On 23 Mar 2012, at 01:26, NoOp wrote: > Why is it that "security advisories" such as this: > > https://www.libreoffice.org/advisories/CVE-2012-0037/ > > are not posted on the user or announce lists? > > The only way I found out about this was via a Redhat bug report: > https://bugzilla.redhat.com/show_bug.cgi?id=791296 > [Bug 791296 - (CVE-2012-0037) CVE-2012-0037 raptor: XML External Entity > (XXE) attack via RDF files ] > And then later on the ApacheOOO user list: > <http://permalink.gmane.org/gmane.comp.apache.incubator.ooo.user/866> > > It would be nice if someone 'official' (ala TDF) could post the > CVE-2012-0037 notice on both the user and announce lists.
LibreOffice shares security information with other projects on a mailing list hosted neutrally at freedesktop.org. As I understand it, the embargo on mentioning this CVE was only lifted today, so you've not overlooked it up to now. S. -- Unsubscribe instructions: E-mail to discuss+h...@documentfoundation.org Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.documentfoundation.org/www/discuss/ All messages sent to this list will be publicly archived and cannot be deleted
