[libreoffice-users] Re: Heartbleed
On 04/18/2014 10:00 AM, Sophie wrote:
> ...
> To answer your specific question now:
>
> On 18/04/2014 17:37, alnuwer wrote:
>> So I guess I have 3 choices:
>> Do nothing - I'm running version 4.2.2.1 (I have it set to auto update)
>> Go back to 4.1.5. Will I be giving up functionality?
>> Go to 4.2.3.3. But the release notes say it remains targeted for early adopters and private power users, which I'm not!
>
> Each of the 4.2.x.x releases is for early adopters because the version is still quite new and needs more tests to be said Stable. If you use a version of this branch you should always update to the last available.
>
>> So in layman terms, what is the difference between 4.2.2.1 and 4.1.5?
>
> See above, the 4.1.5 version is stable and has been tested for a long time now. If you want to use it for your daily work, you should always stay with this branch 4.1.x, until the 4.2.x branch is said stable and for all users.
> ...

Unfortunately that is not how 4.2.x is presented to the casual/new user.

If you go to libreoffice.org and click on the download button (see: http://s11.postimg.org/lpwmin3cj/Screenshot_from_2014_04_22_09_18_41.png), the link defaults to libreoffice-fresh and you are presented first with 4.2.x. See: http://s18.postimg.org/sm3gptoqh/Screenshot_from_2014_04_22_08_48_40.png and scrolling down the page 4.2.x is again presented as a 'released' version: http://s29.postimg.org/au30xbbt3/Screenshot_from_2014_04_22_08_49_44.png

Nothing on that page indicates that 4.2.x is for 'early adopters', and any new prospective user will do as presented and download the 'Main Installer' Help file for 4.2.x.

The user is only directed to libreoffice stable if they click on the libreoffice.org 'Download' dropdown menu: http://s16.postimg.org/hx3grlx6t/Screenshot_from_2014_04_22_09_19_13.png

Also, when checking for updates from 4.2.2.1:

Version: 4.2.2.1
Build ID: 3be8cda0bddd8e430d8cda1ebfd581265cca5a0f

I am assured that LibreOffice 4.2 is up to date.
http://s30.postimg.org/5szb78lo1/Screenshot_from_2014_04_22_08_57_37.png -- To unsubscribe e-mail to: users+unsubscr...@global.libreoffice.org Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.libreoffice.org/global/users/ All messages sent to this list will be publicly archived and cannot be deleted
Re: [libreoffice-users] Re: Heartbleed
Ah, sorry, I'd missed that connection. I see what you mean, not that IE is inherently more at risk, but that this tool to flag potential problems isn't available for it. It seems strange that Netcraft release this tool, but exclude a large number of users who could probably do with it!

Mark.

Tom Davies wrote:
> Hi :)
> http://www.theregister.co.uk/2014/04/18/netcraft_heartbleed_browser_extension/
>
> Netcraft's updated browser extension is available as a free download for Firefox 1.0 and later; Chrome 26 and later on Windows, OS X, and Linux; and for Opera 15 and later on OS X and Windows. Versions for other browsers aren't available, unfortunately, which means users of Internet Explorer and Safari are left in the dark.
>
> Regards from Tom :)
>
> On 19 April 2014 14:17, libreoffice-ml.mbou...@spamgourmet.com wrote:
>> Tom Davies wrote:
>>> Anyone continuing to use Internet Explorer deserves whatever they get now more than ever.
>>
>> In what way does Heartbleed affect IE users any more than others? Heartbleed is a bug in server-side software, and affects anyone using affected sites regardless of their browser.
>>
>> In fact, from what I've seen, it appears that newer versions of Internet Explorer are amongst the best at handling certificate revocation (which is needed to prevent a compromised certificate from being used to impersonate the server - just installing a new certificate on the server prevent the old one being used up to its expiry date if it's already compromised). e.g.: http://news.netcraft.com/archives/2013/05/13/how-certificate-revocation-doesnt-work-in-practice.html
>>
>> That article is a year old now, so other browsers may have improved since (and if not, it would seem there's now a good reason to do so!)
>>
>> Mark.
Re: [libreoffice-users] Re: Heartbleed
Hi :)
http://www.theregister.co.uk/2014/04/18/netcraft_heartbleed_browser_extension/

Netcraft's updated browser extension is available as a free download for Firefox 1.0 and later; Chrome 26 and later on Windows, OS X, and Linux; and for Opera 15 and later on OS X and Windows. Versions for other browsers aren't available, unfortunately, which means users of Internet Explorer and Safari are left in the dark.

