedure to file an issue in bugzilla[2] (component WWW)

HTH
Nino

[1] webs...@global.libreoffice.org
Discussions list covering the design and maintenance of our Web infrastructure (main website, wiki, blog, planet, etc.).
Subscription: website+subscr...@global.libreoffice.org
(I think you don't need to subscribe but then your mail takes longer as it has to be moderated before delivery)
(info taken from: http://www.libreoffice.org/get-help/mailing-lists/ )

[2] via assistant: https://www.libreoffice.org/get-help/bug/ (choose component: WWW)
or directly in bugzilla: https://bugs.freedesktop.org/enter_bug.cgi?product=LibreOffice&component=WWW
For both you need a bugzilla account.
Re: [libreoffice-users] CVE-2012-0337
On Fri, 2012-03-23 at 08:53 -0400, Dan Lewis wrote:
> On Fri, 2012-03-23 at 08:10 -0400, drew jensen wrote:
> > On Fri, 2012-03-23 at 07:55 -0400, Dan Lewis wrote:
> > > Using both LO and OOo, I'm aware of the need to patch this vulnerability for both. What I don't know is what is the status of this with respect to LO. I presently have 3.5.1-102 and 3.4.5.502. I did not see anything mentioned about this on the LO main page. It would be nice to have a statement on the home page when it was fixed for 3.4.x and 3.5.x. It would be nice to have something on this mailing list.
> >
> > Hi Dan
> >
> > 3.4.6 for the patch. It was in the release announcement. Not sure but it may be that 3.5.1 also has the fix - 3.5.2 surely will.
> >
> > //drew
>
> I have now read the release announcement, and it contains announcements for both 3.4.6 and 3.5.1. Both of these are rather vague. The 3.4.6 announcement mentions fixing a potential security issue. The 3.5.1 states: LibreOffice contains all the security fixes from OpenOffice.org in 3.3.0, and perhaps more as a side-effect of the code clean-ups. What security issues? I'm not sure I know from what I read.
>
> Another thing that comes from trying to find this information: What is a link that I can use to list my concerns or other comments about the layout of the LO website?

Hi Dan,

Try website at global.libreoffice.org

//drew
Re: [libreoffice-users] CVE-2012-0337
On Fri, 2012-03-23 at 12:52 -0400, drew jensen wrote:
> On Fri, 2012-03-23 at 08:53 -0400, Dan Lewis wrote:
> > On Fri, 2012-03-23 at 08:10 -0400, drew jensen wrote:
> > > On Fri, 2012-03-23 at 07:55 -0400, Dan Lewis wrote:
> > > > Using both LO and OOo, I'm aware of the need to patch this vulnerability for both. What I don't know is what is the status of this with respect to LO. I presently have 3.5.1-102 and 3.4.5.502. I did not see anything mentioned about this on the LO main page. It would be nice to have a statement on the home page when it was fixed for 3.4.x and 3.5.x. It would be nice to have something on this mailing list.
> > >
> > > Hi Dan
> > >
> > > 3.4.6 for the patch. It was in the release announcement. Not sure but it may be that 3.5.1 also has the fix - 3.5.2 surely will.
> > >
> > > //drew
> >
> > I have now read the release announcement, and it contains announcements for both 3.4.6 and 3.5.1. Both of these are rather vague. The 3.4.6 announcement mentions fixing a potential security issue. The 3.5.1 states: LibreOffice contains all the security fixes from OpenOffice.org in 3.3.0, and perhaps more as a side-effect of the code clean-ups. What security issues? I'm not sure I know from what I read.
> >
> > Another thing that comes from trying to find this information: What is a link that I can use to list my concerns or other comments about the layout of the LO website?
>
> Hi Dan,
>
> Try website at global.libreoffice.org
>
> //drew

Thanks, I already did when someone also sent me this mailing list link.

--Dan
RE: [libreoffice-users] CVE-2012-0337
This was a common vulnerability in software having lineage from OpenOffice 3.x, where it was introduced as part of support for features that are new in ODF 1.2.

I have provided an unofficial, personal analysis on the ooo-users list. See http://mail-archives.apache.org/mod_mbox/incubator-ooo-users/201203.mbox/%3c008c01cd08af$dd22b230$97681690$@acm.org%3e. (I considered posting that here, but wasn't sure if it would be seen as appropriate.)

- Dennis

-----Original Message-----
From: Nino Novak [mailto:nn.l...@kflog.org]
Sent: Friday, March 23, 2012 06:29
To: users@global.libreoffice.org
Subject: Re: [libreoffice-users] CVE-2012-0337

Hi Dan,

On Friday 23 March 2012, 08:53:54 Dan Lewis wrote:
> On Fri, 2012-03-23 at 08:10 -0400, drew jensen wrote:
> > On Fri, 2012-03-23 at 07:55 -0400, Dan Lewis wrote:
> ...
> [vague security announcements]
> What security issues? I'm not sure I know from what I read.

I tend to share your wish for clearer information here.

> Another thing that comes from trying to find this information: What is a link that I can use to list my concerns or other comments about the layout of the LO website?

As the project is self organized I'd suggest to raise your concerns in the website[1] list. There's also a more formal procedure to file an issue in bugzilla[2] (component WWW)

HTH
Nino

[ ... ]
RE: [libreoffice-users] CVE-2012-0337
Hi :)

I think it would be good to post it here too. It's unusual for LibreOffice to suffer anything like it. In almost any other program it wouldn't have even been reported as it's so trivial. Just another patch for just another unlikely exploit.

You basically have to be passing the document backwards and forwards without changing formats with someone you think of as reasonably friendly but who is actually fairly evil and who has a fairly unusually high skill level and knowledge-base. I think the not changing formats part of that is fairly unlikely at the moment. Their skill level is an issue too. Perhaps most people on this list could do it fairly easily but the average skill level here is far higher than the vast majority of office workers.

With LO or other OpenSource programs such things are rare enough that they become big News stories.

Regards from Tom :)

--- On Fri, 23/3/12, Dennis E. Hamilton dennis.hamil...@acm.org wrote:

From: Dennis E. Hamilton dennis.hamil...@acm.org
Subject: RE: [libreoffice-users] CVE-2012-0337
To: users@global.libreoffice.org
Date: Friday, 23 March, 2012, 17:13

This was a common vulnerability in software having lineage from OpenOffice 3.x, where it was introduced as part of support for features that are new in ODF 1.2.

I have provided an unofficial, personal analysis on the ooo-users list. See http://mail-archives.apache.org/mod_mbox/incubator-ooo-users/201203.mbox/%3c008c01cd08af$dd22b230$97681690$@acm.org%3e. (I considered posting that here, but wasn't sure if it would be seen as appropriate.)

- Dennis

-----Original Message-----
From: Nino Novak [mailto:nn.l...@kflog.org]
Sent: Friday, March 23, 2012 06:29
To: users@global.libreoffice.org
Subject: Re: [libreoffice-users] CVE-2012-0337

Hi Dan,

On Friday 23 March 2012, 08:53:54 Dan Lewis wrote:
> On Fri, 2012-03-23 at 08:10 -0400, drew jensen wrote:
> > On Fri, 2012-03-23 at 07:55 -0400, Dan Lewis wrote:
> ...
> [vague security announcements]
> What security issues? I'm not sure I know from what I read.

I tend to share your wish for clearer information here.

> Another thing that comes from trying to find this information: What is a link that I can use to list my concerns or other comments about the layout of the LO website?

As the project is self organized I'd suggest to raise your concerns in the website[1] list. There's also a more formal procedure to file an issue in bugzilla[2] (component WWW)

HTH
Nino

[ ... ]