RE: Officially releasing a patch for CVE-2016-1513

2016-08-12 Thread Dennis E. Hamilton
> -Original Message- > From: Don Lewis [mailto:truck...@apache.org] > Sent: Friday, August 12, 2016 14:09 > To: dev@openoffice.apache.org > Cc: dennis.hamil...@acm.org > Subject: Re: Officially releasing a patch for CVE-2016-1513 > > On 12 Aug, Dennis E.

Re: Officially releasing a patch for CVE-2016-1513

2016-08-12 Thread Don Lewis
il...@acm.org] >> Sent: Sunday, July 24, 2016 15:45 >> To: dev@openoffice.apache.org >> Subject: RE: Officially releasing a patch for CVE-2016-1513 >> >> The patched DLL is shipped with an external digital signature. I >> guess we could ask that to be installed alo

RE: Officially releasing a patch for CVE-2016-1513

2016-08-12 Thread Dennis E. Hamilton
e.apache.org > Subject: RE: Officially releasing a patch for CVE-2016-1513 > > The patched DLL is shipped with an external digital signature. I guess > we could ask that to be installed alongside it. That would be a good > tell-tale. > > The web site where the patch is d

Re: Officially releasing a patch for CVE-2016-1513

2016-08-02 Thread Kay Schenk
gmail.com] >>>> Sent: Monday, August 1, 2016 15:43 >>>> To: dev@openoffice.apache.org >>>> Subject: Re: Officially releasing a patch for CVE-2016-1513 >>>> >>>> >>>> On 07/31/2016 05:17 PM, Dennis E. Hamilton wrote: >>>&g

Re: Officially releasing a patch for CVE-2016-1513

2016-08-02 Thread Marcus
-1513 On 07/31/2016 05:17 PM, Dennis E. Hamilton wrote: -Original Message- From: Kay sch...@apache.org [mailto:ksch...@apache.org] Sent: Sunday, July 31, 2016 14:42 To: dev@openoffice.apache.org Subject: Re: Officially releasing a patch for CVE-2016-1513 OK, I think I'm done

Re: Officially releasing a patch for CVE-2016-1513

2016-08-02 Thread Kay Schenk
On 08/01/2016 07:38 PM, Dennis E. Hamilton wrote: > > >> -Original Message- >> From: Kay Schenk [mailto:kay.sch...@gmail.com] >> Sent: Monday, August 1, 2016 15:43 >> To: dev@openoffice.apache.org >> Subject: Re: Officially releasing a patch for CVE

RE: Officially releasing a patch for CVE-2016-1513

2016-08-01 Thread Dennis E. Hamilton
> -Original Message- > From: Kay Schenk [mailto:kay.sch...@gmail.com] > Sent: Monday, August 1, 2016 15:43 > To: dev@openoffice.apache.org > Subject: Re: Officially releasing a patch for CVE-2016-1513 > > > On 07/31/2016 05:17 PM, Dennis E. Hamilton wrote: &g

Re: Officially releasing a patch for CVE-2016-1513

2016-08-01 Thread Andrea Pescetti
Patricia Shanahan wrote: For the end user, this is incredibly, painfully more complicated than downloading and installing a new version. It is. We must make clear that this is a "convenience" update made available to power users, but at the same time state clearly that this (non-critical)

Re: Officially releasing a patch for CVE-2016-1513

2016-07-31 Thread Patricia Shanahan
On 7/31/2016 5:17 PM, Dennis E. Hamilton wrote: -Original Message- From: Kay sch...@apache.org [mailto:ksch...@apache.org] Sent: Sunday, July 31, 2016 14:42 To: dev@openoffice.apache.org Subject: Re: Officially releasing a patch for CVE-2016-1513 OK, I think I'm done

RE: Officially releasing a patch for CVE-2016-1513

2016-07-31 Thread Dennis E. Hamilton
> -Original Message- > From: Kay sch...@apache.org [mailto:ksch...@apache.org] > Sent: Sunday, July 31, 2016 14:42 > To: dev@openoffice.apache.org > Subject: Re: Officially releasing a patch for CVE-2016-1513 > > OK, I think I'm done with the Linux64 bit area as wel

Re: Officially releasing a patch for CVE-2016-1513

2016-07-31 Thread Kay sch...@apache.org
;> dev/openoffice/4.1.2-patch1/binary/ area, let me know. I will not do >>> anything about added documentation for any of them until they are in >>> the SVN. >>> >>> If you do not, I will do so, with some initial documentation. >>> >>> - Den

Re: Officially releasing a patch for CVE-2016-1513

2016-07-31 Thread Marcus
a patch for CVE-2016-1513 On 30/07/2016 Kay Schenk wrote: duplicate fixed libraries for Linux-32, and Linux-64 based on submissions from Carl, Damjan, and Ariel. I'd be happy to move these somewhere in the next day or so, but I don't know what versions we want to use. Ariel's were built on a CentOS

RE: Officially releasing a patch for CVE-2016-1513

2016-07-31 Thread Dennis E. Hamilton
> -Original Message- > From: Kay Schenk [mailto:kay.sch...@gmail.com] > Sent: Sunday, July 31, 2016 11:53 > To: dev@openoffice.apache.org > Subject: Re: Officially releasing a patch for CVE-2016-1513 [ ... ] > > I won't be doing anything with the Windows

Re: Officially releasing a patch for CVE-2016-1513

2016-07-31 Thread Kay Schenk
--Original Message- >> From: Andrea Pescetti [mailto:pesce...@apache.org] >> Sent: Sunday, July 31, 2016 05:26 >> To: dev@openoffice.apache.org >> Subject: Re: Officially releasing a patch for CVE-2016-1513 >> >> On 30/07/2016 Kay Schenk wrote: >>

RE: Officially releasing a patch for CVE-2016-1513

2016-07-31 Thread Dennis E. Hamilton
Andrea Pescetti [mailto:pesce...@apache.org] > Sent: Sunday, July 31, 2016 05:26 > To: dev@openoffice.apache.org > Subject: Re: Officially releasing a patch for CVE-2016-1513 > > On 30/07/2016 Kay Schenk wrote: > > duplicate fixed > > libraries for Linux-32, and Linux-

Re: Officially releasing a patch for CVE-2016-1513

2016-07-31 Thread Kay sch...@apache.org
On 07/31/2016 05:55 AM, Carl Marcum wrote: > On 07/31/2016 08:25 AM, Andrea Pescetti wrote: >> On 30/07/2016 Kay Schenk wrote: >>> duplicate fixed >>> libraries for Linux-32, and Linux-64 based on submissions from Carl, >>> Damjan, and Ariel. I'd be happy to move these somewhere in the next >>>

Re: Officially releasing a patch for CVE-2016-1513

2016-07-31 Thread Carl Marcum
On 07/31/2016 08:25 AM, Andrea Pescetti wrote: On 30/07/2016 Kay Schenk wrote: duplicate fixed libraries for Linux-32, and Linux-64 based on submissions from Carl, Damjan, and Ariel. I'd be happy to move these somewhere in the next day or so, but I don't know what versions we want to use.

Re: Officially releasing a patch for CVE-2016-1513

2016-07-31 Thread Andrea Pescetti
On 30/07/2016 Kay Schenk wrote: duplicate fixed libraries for Linux-32, and Linux-64 based on submissions from Carl, Damjan, and Ariel. I'd be happy to move these somewhere in the next day or so, but I don't know what versions we want to use. Ariel's were built on a CentOS 5 system, so

Re: Officially releasing a patch for CVE-2016-1513

2016-07-30 Thread Kay Schenk
t; From: Andrea Pescetti [mailto:pesce...@apache.org] > > Sent: Saturday, July 30, 2016 11:09 > > To: dev@openoffice.apache.org > > Subject: Re: Officially releasing a patch for CVE-2016-1513 > > > > Dennis E. Hamilton wrote: > > > I would like to remove those

RE: Officially releasing a patch for CVE-2016-1513

2016-07-30 Thread Dennis E. Hamilton
> -Original Message- > From: Andrea Pescetti [mailto:pesce...@apache.org] > Sent: Saturday, July 30, 2016 11:09 > To: dev@openoffice.apache.org > Subject: Re: Officially releasing a patch for CVE-2016-1513 > > Dennis E. Hamilton wrote: > > I would like to re

Re: Officially releasing a patch for CVE-2016-1513

2016-07-30 Thread Andrea Pescetti
Dennis E. Hamilton wrote: I would like to remove those three. Sure, feel free to. As I wrote, they were meant as backup solutions in case we had issues with the patch-only package. I have reviewed apache-openoffice-4.1.2-patch1.zip ... I think this is good enough to go with. Perfect,

RE: Officially releasing a patch for CVE-2016-1513

2016-07-30 Thread Dennis E. Hamilton
> -Original Message- > From: Andrea Pescetti [mailto:pesce...@apache.org] > Sent: Saturday, July 30, 2016 05:54 > To: dev@openoffice.apache.org > Subject: Re: Officially releasing a patch for CVE-2016-1513 > > On 30/07/2016 Dennis E. Hamilton wrote: >

Re: Officially releasing a patch for CVE-2016-1513

2016-07-30 Thread Andrea Pescetti
On 30/07/2016 Dennis E. Hamilton wrote: -Original Message- From: Andrea Pescetti So I can supply a full source package or I can give my +1 to a "patch" package that others prepare. ... [orcmid] I can provide the patch source package on Monday. Since I can only work on it today, I've

RE: Officially releasing a patch for CVE-2016-1513

2016-07-29 Thread Dennis E. Hamilton
> -Original Message- > From: Andrea Pescetti [mailto:pesce...@apache.org] > Sent: Friday, July 29, 2016 14:23 > To: dev@openoffice.apache.org > Subject: Re: Officially releasing a patch for CVE-2016-1513 > > On 24/07/2016 Andrea Pescetti wrote: > > To do so, an

Re: Officially releasing a patch for CVE-2016-1513

2016-07-29 Thread Andrea Pescetti
On 24/07/2016 Andrea Pescetti wrote: To do so, an outline would be: 1) We commit the patch to the AOO410 branch. This is the branch used for all the 4.1.x series. 4.2.0 isn't out yet, so 4.1.x is still our reference version. This was done by Kay today (thanks!). 2) We do not make any other

Re: Officially releasing a patch for CVE-2016-1513

2016-07-26 Thread Carl Marcum
Looks good to me. On 07/24/2016 05:37 PM, Andrea Pescetti wrote: While the severity of the security bug we disclosed http://www.openoffice.org/security/cves/CVE-2016-1513.html is not particularly high (it is classified as "Medium" with no known exploits and anti-virus software can detect

Re: Officially releasing a patch for CVE-2016-1513

2016-07-25 Thread Kay sch...@apache.org
+1 this looks like a good plan On 07/24/2016 02:37 PM, Andrea Pescetti wrote: > While the severity of the security bug we disclosed > http://www.openoffice.org/security/cves/CVE-2016-1513.html is not > particularly high (it is classified as "Medium" with no known exploits > and anti-virus

Re: Officially releasing a patch for CVE-2016-1513

2016-07-25 Thread Marcus
: Sunday, July 24, 2016 15:14 To: dev@openoffice.apache.org Subject: Re: Officially releasing a patch for CVE-2016-1513 On 24 Jul, Don Lewis wrote: At a minimum, we should publish the hash values of buggy and fixed versions of the library. That might not help someone who builds and installs from source

Re: Officially releasing a patch for CVE-2016-1513

2016-07-25 Thread Marcus
Thanks for the list. Apart from the differences thing it looks good to me. Marcus Am 07/24/2016 11:37 PM, schrieb Andrea Pescetti: While the severity of the security bug we disclosed http://www.openoffice.org/security/cves/CVE-2016-1513.html is not particularly high (it is classified as

RE: Officially releasing a patch for CVE-2016-1513

2016-07-24 Thread Dennis E. Hamilton
ially releasing a patch for CVE-2016-1513 > > On 24 Jul, Don Lewis wrote: > > > At a minimum, we should publish the hash values of buggy and fixed > > versions of the library. That might not help someone who builds and > > installs from source since the build not be completel

Re: Officially releasing a patch for CVE-2016-1513

2016-07-24 Thread Don Lewis
On 24 Jul, Don Lewis wrote: > At a minimum, we should publish the hash values of buggy and fixed > versions of the library. That might not help someone who builds and > installs from source since the build may not be completely repeatable. > For instance the library might contain a timestamp.
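The check Don Lewis proposes above (publish the hashes of the buggy and the fixed library so a user can tell which one is installed) as an added worked example; it is not code from the thread or from the OpenOffice project. The file contents and the digest table it uses are constructed stand-ins, not the real digests of any OpenOffice library; a user would substitute the values the project actually publishes. It also carries the caveat raised in the same message: a library rebuilt from source may hash differently (for instance because of an embedded build timestamp) even when it contains the fix, so an unmatched hash is reported as inconclusive rather than as safe, and the external signature shipped alongside the patched DLL remains the other tell-tale to inspect.

```python
import hashlib
import os
import tempfile

# Constructed sample "library images". These bytes stand in for the
# vulnerable build, the published patched build, and a self-built library
# that carries the fix plus a build stamp. They are NOT taken from
# OpenOffice; the digests below are derived from them, not published values.
SAMPLE_VULNERABLE_BYTES = b"constructed stand-in for the vulnerable library\n"
SAMPLE_FIXED_BYTES = b"constructed stand-in for the patched library\n"
SAMPLE_SELF_BUILT_BYTES = (
    b"constructed stand-in for the patched library\n"
    b"build-stamp: 2016-07-24T15:45Z\n"
)


def sha256_bytes(data: bytes) -> str:
    """SHA-256 hex digest of an in-memory buffer (used to build the sample table)."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """SHA-256 hex digest of a file, read in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def normalize_digest(digest: str) -> str:
    """Accept digests as they tend to be pasted: mixed case, stray whitespace."""
    return "".join(digest.split()).lower()


# The table a project would publish beside a patch: digest -> status.
# Filled here from the constructed samples above (an assumption, not real data).
KNOWN_DIGESTS = {
    sha256_bytes(SAMPLE_VULNERABLE_BYTES): "vulnerable",
    sha256_bytes(SAMPLE_FIXED_BYTES): "fixed",
}


def classify(path: str, known: dict = KNOWN_DIGESTS) -> str:
    """Report 'vulnerable', 'fixed', or 'inconclusive' for the library at `path`.

    'inconclusive' is deliberately not 'safe': a library rebuilt from source can
    differ from the published binary (for instance through an embedded build
    timestamp) while still containing the fix, so an unmatched digest only says
    the hash check cannot decide; the file's signature or build provenance has
    to be examined instead.
    """
    table = {normalize_digest(k): v for k, v in known.items()}
    return table.get(sha256_file(path), "inconclusive")


def demo(directory=None) -> dict:
    """Write the three constructed samples to disk and classify each.

    Returns {filename: status}; serves both as the stand-alone demonstration
    and as the hook for automated checks.
    """
    directory = directory or tempfile.mkdtemp(prefix="cve-2016-1513-demo-")
    samples = {
        "libvuln.so": SAMPLE_VULNERABLE_BYTES,       # matches the "vulnerable" digest
        "libfixed.so": SAMPLE_FIXED_BYTES,           # matches the "fixed" digest
        "libselfbuilt.so": SAMPLE_SELF_BUILT_BYTES,  # patched content, unpublished digest
    }
    results = {}
    for name, data in samples.items():
        path = os.path.join(directory, name)
        with open(path, "wb") as f:
            f.write(data)
        results[name] = classify(path)
    return results


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

Run stand-alone, the script reports the first sample as vulnerable, the second as fixed, and the self-built one as inconclusive; that third outcome is the point of the message above, since a user who compiled the patch themselves gets no verdict from hashes alone.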

Re: Officially releasing a patch for CVE-2016-1513

2016-07-24 Thread Don Lewis
On 24 Jul, Andrea Pescetti wrote: > While the severity of the security bug we disclosed > http://www.openoffice.org/security/cves/CVE-2016-1513.html is not > particularly high (it is classified as "Medium" with no known exploits > and anti-virus software can detect malicious documents), we

RE: Officially releasing a patch for CVE-2016-1513

2016-07-24 Thread Dennis E. Hamilton
[BCC to PMC, AOO Security team where how to accomplish this has been under discussion] +1 from me, all the way down the line. > -Original Message- > From: Andrea Pescetti [mailto:pesce...@apache.org] > Sent: Sunday, July 24, 2016 14:38 > To: dev@openoffice.apache.org > Subject: