Re: [libreoffice-users] What is the status of Java security vs. LibreOffice?
On 8/30/2012 2:33 PM, Jay Lozier jsloz...@gmail.com wrote: The security problems are Java problems and are not OS or app related and can affect any computer running the unpatched Java version(s). My understanding is the transmission is likely via rogue or corrupted websites that use Java rather than via a downloaded Java app. Or you can use Firefox+NoScript, and only selectively allow java for trusted sites (just like it does for javascript)... -- For unsubscribe instructions e-mail to: users+h...@global.libreoffice.org Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.libreoffice.org/global/users/ All messages sent to this list will be publicly archived and cannot be deleted
Re: [libreoffice-users] What is the status of Java security vs. LibreOffice?
On 30/08/2012 at 20:14, Fabian Rodriguez magic...@member.fsf.org wrote: I saw this a few days ago, I'd like to know what should I make of it?: http://arstechnica.com/security/2012/08/critical-flaw-under-active-attack-p rompts-calls-to-disable-java/ This article already explains it: Those who need Java to run applications such as Open Office or Freemind can still protect themselves by disabling Java in their browser to prevent drive- by attacks on booby-trapped websites. Until patch is provided, it might be wise to not open office documents from uncertain source (that is: all but your own). Most likely it is not needed, but it won't harm. -- Best regards Mirosław Zalewski -- For unsubscribe instructions e-mail to: users+h...@global.libreoffice.org Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.libreoffice.org/global/users/ All messages sent to this list will be publicly archived and cannot be deleted
Re: [libreoffice-users] What is the status of Java security vs. LibreOffice?
On 08/30/2012 02:14 PM, Fabian Rodriguez wrote: Hi all I saw this a few days ago, I'd like to know what should I make of it?: http://arstechnica.com/security/2012/08/critical-flaw-under-active-attack-prompts-calls-to-disable-java/ I never install Java when I install LibreOffice, but a few people end up installing it. I have seen a few threads about it in the fr-discuss list, but nothing clear/concise (although I may have missed a post or two). Thanks for any information. Cheers, Fabian Rodriguez http://libreoffice.magicfab.ca AFAIK Java is primarily used by the embedded Base engine and possibly some extensions. If you use a non-Java database (MySQL, Postgres, MariaDB, etc) that does not use Java you do not need Java. The security problems are Java problems and are not OS or app related and can affect any computer running the unpatched Java version(s). My understanding is the transmission is likely via rogue or corrupted websites that use Java rather than via a downloaded Java app. I do not know if this issue affects the openJRE project. -- Jay Lozier jsloz...@gmail.com -- For unsubscribe instructions e-mail to: users+h...@global.libreoffice.org Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.libreoffice.org/global/users/ All messages sent to this list will be publicly archived and cannot be deleted
Re: [libreoffice-users] What is the status of Java security vs. LibreOffice?
Hi :) It's the same old story. All this has happened before and will happen again (any Battlestar Galactica fans out there?). Oracle tell us all that their new version of java is ultra safe and really is safe this time and that all their previous versions are horribly flawed and likely to cause widespread plagues and death etc to anyone that continues to use them. Then their new ultra safe one is found to also have horrible flaws in it. As it happens it seems very few people actually seem to suffer or at least we never hear of it. Still we keep advising people to update to the most recent possible version but to try avoiding it completely if they can. For us the 1.6_32 is currently the most usable as the 1.7 has never really worked well with LO. As time goes on it seems that java is compromised faster and faster. Each new release lasting less and less time until some horror story emerges. Their 1.7 branch was supposed to be their best ever taking the whole thing to a new plateau of rock solid stability and sfaety but the 1st 4 versions got compromised even before release! Meanwhile the TDF devs working on LO have removed just about all dependancy on java. There are still a few Wizards and Extensions that need it and, of course, the database program (but only if you use the internal embedded back-end) and all the Accessibility stuff. So, the User List stance is to try to get people to try not using Java at all but if they do need it to use the one that does work with LO - which i don't think has been compromised just yet although that's probably just because it hasn't reached the mainstream media yet because it's considered an 'old' version even though it was released after the latest in the 1.7 branch. Regards from Tom :) From: Fabian Rodriguez magic...@member.fsf.org To: users@global.libreoffice.org Sent: Thursday, 30 August 2012, 19:14 Subject: [libreoffice-users] What is the status of Java security vs. LibreOffice? -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi all I saw this a few days ago, I'd like to know what should I make of it?: http://arstechnica.com/security/2012/08/critical-flaw-under-active-attack-prompts-calls-to-disable-java/ I never install Java when I install LibreOffice, but a few people end up installing it. I have seen a few threads about it in the fr-discuss list, but nothing clear/concise (although I may have missed a post or two). Thanks for any information. Cheers, Fabian Rodriguez http://libreoffice.magicfab.ca - -- -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) Comment: PGP/Mime available upon request Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAlA/rXIACgkQfUcTXFrypNXJOACcDs0YJHO+yhWBA2p/kMaUzRp0 W0wAnjYmH9iPtp74HZsHyglBFernR0cw =NWFH -END PGP SIGNATURE- -- For unsubscribe instructions e-mail to: users+h...@global.libreoffice.org Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.libreoffice.org/global/users/ All messages sent to this list will be publicly archived and cannot be deleted -- For unsubscribe instructions e-mail to: users+h...@global.libreoffice.org Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.libreoffice.org/global/users/ All messages sent to this list will be publicly archived and cannot be deleted
Re: [libreoffice-users] What is the status of Java security vs. LibreOffice?
On 30/08/2012 at 20:33, Jay Lozier jsloz...@gmail.com wrote: I do not know if this issue affects the openJRE project. I have not tested myself, but people say it does not. Users of openJRE are safe from this one. -- Best regards Mirosław Zalewski -- For unsubscribe instructions e-mail to: users+h...@global.libreoffice.org Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.libreoffice.org/global/users/ All messages sent to this list will be publicly archived and cannot be deleted
Re: [libreoffice-users] What is the status of Java security vs. LibreOffice?
Hi :) Even though both openJRE and standard java are both run by Oracle it seems that openJRE tends to be a bit safer. Possibly something to do with running it through a community in a more OpenSource way. Regards from Tom :) From: Mirosław Zalewski mini...@poczta.onet.pl To: users@global.libreoffice.org Sent: Thursday, 30 August 2012, 19:39 Subject: Re: [libreoffice-users] What is the status of Java security vs. LibreOffice? On 30/08/2012 at 20:33, Jay Lozier jsloz...@gmail.com wrote: I do not know if this issue affects the openJRE project. I have not tested myself, but people say it does not. Users of openJRE are safe from this one. -- Best regards Mirosław Zalewski -- For unsubscribe instructions e-mail to: users+h...@global.libreoffice.org Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.libreoffice.org/global/users/ All messages sent to this list will be publicly archived and cannot be deleted -- For unsubscribe instructions e-mail to: users+h...@global.libreoffice.org Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.libreoffice.org/global/users/ All messages sent to this list will be publicly archived and cannot be deleted