> On Oct 6, 2021, at 10:37 AM, Carl Marcum <carl.b.mar...@gmail.com> wrote:
> 
> Hi Marcus,
> 
> On 10/6/21 1:15 PM, Marcus wrote:
>> On 06.10.21 at 19:06, Carl Marcum wrote:
>>> On 10/6/21 12:37 PM, Marcus wrote:
>>>> On 06.10.21 at 18:31, Matthias Seidel wrote:
>>>>> On 06.10.21 at 18:26, Dave Fisher wrote:
>>>>>> 
>>>>>>> On Oct 6, 2021, at 9:22 AM, Matthias Seidel 
>>>>>>> <matthias.sei...@hamburg.de> wrote:
>>>>>>> 
>>>>>>> On 06.10.21 at 18:19, Dave Fisher wrote:
>>>>>>>>> On Oct 6, 2021, at 8:16 AM, Matthias Seidel 
>>>>>>>>> <matthias.sei...@hamburg.de> wrote:
>>>>>>>>> 
>>>>>>>>> Uploads are complete and files are on at least 20 mirrors.
>>>>>>>>> 
>>>>>>>>> SourceForge is ready to go!
>>>>>>>> I don’t see the files here: 
>>>>>>>> https://sourceforge.net/projects/openofficeorg.mirror/files/
>>>>>>> The directory is staged (invisible) until we do the release.
>>>>>> Great. Just checking.
>>>>>> 
>>>>>> BTW - What time will the “release” happen? Today or tomorrow morning? I 
>>>>>> need to ask security to publish the two CVEs and plan to be out this 
>>>>>> afternoon and evening.
>>>>> 
>>>>> I would prefer later today (European time). Marcus, what do you think?
>>>> 
>>>> I don't care. My preparations are nearly finished. I can commit the 
>>>> changes whenever we want. :-)
>>>> 
>>>> However, more important is that the blog announcement and release notes 
>>>> are also ready. I can take care of the release notes.
>>> 
>>> I filled in some improvement bullet points but feel free to add/change as 
>>> needed.
>> 
>> I've finished (so far) the release notes. You can copy & paste the bugfixes 
>> and enhancements from there:
>> https://cwiki.apache.org/confluence/display/OOOUSERS/AOO+4.1.11+Release+Notes
>>  
> 
> We have these two that are already public and could be listed.
> CVE-2021-33035 Buffer overflow from a crafted DBF file

I’ve just asked Apache Security to republish this one with the information that 
4.1.11 fixes the issue.

> CVE-2021-40439 Billion Laughs

Should also be published to Mitre soon.

> 
> CVE-2021-30245 - Code execution in Apache OpenOffice via non-http(s) schemes 
> in Hyperlinks
> We fixed in 4.1.10 although a little too aggressively and improved the 
> handling in this one.
> Should we list it again?

It can’t hurt.

Also, I noticed we never published this one for the DEB flaw in 4.1.8. I’ve 
asked for this to be published too.

CVE-2021-28129 DEB packaging for Apache OpenOffice 4.1.8 installed with a 
non-root userid and groupid

Regards,
Dave

> 
> Thanks,
> Carl
> 
> 
>> 
>>> I saw the date for Patricia joining the project was missing. I searched the 
>>> archives and came up with this post as about the oldest I could find so I 
>>> used that year.
>>> https://lists.apache.org/thread.html/9f5c7bbe9c2e46b800ad1dda5a1068a64ff26ab830ff9a9134c3b398%401446081722%40%3Cdev.openoffice.apache.org%3E
>>>  
>> 
>> 
>> Ah, great.
>> 
>>>> And of course the security texts and webpages. I can also take over this 
>>>> but need the texts.
>>>> 
>>>> Dave, can you please help with the texts?
>>>> Carl, can you please finalize the blog post?
>>> 
>>> If we're good with the text I'm ready to publish.
>>> Just say the word.
>>> 
>>> Also on the announce email draft I'm ready if nobody wants a change.
>>> 
>>> What time are we thinking?
>> 
>> Let's say at 20:00 CET which is in ~ 45 minutes.
>> Is this OK for all?
>> 
>> Marcus
>> 
>> 
>> 
>>>>>>>>> On 05.10.21 at 20:58, Matthias Seidel wrote:
>>>>>>>>>> Hi Jim,
>>>>>>>>>> 
>>>>>>>>>> Uploads to SourceForge are running.
>>>>>>>>>> 
>>>>>>>>>> Regards,
>>>>>>>>>> 
>>>>>>>>>>    Matthias
>>>>>>>>>> 
>>>>>>>>>> On 05.10.21 at 13:14, Jim Jagielski wrote:
>>>>>>>>>>> The vote on releasing AOO 4.1.11-RC1 as GA is CLOSED.
>>>>>>>>>>> 
>>>>>>>>>>> The vote has PASSED.
>>>>>>>>>>> 
>>>>>>>>>>>> On Oct 4, 2021, at 12:01 PM, Matthias Seidel 
>>>>>>>>>>>> <matthias.sei...@hamburg.de> wrote:
>>>>>>>>>>>> 
>>>>>>>>>>>> Hi Jim,
>>>>>>>>>>>> 
>>>>>>>>>>>> On 04.10.21 at 13:09, Jim Jagielski wrote:
>>>>>>>>>>>>> Agreed!
>>>>>>>>>>>> Marcus already cast his vote.
>>>>>>>>>>>> 
>>>>>>>>>>>> Maybe it is time to close the vote and move on?
>>>>>>>>>>>> 
>>>>>>>>>>>> Regards,
>>>>>>>>>>>> 
>>>>>>>>>>>>   Matthias
>>>>>>>>>>>> 
>>>>>>>>>>>>>> On Oct 1, 2021, at 2:45 PM, Marcus <marcus.m...@wtnet.de> wrote:
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> Jim, is it possible to extend the vote for 12 hours (which will 
>>>>>>>>>>>>>> be Midnight European time)?
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> Then I've a much better chance with testing *and* to take part 
>>>>>>>>>>>>>> in this vote.
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> Thanks
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> Marcus
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> On 30.09.21 at 12:37, Jim Jagielski wrote:
>>>>>>>>>>>>>>> I am calling a VOTE on releasing the source and complimentary 
>>>>>>>>>>>>>>> community builds of
>>>>>>>>>>>>>>> Apache OpenOffice 4.1.11-RC1 as GA.
>>>>>>>>>>>>>>> [...]
>>>>>>>>>>>>>>> This vote will be open for the normal 72hrs.
>> 
>> 
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
>> For additional commands, e-mail: dev-h...@openoffice.apache.org
>> 
> 
> 
> 

