> -Original Message-
> From: Don Lewis [mailto:truck...@apache.org]
> Sent: Friday, August 12, 2016 14:09
> To: dev@openoffice.apache.org
> Cc: dennis.hamil...@acm.org
> Subject: Re: Officially releasing a patch for CVE-2016-1513
>
> On 12 Aug, Dennis E.
il...@acm.org]
>> Sent: Sunday, July 24, 2016 15:45
>> To: dev@openoffice.apache.org
>> Subject: RE: Officially releasing a patch for CVE-2016-1513
>>
>> The patched DLL is shipped with an external digital signature. I
>> guess we could ask that to be installed alo
e.apache.org
> Subject: RE: Officially releasing a patch for CVE-2016-1513
>
> The patched DLL is shipped with an external digital signature. I guess
> we could ask that to be installed alongside it. That would be a good
> tell-tale.
>
> The web site where the patch is downl
gmail.com]
>>>> Sent: Monday, August 1, 2016 15:43
>>>> To: dev@openoffice.apache.org
>>>> Subject: Re: Officially releasing a patch for CVE-2016-1513
>>>>
>>>>
>>>> On 07/31/2016 05:17 PM, Dennis E. Hamilton wrote:
>>>>
-1513
On 07/31/2016 05:17 PM, Dennis E. Hamilton wrote:
-Original Message-
From: Kay sch...@apache.org [mailto:ksch...@apache.org]
Sent: Sunday, July 31, 2016 14:42
To: dev@openoffice.apache.org
Subject: Re: Officially releasing a patch for CVE-2016-1513
OK, I think I'm done wit
On 08/01/2016 07:38 PM, Dennis E. Hamilton wrote:
>
>
>> -Original Message-
>> From: Kay Schenk [mailto:kay.sch...@gmail.com]
>> Sent: Monday, August 1, 2016 15:43
>> To: dev@openoffice.apache.org
>> Subject: Re: Officially releasing a patch for CVE
> -Original Message-
> From: Kay Schenk [mailto:kay.sch...@gmail.com]
> Sent: Monday, August 1, 2016 15:43
> To: dev@openoffice.apache.org
> Subject: Re: Officially releasing a patch for CVE-2016-1513
>
>
> On 07/31/2016 05:17 PM, Dennis E. Hamilton wrote:
>
On 07/31/2016 05:17 PM, Dennis E. Hamilton wrote:
>
>
>> -Original Message-
>> From: Kay sch...@apache.org [mailto:ksch...@apache.org]
>> Sent: Sunday, July 31, 2016 14:42
>> To: dev@openoffice.apache.org
>> Subject: Re: Officially releasing a patch
> -Original Message-
> From: Patricia Shanahan [mailto:p...@acm.org]
> Sent: Sunday, July 31, 2016 21:37
> To: dev@openoffice.apache.org
> Subject: Re: Officially releasing a patch for CVE-2016-1513
>
>
>
> On 7/31/2016 5:17 PM, Dennis E. Hamilton wrote:
Patricia Shanahan wrote:
For the end user, this is incredibly, painfully more complicated than
downloading and installing a new version.
It is. We must make clear that this is a "convenience" update made
available to power users, but at the same time state clearly that this
(non-critical) vul
On 7/31/2016 5:17 PM, Dennis E. Hamilton wrote:
-Original Message-
From: Kay sch...@apache.org [mailto:ksch...@apache.org]
Sent: Sunday, July 31, 2016 14:42
To: dev@openoffice.apache.org
Subject: Re: Officially releasing a patch for CVE-2016-1513
OK, I think I'm done wit
> -Original Message-
> From: Kay sch...@apache.org [mailto:ksch...@apache.org]
> Sent: Sunday, July 31, 2016 14:42
> To: dev@openoffice.apache.org
> Subject: Re: Officially releasing a patch for CVE-2016-1513
>
> OK, I think I'm done with the Linux64 bit area a
>
>>> Kay, if you are going to do the uploads of the initial ones for the
>>> dev/openoffice/4.1.2-patch1/binary/ area, let me know. I will not do
>>> anything about added documentation for any of them until they are in
>>> the SVN.
