Re: [tdf-discuss] Re: security related information, CVE-2019-9848, CVE-2019-9849

2019-08-10 Thread Caolán McNamara
On Fri, 2019-08-09 at 21:38 -0700, Derek Currie wrote:
> A further patch was supposed to be applied in version
> 6.3.4 this week.
> And yet there is no record in the release notes of that patch.
> Instead, there is an incorrect listing that CVE-2019-9848 was patched
> in v6.2.5.2, which has been published to not be the case.

It is not incorrect to state that CVE-2019-9848 was patched in 6.2.5.2,
but it is fair to state that it turns out the solution is not totally
sufficient and there is an additional problem with the solution.

A new advisory will be issued with a new CVE number for the follow-up
issue when the solution is ready. We're working on making it available.


-- 
To unsubscribe e-mail to: discuss+unsubscr...@documentfoundation.org
Problems? https://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: https://wiki.documentfoundation.org/Netiquette
List archive: https://listarchives.documentfoundation.org/www/discuss/
Privacy Policy: https://www.documentfoundation.org/privacy


Re: [tdf-discuss] Re: security related information, CVE-2019-9848, CVE-2019-9849

2019-08-10 Thread Charles-H. Schulz
Hello Derek,

On 10 August 2019 06:38:34 GMT+02:00, Derek Currie wrote:
>I've been following this situation closely and advising users about the
>workaround for *CVE-2019-9848*.
>
>*Problem:* The Document Foundation has stated that the patch for
>CVE-2019-9848 was not entirely effective. I can provide documentation. A
>further patch was supposed to be applied in version 6.3.4 this week. And yet
>there is no record in the release notes of that patch. Instead, there is an
>incorrect listing that CVE-2019-9848 was patched in v6.2.5.2, which has been
>published to not be the case.


So both MITRE and the Document Foundation are wrong according to you?

Also, 6.3.0 was just released, not 6.3.4, and in my understanding also has the
proper patch(es). This is of course a rather dynamic situation that our
security team is actively working on.

>
>https://www.libreoffice.org/about-us/security/advisories/cve-2019-9848/
>
> 
>
>This situation is thoroughly confusing users.
>

I am not sure it is...

>I'm continuing to advise users to apply the workaround for
>CVE-2019-9848.


What workaround? Are you in charge of users in a professional environment?

Thanks,

Charles.

>
>Please sort this out ASAP.
>
>Thank you.
>
>Derek Currie
>
>
>
>--
>Sent from:
>http://document-foundation-mail-archive.969070.n3.nabble.com/Discuss-f1621725.html

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.



[tdf-discuss] Re: security related information, CVE-2019-9848, CVE-2019-9849

2019-08-09 Thread Derek Currie
I've been following this situation closely and advising users about the
workaround for *CVE-2019-9848*.

*Problem:* The Document Foundation has stated that the patch for
CVE-2019-9848 was not entirely effective. I can provide documentation. A
further patch was supposed to be applied in version 6.3.4 this week. And yet
there is no record in the release notes of that patch. Instead, there is an
incorrect listing that CVE-2019-9848 was patched in v6.2.5.2, which has been
published to not be the case.

https://www.libreoffice.org/about-us/security/advisories/cve-2019-9848/
  

This situation is thoroughly confusing users.

I'm continuing to advise users to apply the workaround for CVE-2019-9848.

Please sort this out ASAP.

Thank you.

Derek Currie



--
Sent from: 
http://document-foundation-mail-archive.969070.n3.nabble.com/Discuss-f1621725.html
