On Thu, Apr 19, 2012 at 2:55 AM, NoOp <[email protected]> wrote:
> On 03/23/2012 02:17 PM, Rob Weir wrote:
>> On Fri, Mar 23, 2012 at 5:11 PM, Girvin R. Herr
>> <[email protected]> wrote:
>>> Dave,
>>> Thanks for the quick, encouraging response.
>>> I thought this security patch was part of an Apache effort and sanction. I
>>> was not aware that it was produced by a 3rd party without Apache support.
>>
>> That's a logical leap without basis. It is possible for a small group
>> at Apache to have produced the patch and for there to be no policy
>> against Linux. In fact both statements are true.
>>
>> Remember, we're not a commercial software vendor. Apache is a
>> non-profit, run by volunteers. If volunteers wish to make a Linux
>> patch, then they will. And it appears they will. We've certainly
>> been building and testing OpenOffice 3.4 for Linux. If there are
>> volunteers for Solaris, BSD, OS/2 or whatever, those patches will also
>> appear. The Apache license allows anyone to take this code and build
>> it on whatever platform they want.
>>
>>> My apologies to all. I will still keep an eye on it, but I am relieved that
>>> the Linux omission was not a result of Apache policy.
>>
>> Again, policy has nothing to do with this.
> ...
>
> Really? Then perhaps you can tell us where to find the linux patch. It's
> now April 18. AOO couldn't figure out a linux patch in all that time?
>

AOO is a community of volunteers. It is safe to say that no volunteer
has produced a Linux patch in this interval, but it is not safe to
assume this is because "AOO couldn't figure out" how to do it.

> Is there a different mirror than:
> <http://www.eng.lsu.edu/mirrors/apache//incubator/ooo/3.3/patches/cve-2012-0037/>
> with the linux patch(s)?
>

There are many different mirrors in the Apache mirror network. But
they should all have the same files.

> Seems pretty sad that AOO are unable to provide a linux patch when the
> Windows and Mac patches were provided 21 March. Makes one wonder if
> Apache even plan to support linux AOO. Particularly given this statement:
>
> "Linux and other platforms should consult their distro or OS vendor for
> patch instructions."
>
> on <http://www.openoffice.org/security/cves/CVE-2012-0037.html>.
>

If you check the AOO 3.4 dev snapshots I think it is clear that we are
planning to release AOO 3.4 on Linux, both 32 and 64-bits, and with
two packaging formats:

https://cwiki.apache.org/confluence/display/OOOUSERS/AOO+3.4+Unofficial+Developer+Snapshots

> BTW: <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0037> is
> still showing:
> CVE-2012-0037
> (under review)
> "** RESERVED ** This candidate has been reserved by an organization or
> individual that will use it when announcing a new security problem. When
> the candidate has been publicized, the details for this candidate will
> be provided. "
> Nor is there any mention of that CVE here:
> <https://incubator.apache.org/openofficeorg/security.html>
> So perhaps it really isn't something to worry about after all.
>

That page is for Apache OpenOffice security patches. The patch we're
talking about was for the pre-Apache OpenOffice.org.
Those security bulletins are on the legacy OpenOffice.org security
page here:

http://www.openoffice.org/security/bulletin.html

Regards,

-Rob
