-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Greetings:

I have been following this thread with interest. When I got to the download that you clearly listed in your message, I got the following message, "403 Forbidden, you do not have permission to access...on this server" and then it gave the mirror site name where I have the dots. I then tried to use other mirror sites and I got the same message.

The first time I tried downloading the instructions, I wondered what all the sites were for. I didn't work through all the sites the other times, thinking that I was missing something or that I would be going to download something that either I didn't need or I might access something damaging to my computer. This time, I started to work my way down the various http sites on the download mirrors and kept getting the "403 Forbidden..." message when I pressed the download buttons. After four times getting the same message, I finally found one mirror that downloaded the instructions.

John was more vocal about his frustration but I experienced similar kinds of emotions in my following of your instructions... I don't know what needs to change...

Thank you for your attention on this.

Sincerely,
Nick Kircher

On 3/26/12 9:58 AM, Rob Weir wrote:
> On Sun, Mar 25, 2012 at 8:13 PM, John Boyle <[email protected]> wrote:
>
>> On 3/25/2012 1:59 AM, Martin Groenescheij wrote:
>>
>>> Hi Boiling John,
>>>
>>> You could be a little more polite, keep in mind that Rob provided this
>>> patch to protect our security.
>>> The instructions are clear and I didn't have a problem to install it.
>>>
>>> Martin
>>>
>>> On 25/03/2012 5:18 PM, John Boyle wrote:
>>>
>>>> On 3/22/2012 6:16 AM, Rob Weir wrote:
>>>>
>>>>> Please note, this is the official security bulletin, targeted for
>>>>> security professionals. If you are an OpenOffice.org 3.3 user, and
>>>>> are able to apply the mentioned patch, then you are encouraged to do
>>>>> so. If someone else supports or manages your desktop, then please
>>>>> forward this information to them.
>>>>>
>>>>> Additional support is available on our Community Forums:
>>>>>
>>>>> http://user.services.openoffice.org/
>>>>>
>>>>> And via our ooo-users mailing list:
>>>>>
>>>>> http://incubator.apache.org/openofficeorg/mailing-lists.html#users-mailing-list
>>>>>
>>>>> Note: This security patch for OpenOffice.org is made available to
>>>>> legacy OpenOffice.org users as a service by the Apache OpenOffice
>>>>> Project Management Committee. The patch is made available under the
>>>>> Apache License, and due to its importance, we are releasing it outside
>>>>> of the standard release cycle.
>>>>>
>>>>> -Rob
>>>>>
> CVE-2012-0037: OpenOffice.org data leakage vulnerability
>
> Severity: Important
>
> Vendor: The Apache Software Foundation
>
> Versions Affected: OpenOffice.org 3.3 and 3.4 Beta, on all platforms.
> Earlier versions may be also affected.
>
> Description: An XML External Entity (XXE) attack is possible in the
> above versions of OpenOffice.org. This vulnerability exploits the way in
> which external entities are processed in certain XML components of ODF
> documents. By crafting an external entity to refer to other local file
> system resources, an attacker would be able to inject contents of other
> locally-accessible files into the ODF document, without the user's
> knowledge or permission. Data leakage then becomes possible when that
> document is later distributed to other parties.
>
> Mitigation: OpenOffice.org 3.3.0 and 3.4 beta users should install the
> patch at: http://www.openoffice.org/security/cves/CVE-2012-0037.html
>
> This vulnerability is also fixed in Apache OpenOffice 3.4 dev
> snapshots since March 1st, 2012.
>
> Source and Building: Information on obtaining the source code for this
> patch, and for porting it or adapting it to OpenOffice.org derivatives
> can be found here:
> http://www.openoffice.org/security/cves/CVE-2012-0037-src.txt
>
> Credit: The Apache OpenOffice project acknowledges and thanks the
> discoverer of this issue, Timothy D. Morgan of Virtual Security
> Research, LLC.
>
> References: http://security.openoffice.org
>
>>>>>
>>>>> ---------------------------------------------------------------------
>>>>> To unsubscribe, e-mail: ooo-users-unsubscribe@incubator.apache.org
>>>>> For additional commands, e-mail: ooo-users-help@incubator.apache.org
>>>>>
>>>> To Rob Weir: I have been a user of computers since the TRS 80 from
>>>> Tandy and a user of OpenOffice for I don't know how many years! The asinine
>>>> patch that was put out to be installed was badly done and I cannot use it
>>>> whatsoever! Now, if someone cannot get it to their heads that a patch must
>>>> be a simple install from the get go, then they are going to lose users of
>>>> open office for their arrogance. A four-part Idiotic message claiming to
>>>> give you a patch is actually totally worthless!
>>>> Have you ever heard of the
>>>> DUMMIES books and method of approach to this problem?:-( :-( :-(
>>>>
>>>
>> To Rob and Martin: I had no intention of being Impolite, but I never
>> found any third page I keep hearing about and cannot figure how to install
>> the patch! I was just asking if there wasn't a simpler way or where the
>> heck was the patch at? I can't figure it out from what you've gotten And I
>> started with computers on a TRS 80 computer. I simply would like to get my
>> OpenOffice patched correctly and am asking if it's at all possible?:-\
>>
>
> Hi John.
>
> Let's break it down.
>
> See the original note, where I wrote;
>
> "Mitigation: OpenOffice.org 3.3.0 and 3.4 beta users should install the
> patch at: http://www.openoffice.org/security/cves/CVE-2012-0037.html"
>
> Start with that page. Load that URL in your browser.
>
> Then on that page you will see something that says, "OpenOffice.org 3.3.0
> and 3.4 beta users can patch their installation with the following patches.
> Download, unzip and follow the instructions in the enclosed readme.pdf
> file."
>
> Right below that there are two links, one labeled "For Windows" and the
> other "For MacOS". Download the appropriate one, unzip and load the
> readme.pdf inside. If you are not able to unzip or read a PDF file then
> let me know.
>
> The readme.pdf file has its own instructions, with pictures, which should
> make the remaining steps clear.
> But let me know if you have further
> questions.
>
> -Rob
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk9v1G0ACgkQFgUvDYSMGtCb5ACghWcTvKNGJQmnK5jw7KSQajw0
Vu4AoIAxWao/aZnXUXvxErCnfnTsJyB7
=z1Lf
-----END PGP SIGNATURE-----
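
Added example, not part of the original thread and not the Apache OpenOffice patch: a defender-side check for the condition described in the quoted bulletin, reporting XML members of an ODF package that declare entities in a DOCTYPE, without ever handing them to an XML parser. Scanning every .xml/.rdf member is an assumption (the bulletin only says "certain XML components"), and the sample package, its member names and the placeholder URI are constructed.

```python
import io
import re
import zipfile

HEAD_BYTES = 64 * 1024  # the DTD internal subset precedes the root element
XML_SUFFIXES = (".xml", ".rdf")  # assumption: check every XML-like member
# May also match inside XML comments; treat a hit as "needs review".
ENTITY_RE = re.compile(r"<!ENTITY\s+(?:%\s+)?([^\s>]+)\s+(SYSTEM|PUBLIC)?")


def decode_head(raw: bytes) -> str:
    """Decode without an XML parser, so nothing here ever resolves an entity."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16", errors="replace")
    return raw.decode("utf-8", errors="replace")


def scan_odf(data: bytes):
    """Return (member, entity_name, kind) for each entity declaration found."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for info in pkg.infolist():
            if not info.filename.lower().endswith(XML_SUFFIXES):
                continue
            with pkg.open(info) as member:
                head = decode_head(member.read(HEAD_BYTES))
            for name, keyword in ENTITY_RE.findall(head):
                kind = "external" if keyword else "internal"
                findings.append((info.filename, name, kind))
    return findings


def build_sample(with_entity: bool) -> bytes:
    """Constructed ODF-like package for the demo; not a real document."""
    rdf = '<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"/>'
    if with_entity:
        rdf = ('<!DOCTYPE rdf [<!ENTITY leak SYSTEM '
               '"file:///constructed/placeholder">]>\n' + rdf)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        pkg.writestr("content.xml", "<office:document-content/>")
        pkg.writestr("manifest.rdf", '<?xml version="1.0"?>\n' + rdf)
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("clean", False), ("crafted", True)):
        print(label, scan_odf(build_sample(flag)))
```

Ordinary ODF content has no need for a DOCTYPE with entity declarations, so any "external" finding in a received document is worth reviewing before the file is opened in an unpatched installation or redistributed.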
