On Wed, Apr 29, 2015 at 2:00 PM, Andrea Pescetti <pesce...@apache.org>
wrote:

> Simon Phipps wrote:
>
>> Given this problem is not fixed in the current download, should the
>> project suspend downloads until it can be addressed?
>>
>
> This looks like a very extreme measure to take. The severity of the issue
> would not justify it.
Can you explain that please? The CVE says "Severity: Important" and the
effects are "a denial of service or possibly execution of arbitrary code by
preparing specially crafted documents in the HWP document format."

The fact we are unaware of current exploits does not mitigate the risk
arising from distributing the software, and the rarity of the file format
does not reduce the likelihood of it being used in an exploit. Maybe I am
missing some of the context from the private security list?

Thanks,

S.