Regards from Tom :)

On 19 April 2014 14:17, libreoffice-ml.mbou...@spamgourmet.com wrote:
> Tom Davies wrote:
>> Anyone continuing to use Internet Explorer deserves whatever they get now more than ever.
>
> In what way does Heartbleed affect IE users any more than others? Heartbleed is a bug in server-side software, and affects anyone using affected sites regardless of their browser.
>
> In fact, from what I've seen, it appears that newer versions of Internet Explorer are amongst the best at handling certificate revocation (which is needed to prevent a compromised certificate from being used to impersonate the server - just installing a new certificate on the server prevent the old one being used up to its expiry date if it's already compromised). e.g.: http://news.netcraft.com/archives/2013/05/13/how-certificate-revocation-doesnt-work-in-practice.html
>
> That article is a year old now, so other browsers may have improved since (and if not, it would seem there's now a good reason to do so!)
>
> Mark.
Re: [libreoffice-users] Re: Heartbleed
Tom Davies wrote:
> Anyone continuing to use Internet Explorer deserves whatever they get now more than ever.

In what way does Heartbleed affect IE users any more than others? Heartbleed is a bug in server-side software, and affects anyone using affected sites regardless of their browser.

In fact, from what I've seen, it appears that newer versions of Internet Explorer are amongst the best at handling certificate revocation (which is needed to prevent a compromised certificate from being used to impersonate the server - just installing a new certificate on the server prevent the old one being used up to its expiry date if it's already compromised). e.g.: http://news.netcraft.com/archives/2013/05/13/how-certificate-revocation-doesnt-work-in-practice.html

That article is a year old now, so other browsers may have improved since (and if not, it would seem there's now a good reason to do so!)

Mark.
[libreoffice-users] Re: Heartbleed
On 18/04/14 11:59, Tanstaafl wrote:
> But again... in what way does LibreOffice utilize TCP/UDP connectivity? What am I missing? Does it have a hidden built-in SSL client?

Errmm, when it is used in server (headless) mode and accepts connections? I don't know whether this allows for SSL connections though.

Alex
[libreoffice-users] Re: Heartbleed
So I guess I have 3 choices:
Do nothing - I'm running version 4.2.2.1 (I have it set to auto update)
Go back to 4.1.5. Will I be giving up functionality?
Go to 4.2.3.3. But the release notes say it remains targeted for early adopters and private power users, which I'm not!

So in layman terms, what is the difference between 4.2.2.1 and 4.1.5?

--
View this message in context: http://nabble.documentfoundation.org/Heartbleed-tp4105573p4105692.html
Sent from the Users mailing list archive at Nabble.com.
Re: [libreoffice-users] Re: Heartbleed
Hi all,

Top posting to answer to all, the risk for LibreOffice users was when using remote location like webdav or cmis. But again, LibreOffice 4.1.x branch is not touched by Heartbleed because the OpenSSL library used doesn't have the bug. In the LibreOffice 4.2.x branch, the last 4.2.3.3 fixes the OpenSSL library used, so if you use this branch, you should update to the last released version. But again the risk for LO was rather low.

To answer your specific question now:

On 18/04/2014 17:37, alnuwer wrote:
> So I guess I have 3 choices:
> Do nothing - I'm running version 4.2.2.1 (I have it set to auto update)
> Go back to 4.1.5. Will I be giving up functionality?
> Go to 4.2.3.3. But the release notes say it remains targeted for early adopters and private power users, which I'm not!

Each of the 4.2.x.x releases is for early adopters because the version is still quite new and needs more tests to be said Stable. If you use a version of this branch you should always update to the last available.

> So in layman terms, what is the difference between 4.2.2.1 and 4.1.5?

See above, the 4.1.5 version is stable and has been tested for a long time now. If you want to use it for your daily work, you should always stay with this branch 4.1.x, until the 4.2.x branch is said stable and for all users.

