On 29/04/15 21:53, Marcus wrote:
> On 04/29/2015 05:39 PM, jan i wrote:
>> On 29 April 2015 at 15:07, Simon Phipps<si...@webmink.com>  wrote:
>>
>>> On Wed, Apr 29, 2015 at 2:00 PM, Andrea Pescetti<pesce...@apache.org>
>>> wrote:
>>>
>>>> Simon Phipps wrote:
>>>>
>>>>> Given this problem is not fixed in the current download, should the
>>>>> project suspend downloads until it can be addressed?
>>>>>
>>>>
>>>> This looks like a very extreme measure to take. The severity of the
>>>> issue would not justify it.
>>>
>>>
>>> Can you explain that please? The CVE says "Severity: Important" and the
>>> effects are "a denial of service or possibly execution of arbitrary
>>> code by preparing specially crafted documents in the HWP document format."
>>>
>>> The fact we are unaware of current exploits does not mitigate the risk
>>> arising from distributing the software, and the rarity of the file
>>> format does not reduce the likelihood of it being used in an exploit.
>>> Maybe I am missing some of the context from the private security list?
>>>
>> It seems to be an extremely seldom-used feature, which makes the exploit
>> unlikely.
>>
>> I am with Andrea, stopping downloads would not be right in this case.
> 
> +1 I also don't see this as a reason to stop offering downloads.

Stopping the downloads is completely exaggerated. I personally have never
seen such a file besides test documents in real life. We have a
simple and effective workaround in place. Even Korean community members
on our l10n list have mentioned that the format is no longer relevant.

And of course we have analyzed the exploit and have decided to either
fix it for the next release or, as currently discussed, to drop it
completely and get rid of a further obsolete format.

Why am I not surprised from whom this idea is coming ;-) And Simon, to be
serious, we take security issues very seriously. So for everyone who wants
to write something about security in AOO: security issues were and still
are a serious and important topic for AOO, and we analyze and decide what
to do for every single security issue.

Juergen

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org
