That's BS. The disclosure has been embargoed since it report to multiple security lists in January. All of the involved parties recently settled on the March 22 date because that was the earliest date Apache OpenOffice could produce either a release or a patch in First-Quarter 2012. There is no way that Apache OpenOffice forced this as an early date. Nor did Apache OpenOffice surprise anyone. There were others (*not* LO/TDF) who wanted the embargo lifted even earlier.
It was certainly valuable to delay disclosure as long as possible to permit seeding of updates, but there was no way that could happen in the AOO case, since the production of a back-version patch to OO.o 3.3.0 would be and is an extraordinary event. Considering how easy it is to exploit the vulnerability with a maliciously-crafted ODF 1.2 document, there is always the fear that failure to disclose an important need to update also gives miscreants a head start at putting an exploit in the wild. The LO security team was fully aware of this and there was no pre-emption on the part of the Apache OpenOffice project. I personally want to acknowledge the forbearance of TDF and the LibreOffice security team in holding back so that the Apache OpenOffice team had this opportunity serve those who continue to operate with OpenOffice 3.3.0 and earlier releases. - Dennis -----Original Message----- From: lohma...@googlemail.com [mailto:lohma...@googlemail.com] On Behalf Of Christian Lohmaier Sent: Friday, March 23, 2012 05:24 To: discuss@documentfoundation.org Subject: Re: [tdf-discuss] Re: Security Advisories Hi NoOp, On Fri, Mar 23, 2012 at 2:56 AM, NoOp <gl...@sbcglobal.net> wrote: > On 03/22/2012 06:31 PM, Italo Vignoli wrote: >> NoOp wrote: >> >>> It would be nice if someone 'official' (ala TDF) could post the >>> CVE-2012-0037 notice on both the user and announce lists. The public was not supposed to know of this CVE, people should be given time to update to the fixed version before. [ ... ] But Apache-OOo made it public on their list, so we also had to make the info available. http://mail-archives.apache.org/mod_mbox/incubator-ooo-dev/201203.mbox/%3CCAP-ksoj7o5%2B2YH-E4XzR044V0e3YZfZvuef7eJuNGhdy%2Bk9kyA%40mail.gmail.com%3E > Neither do the release logs or release notes. As above - this was intentional. No details about the security fixes until the upstream project makes the CVE public (the bug is in a third-party component that is shipped along with LibreOffice). That of course doesn't mean it shouldn't be added now that the CVE is public. ciao Christian -- Unsubscribe instructions: E-mail to discuss+h...@documentfoundation.org Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.documentfoundation.org/www/discuss/ All messages sent to this list will be publicly archived and cannot be deleted -- Unsubscribe instructions: E-mail to discuss+h...@documentfoundation.org Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.documentfoundation.org/www/discuss/ All messages sent to this list will be publicly archived and cannot be deleted