Kind regards
Sophie

--
Sophie Gautier sophie.gaut...@documentfoundation.org
Tel:+33683901545
Membership Certification Committee Member - Co-founder
The Document Foundation
[libreoffice-users] Re: Heartbleed
> Hi all,
> To answer your specific question now:
>
> On 18/04/2014 17:37, alnuwer wrote:
>> So I guess I have 3 choices:
>> Do nothing - I'm running version 4.2.2.1 (I have it set to auto update)
>> Go back to 4.1.5. Will I be giving up functionality?
>> Go to 4.2.3.3. But the release notes say it remains targeted for early adopters and private power users, which I'm not!
>
> Each of the 4.2.x.x releases is for early adopters because the version is still quite new and needs more tests to be said Stable. If you use a version of this branch you should always update to the last available.
>
>> So in layman terms, what is the difference between 4.2.2.1 and 4.1.5?
>
> See above, the 4.1.5 version is stable and has been tested for a long time now. If you want to use it for your daily work, you should always stay with this branch 4.1.x, until the 4.2.x branch is said stable and for all users.
>
> Kind regards
> Sophie

Thanks Sophie - I am updating to 4.2.3.3.

Recall, I started this thread because my password manager, LastPass, flagged the site openoffice.org as vulnerable. The discussion took on a life of its own regarding the OpenOffice application. I believe this was goodness, but now, what about the openoffice.org site? Is it indeed vulnerable? And if so, when will it get fixed?

--
View this message in context: http://nabble.documentfoundation.org/Heartbleed-tp4105573p4105709.html
Sent from the Users mailing list archive at Nabble.com.
Re: [libreoffice-users] Re: Heartbleed
Hi,

On 18/04/2014 20:33, alnuwer wrote:
>> Hi all,
>> To answer your specific question now:
>>
>> On 18/04/2014 17:37, alnuwer wrote:
>>> So I guess I have 3 choices:
>>> Do nothing - I'm running version 4.2.2.1 (I have it set to auto update)
>>> Go back to 4.1.5. Will I be giving up functionality?
>>> Go to 4.2.3.3. But the release notes say it remains targeted for early adopters and private power users, which I'm not!
>>
>> Each of the 4.2.x.x releases is for early adopters because the version is still quite new and needs more tests to be said Stable. If you use a version of this branch you should always update to the last available.
>>
>>> So in layman terms, what is the difference between 4.2.2.1 and 4.1.5?
>>
>> See above, the 4.1.5 version is stable and has been tested for a long time now. If you want to use it for your daily work, you should always stay with this branch 4.1.x, until the 4.2.x branch is said stable and for all users.
>>
>> Kind regards
>> Sophie
>
> Thanks Sophie - I am updating to 4.2.3.3.
>
> Recall, I started this thread because my password manager, LastPass, flagged the site openoffice.org as vulnerable. The discussion took on a life of its own regarding the OpenOffice application. I believe this was goodness, but now, what about the openoffice.org site? Is it indeed vulnerable? And if so, when will it get fixed?

Hey, you are on the LibreOffice list, so I don't know, maybe they need to wait for the new certificate to be in place :) A lot of sites have been affected and not all of them have been able to add the new certificate quickly however they patched the OpenSSL security thing and the site by itself was safe, only the new certificate needed to be issued, at least that's what we've done on the LibreOffice infrastructure side.

Kind regards
Sophie
Re: [libreoffice-users] Re: Heartbleed
Hi :)

Ok, so since you are already using 4.2.2 you are already an early adopter or private power-user even if you don't feel confident about that label. The 4.2.3 fixes a few things that would normally need a private power user to handle. Since you've not had any problems with the 4.2.2 you can comfortably update to the 4.2.3.

Regards from Tom :)

