On 04/29/2015 05:39 PM, jan i wrote:
On 29 April 2015 at 15:07, Simon Phipps <si...@webmink.com> wrote:

On Wed, Apr 29, 2015 at 2:00 PM, Andrea Pescetti <pesce...@apache.org> wrote:

Simon Phipps wrote:

Given this problem is not fixed in the current download, should the project suspend downloads until it can be addressed?


This looks like a very extreme measure to take. The severity of the issue
would not justify it.


Can you explain that please? The CVE says "Severity: Important" and the
effects are "a denial of service or possibly execution of arbitrary code by
preparing specially crafted documents in the HWP document format."

The fact we are unaware of current exploits does not mitigate the risk
arising from distributing the software, and the rarity of the file format
does not reduce the likelihood of it being used in an exploit. Maybe I am
missing some of the context from the private security list?

It seems to be an extremely seldom-used feature; that makes the exploit unlikely.

I am with Andrea; stopping downloads would not be right in this case.

+1. I also don't see this as a reason to stop offering downloads.

Marcus