>>>
>>> If you do
016 05:26
To: dev@openoffice.apache.org
Subject: Re: Officially releasing a patch for CVE-2016-1513
On 30/07/2016 Kay Schenk wrote:
duplicate fixed
libraries for Linux-32, and Linux-64 based on submissions from Carl,
Damjan, and Ariel. I'd be happy to move these somewhere in the next
day or
so,
> -Original Message-
> From: Kay Schenk [mailto:kay.sch...@gmail.com]
> Sent: Sunday, July 31, 2016 11:53
> To: dev@openoffice.apache.org
> Subject: Re: Officially releasing a patch for CVE-2016-1513
[ ... ]
>
> I won't be doing anything with the Windows ar
documentation.
>
> - Dennis
>
>> -Original Message-
>> From: Andrea Pescetti [mailto:pesce...@apache.org]
>> Sent: Sunday, July 31, 2016 05:26
>> To: dev@openoffice.apache.org
>> Subject: Re: Officially releasing a patch for CVE-2016-1513
>
rom: Andrea Pescetti [mailto:pesce...@apache.org]
> Sent: Sunday, July 31, 2016 05:26
> To: dev@openoffice.apache.org
> Subject: Re: Officially releasing a patch for CVE-2016-1513
>
> On 30/07/2016 Kay Schenk wrote:
> > duplicate fixed
> > libraries for Linux-32, and L
On 07/31/2016 05:55 AM, Carl Marcum wrote:
> On 07/31/2016 08:25 AM, Andrea Pescetti wrote:
>> On 30/07/2016 Kay Schenk wrote:
>>> duplicate fixed
>>> libraries for Linux-32, and Linux-64 based on submissions from Carl,
>>> Damjan, and Ariel. I'd be happy to move these somewhere in the next
>>> da
On 07/31/2016 08:25 AM, Andrea Pescetti wrote:
On 30/07/2016 Kay Schenk wrote:
duplicate fixed
libraries for Linux-32, and Linux-64 based on submissions from Carl,
Damjan, and Ariel. I'd be happy to move these somewhere in the next
day or
so, but I don't know what versions we want to use.
Ar
On 30/07/2016 Kay Schenk wrote:
duplicate fixed
libraries for Linux-32, and Linux-64 based on submissions from Carl,
Damjan, and Ariel. I'd be happy to move these somewhere in the next day or
so, but I don't know what versions we want to use.
Ariel's were built on a CentOS 5 system, so equivale
ge-
> > From: Andrea Pescetti [mailto:pesce...@apache.org]
> > Sent: Saturday, July 30, 2016 11:09
> > To: dev@openoffice.apache.org
> > Subject: Re: Officially releasing a patch for CVE-2016-1513
> >
> > Dennis E. Hamilton wrote:
> > > I would like to
> -Original Message-
> From: Andrea Pescetti [mailto:pesce...@apache.org]
> Sent: Saturday, July 30, 2016 11:09
> To: dev@openoffice.apache.org
> Subject: Re: Officially releasing a patch for CVE-2016-1513
>
> Dennis E. Hamilton wrote:
> > I would like to re
Dennis E. Hamilton wrote:
I would like to remove those three.
Sure, feel free to. As I wrote, they were meant as backup solutions in
case we had issues with the patch-only package.
I have reviewed apache-openoffice-4.1.2-patch1.zip ...
I think this is good enough to go with.