On 18 April 2014 18:00, Sophie gautier.sop...@gmail.com wrote:
> Hi all,
>
> Top posting to answer to all, the risk for LibreOffice users was when using remote location like webdav or cmis. But again, LibreOffice 4.1.x branch is not touched by Heartbleed because the OpenSSL library used doesn't have the bug. In the LibreOffice 4.2.x branch, the last 4.2.3.3 fixes the OpenSSL library used, so if you use this branch, you should update to the last released version. But again the risk for LO was rather low.
>
> To answer your specific question now:
>
> On 18/04/2014 17:37, alnuwer wrote:
>> So I guess I have 3 choices:
>> Do nothing - I'm running version 4.2.2.1 (I have it set to auto update)
>> Go back to 4.1.5. Will I be giving up functionality?
>> Go to 4.2.3.3. But the release notes say it remains targeted for early adopters and private power users, which I'm not!
>
> Each of the 4.2.x.x releases is for early adopters because the version is still quite new and needs more tests to be said Stable. If you use a version of this branch you should always update to the last available.
>
>> So in layman terms, what is the difference between 4.2.2.1 and 4.1.5?
>
> See above, the 4.1.5 version is stable and has been tested for a long time now. If you want to use it for your daily work, you should always stay with this branch 4.1.x, until the 4.2.x branch is said stable and for all users.
>
> Kind regards
> Sophie
>
> --
> Sophie Gautier sophie.gaut...@documentfoundation.org
> Tel:+33683901545
> Membership Certification Committee Member - Co-founder
> The Document Foundation
Re: [libreoffice-users] Re: Heartbleed
Hi :)

From what I heard most of this is a case of the solution being more of a hindrance than the actual problem was in the first place.

There is a LOT of politics at play here because OpenSSL was OpenSource. Apparently it was running on donations of about $2k/yr and less than minimal staffing. If all the companies using it donated 0.1% of their income towards the project then it would be raking in millions. So, it's carefully being ignored that the last time OpenSSL had a problem was 15 years ago.

Taking advantage of this problem would have required an extreme amount of skill and a huge amount of patience. Each successful attack on a website would scrape something like 64kb, or was it 16? So getting anything useful would take millions of attacks, which would probably have been noticed as a sudden increase in network traffic and caused the website to crouch down in defensive mode (or maybe even start counter-attacks in a tiny number of cases).

The question is are you storing valuable data on whichever website? Is your password to that site likely to give-away all, or a lot of, the passwords you use on other sites? How about the security question for when you forget your password? How much personal information does whichever site hold about you and could that data be used to cause you some bother?

Even where the answers to all but q1 are yes you have to bear in mind that they would have to be quick to deal with the tons of other people's information they had scraped at the same time and could the criminal process all that fast enough?

So most of the threat has been blown out of all proportion. Of course we still have to fix it but that has probably already been done and now we just sit and wait for external recognition of that fact. The people who verify that are swamped so it might be a bit of a wait.

It might be a good idea to step-up your own security over the next few months. Anyone continuing to use Internet Explorer deserves whatever they get now more than ever.

Regards from Tom :)

On 18 April 2014 19:51, Sophie gautier.sop...@gmail.com wrote:
> Hi,
>
> On 18/04/2014 20:33, alnuwer wrote:
>>> Hi all,
>>> To answer your specific question now:
>>>
>>> On 18/04/2014 17:37, alnuwer wrote:
>>>> So I guess I have 3 choices:
>>>> Do nothing - I'm running version 4.2.2.1 (I have it set to auto update)
>>>> Go back to 4.1.5. Will I be giving up functionality?
>>>> Go to 4.2.3.3. But the release notes say it remains targeted for early adopters and private power users, which I'm not!
>>>
>>> Each of the 4.2.x.x releases is for early adopters because the version is still quite new and needs more tests to be said Stable. If you use a version of this branch you should always update to the last available.
>>>
>>>> So in layman terms, what is the difference between 4.2.2.1 and 4.1.5?
>>>
>>> See above, the 4.1.5 version is stable and has been tested for a long time now. If you want to use it for your daily work, you should always stay with this branch 4.1.x, until the 4.2.x branch is said stable and for all users.
>>>
>>> Kind regards
>>> Sophie
>>
>> Thanks Sophie - I am updating to 4.2.3.3.
>>
>> Recall, I started this thread because my password manager, LastPass, flagged the site openoffice.org as vulnerable. The discussion took on a life of its own regarding the OpenOffice application. I believe this was goodness, but now, what about the openoffice.org site? Is it indeed vulnerable? And if so, when will it get fixed?
>
> Hey, you are on the LibreOffice list, so I don't know, maybe they need to wait for the new certificate to be in place :) A lot of sites have been affected and not all of them have been able to add the new certificate quickly however they patched the OpenSSL security thing and the site by itself was safe, only the new certificate needed to be issued, at least that's what we've done on the LibreOffice infrastructure side.
>
> Kind regards
> Sophie