Re: [board-discuss] vote on new fixed BoD call time
On Thursday 22 March 2012 at 09:34 +0100, Thorsten Behrens wrote:
> Florian Effenberger wrote:
> > I hereby request:
> >
> > That the Board of Directors will meet every two weeks on Wednesday via phone, beginning on April 4th, at 1500 UTC. The agenda will be available at the appropriate wiki page. All members of the Board of Directors and everyone interested is invited to join the calls.
>
> +1 from me
>
> -- Thorsten, who was actually asking for this change ;)

+1

--
Charles-H. Schulz
Co-Founder Director, The Document Foundation.

--
Unsubscribe instructions: E-mail to board-discuss+h...@documentfoundation.org
Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
List archive: http://listarchives.documentfoundation.org/www/board-discuss/
All messages sent to this list will be publicly archived and cannot be deleted
[tdf-discuss] Security Advisories
Why is it that security advisories such as this:
https://www.libreoffice.org/advisories/CVE-2012-0037/
are not posted on the user or announce lists?

The only way I found out about this was via a Redhat bug report:
https://bugzilla.redhat.com/show_bug.cgi?id=791296
[Bug 791296 - (CVE-2012-0037) CVE-2012-0037 raptor: XML External Entity (XXE) attack via RDF files]

And then later on the ApacheOOO user list:
http://permalink.gmane.org/gmane.comp.apache.incubator.ooo.user/866

It would be nice if someone 'official' (ala TDF) could post the CVE-2012-0037 notice on both the user and announce lists.

--
Unsubscribe instructions: E-mail to discuss+h...@documentfoundation.org
Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
List archive: http://listarchives.documentfoundation.org/www/discuss/
All messages sent to this list will be publicly archived and cannot be deleted
Re: [tdf-discuss] Security Advisories
NoOp wrote:
> It would be nice if someone 'official' (ala TDF) could post the CVE-2012-0037 notice on both the user and announce lists.

It is now reported on the blog post.

--
Italo Vignoli - italo.vign...@gmail.com
mob +39.348.5653829 - VoIP 5316...@messagenet.it
skype italovignoli - gtalk italo.vign...@gmail.com
[tdf-discuss] Re: Security Advisories
On 03/22/2012 06:31 PM, Italo Vignoli wrote:
> NoOp wrote:
> > It would be nice if someone 'official' (ala TDF) could post the CVE-2012-0037 notice on both the user and announce lists.
>
> It is now reported on the blog post.

Well just how many users are subscribed to a blog post? Nor do I think that they (at least I don't) check www.libreoffice.org daily:
https://www.libreoffice.org/

Are these the posts that you are referring to?
http://blog.documentfoundation.org/2012/03/22/tdf-announces-libreoffice-3-4-6/
http://blog.documentfoundation.org/2012/03/15/libreoffice-3-5-1-provides-additional-security-and-stability/

Neither of those blog posts contain information regarding CVE-2012-0037. Neither do the release logs or release notes. Nor is there any mention of which bug reports are related to this issue - is there one?

LO 3.5.1 is showing:
LibreOffice 3.5.1 Final (2012-03-15)
The Redhat Bug report (Bug 791296) was dated 2012-03-16 - so LO was aware of, and patched this in 3.5.1 prior to 15 March?

Lacking an LO Security Announce list, I just think that it would be nice if such announcements were posted on the user announce lists as well and the blog.
Re: [tdf-discuss] Security Advisories
On 23 Mar 2012, at 01:26, NoOp wrote:
> Why is it that security advisories such as this:
> https://www.libreoffice.org/advisories/CVE-2012-0037/
> are not posted on the user or announce lists?
>
> The only way I found out about this was via a Redhat bug report:
> https://bugzilla.redhat.com/show_bug.cgi?id=791296
> [Bug 791296 - (CVE-2012-0037) CVE-2012-0037 raptor: XML External Entity (XXE) attack via RDF files]
>
> And then later on the ApacheOOO user list:
> http://permalink.gmane.org/gmane.comp.apache.incubator.ooo.user/866
>
> It would be nice if someone 'official' (ala TDF) could post the CVE-2012-0037 notice on both the user and announce lists.

LibreOffice shares security information with other projects on a mailing list hosted neutrally at freedesktop.org. As I understand it, the embargo on mentioning this CVE was only lifted today, so you've not overlooked it up to now.

S.
Re: [tdf-discuss] Re: Security Advisories
On 23 Mar 2012, at 01:56, NoOp wrote:
> Are these the posts that you are referring to?
> http://blog.documentfoundation.org/2012/03/22/tdf-announces-libreoffice-3-4-6/

That one now has a link to the CVE as the embargo has been lifted.

> http://blog.documentfoundation.org/2012/03/15/libreoffice-3-5-1-provides-additional-security-and-stability/

That one was published a week ago so could not have had the link to the CVE as it was still private to the collaborative security mailing list (that I don't belong to either by the way).

Personally I think that subscribing to the Announce list was enough in this case:
http://listarchives.documentfoundation.org/www/announce/msg00092.html

Waiting until the embargo for the CVE lifted might have been smart, but otherwise all the information has been published in the places I would expect.

HTH

S.