Perfect, then
> -Original Message-
> From: Andrea Pescetti [mailto:pesce...@apache.org]
> Sent: Saturday, July 30, 2016 05:54
> To: dev@openoffice.apache.org
> Subject: Re: Officially releasing a patch for CVE-2016-1513
>
> On 30/07/2016 Dennis E. Hamilton wrote:
>
On 30/07/2016 Dennis E. Hamilton wrote:
-Original Message-
From: Andrea Pescetti
So I can supply a full source package or I can give my +1 to a "patch"
package that others prepare. ...
[orcmid] I can provide the patch source package on Monday.
Since I can only work on it today, I've up
> -Original Message-
> From: Andrea Pescetti [mailto:pesce...@apache.org]
> Sent: Friday, July 29, 2016 14:23
> To: dev@openoffice.apache.org
> Subject: Re: Officially releasing a patch for CVE-2016-1513
>
> On 24/07/2016 Andrea Pescetti wrote:
> > To do so, an
On 24/07/2016 Andrea Pescetti wrote:
To do so, an outline would be:
1) We commit the patch to the AOO410 branch. This is the branch used for
all the 4.1.x series. 4.2.0 isn't out yet, so 4.1.x is still our
reference version.
This was done by Kay today (thanks!).
2) We do not make any other ch
Looks good to me.
On 07/24/2016 05:37 PM, Andrea Pescetti wrote:
While the severity of the security bug we disclosed
http://www.openoffice.org/security/cves/CVE-2016-1513.html is not
particularly high (it is classified as "Medium" with no known exploits
and anti-virus software can detect malic
On 24 Jul, Dennis E. Hamilton wrote:
> The patched DLL is shipped with an external digital signature. I
> guess we could ask that to be installed alongside it. That would be a
> good tell-tale.
>
> The web site where the patch is downloadable from will have hashes for
> the archive containing th
+1 this looks like a good plan
On 07/24/2016 02:37 PM, Andrea Pescetti wrote:
> While the severity of the security bug we disclosed
> http://www.openoffice.org/security/cves/CVE-2016-1513.html is not
> particularly high (it is classified as "Medium" with no known exploits
> and anti-virus software
...@apache.org]
Sent: Sunday, July 24, 2016 15:14
To: dev@openoffice.apache.org
Subject: Re: Officially releasing a patch for CVE-2016-1513
On 24 Jul, Don Lewis wrote:
At a minimum, we should publish the hash values of buggy and fixed
versions of the library. That might not help someone who builds and
Thanks for the list. Apart from the differences thing it looks good to me.
Marcus
On 07/24/2016 11:37 PM, Andrea Pescetti wrote:
While the severity of the security bug we disclosed
http://www.openoffice.org/security/cves/CVE-2016-1513.html is not
particularly high (it is classified as "Medi
Subject: Re: Officially releasing a patch for CVE-2016-1513
>
> On 24 Jul, Don Lewis wrote:
>
> > At a minimum, we should publish the hash values of buggy and fixed
> > versions of the library. That might not help someone who builds and
> > installs from source since the bu
On 24 Jul, Don Lewis wrote:
> At a minimum, we should publish the hash values of buggy and fixed
> versions of the library. That might not help someone who builds and
> installs from source since the build might not be completely repeatable.
> For instance the library might contain a timestamp.
Adding
On 24 Jul, Andrea Pescetti wrote:
> While the severity of the security bug we disclosed
> http://www.openoffice.org/security/cves/CVE-2016-1513.html is not
> particularly high (it is classified as "Medium" with no known exploits
> and anti-virus software can detect malicious documents), we shoul
rg
> Subject: Officially releasing a patch for CVE-2016-1513
>
> While the severity of the security bug we disclosed
> http://www.openoffice.org/security/cves/CVE-2016-1513.html is not
> particularly high (it is classified as "Medium" with no known exploits
> and anti-virus soft
While the severity of the security bug we disclosed
http://www.openoffice.org/security/cves/CVE-2016-1513.html is not
particularly high (it is classified as "Medium" with no known exploits
and anti-virus software can detect malicious documents), we should
release an update incorporating the -al