[tdf-discuss] Invitation to the LibreOffice Hackfest 2012 in Hamburg
Hi all,

Let me take this opportunity to shamelessly plug the LibreOffice Hamburg Hackfest 2012. The city of Hamburg has throughout history taken its freedom and independence as a high treasure -- as can be seen from its motto: Libertatem quam peperere maiores digne studeat servare posteritas. Thus it is a great place for an event of a project that takes freedom as seriously as LibreOffice does.

https://wiki.documentfoundation.org/Hackfest/Hamburg2012

As a proud local, I also decided to guide some sightseeing on Friday afternoon for people interested, so if you arrive early you might get to see some of the beautiful corners of Hamburg. After that we will meet up with everyone in the Schachcafe close to the Hackfest location for a beer event.

Saturday and Sunday then will be two days of hacking, learning, teaching, connecting and implementing great ideas at the Attraktor, one of the home bases of the Chaos Computer Club, which has an interesting history starting with tales of international espionage during the cold war and much more (see Wikipedia and links on the Hackfest page). They have become older, wiser and tamer at least a bit since then, but still originate cool projects like Project Blinkenlights.

Nerdshirt.de kindly sponsors us ten T-shirts for the participants. We just decided to give those to the first ten people who add themselves to the participant list completely with their name and shirt size(*). First come, first served here, as with travel bursaries and couch surfing, which is kindly provided by some of the Hamburg Hackers.

So please add yourself as a participant to the Hackfest at:

https://wiki.documentfoundation.org/Hackfest/Hamburg2012

and add topics that you would like to discuss or work on -- we will try to find a mentor for you then.

Looking forward to seeing you all in Hamburg!

Bjoern

(*) If you think this is some evil plot to get you to register early, you might be onto something, but please do not tell anybody!
-- Unsubscribe instructions: E-mail to discuss+h...@documentfoundation.org Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.documentfoundation.org/www/discuss/ All messages sent to this list will be publicly archived and cannot be deleted
[tdf-discuss] Re: [libreoffice-projects] Invitation to the LibreOffice Hackfest 2012 in Hamburg
Bjoern Michaelsen wrote:
> Nerdshirt.de kindly sponsors us ten T-shirts for the participants. We just decided to give those to the first ten people who add themselves to the participant list completely with their name and shirt size(*). First come, first served here, as with travel bursaries and couch surfing, which is kindly provided by some of the Hamburg Hackers.

So, first T-Shirt is going to be mine.

-- 
Italo Vignoli - italo.vign...@gmail.com
mob +39.348.5653829 - VoIP 5316...@messagenet.it
skype italovignoli - gtalk italo.vign...@gmail.com
Re: [tdf-discuss] Security Advisories
NoOp wrote:
> Why is it that security advisories such as this:
> https://www.libreoffice.org/advisories/CVE-2012-0037/
> are not posted on the user or announce lists? The only way I found out about this was via a Red Hat bug report:
> https://bugzilla.redhat.com/show_bug.cgi?id=791296
> [Bug 791296 - (CVE-2012-0037) CVE-2012-0037 raptor: XML External Entity (XXE) attack via RDF files]
> And then later on the ApacheOOO user list:
> http://permalink.gmane.org/gmane.comp.apache.incubator.ooo.user/866
> It would be nice if someone 'official' (a la TDF) could post the CVE-2012-0037 notice on both the user and announce lists.

+1
Re: [tdf-discuss] Re: Security Advisories
On 03/22/2012 06:31 PM, Italo Vignoli wrote:
> NoOp wrote:
>> It would be nice if someone 'official' (a la TDF) could post the CVE-2012-0037 notice on both the user and announce lists.
>
> It is now reported on the blog post.

Well, just how many users are subscribed to a blog post? Nor do I think that they (at least I don't) check www.libreoffice.org daily:
https://www.libreoffice.org/

Are these the posts that you are referring to?
http://blog.documentfoundation.org/2012/03/22/tdf-announces-libreoffice-3-4-6/
http://blog.documentfoundation.org/2012/03/15/libreoffice-3-5-1-provides-additional-security-and-stability/

Neither of those blog posts contains information regarding CVE-2012-0037. Neither do the release logs or release notes. Nor is there any mention of which bug reports are related to this issue - is there one?

LO 3.5.1 is showing: LibreOffice 3.5.1 Final (2012-03-15)
The Red Hat bug report (Bug 791296) was dated 2012-03-16 - so LO was aware of, and patched, this in 3.5.1 prior to 15 March?

Lacking an LO Security Announce list, I just think that it would be nice if such announcements were posted on the user and announce lists as well as the blog. Also the Discuss list!
RE: [tdf-discuss] Re: Security Advisories
That's BS. The disclosure has been embargoed since its report to multiple security lists in January. All of the involved parties recently settled on the March 22 date because that was the earliest date Apache OpenOffice could produce either a release or a patch in First-Quarter 2012. There is no way that Apache OpenOffice forced this as an early date. Nor did Apache OpenOffice surprise anyone. There were others (*not* LO/TDF) who wanted the embargo lifted even earlier.

It was certainly valuable to delay disclosure as long as possible to permit seeding of updates, but there was no way that could happen in the AOO case, since the production of a back-version patch to OO.o 3.3.0 would be and is an extraordinary event.

Considering how easy it is to exploit the vulnerability with a maliciously-crafted ODF 1.2 document, there is always the fear that failure to disclose an important need to update also gives miscreants a head start at putting an exploit in the wild. The LO security team was fully aware of this and there was no pre-emption on the part of the Apache OpenOffice project.

I personally want to acknowledge the forbearance of TDF and the LibreOffice security team in holding back so that the Apache OpenOffice team had this opportunity to serve those who continue to operate with OpenOffice 3.3.0 and earlier releases.

 - Dennis

-----Original Message-----
From: lohma...@googlemail.com [mailto:lohma...@googlemail.com] On Behalf Of Christian Lohmaier
Sent: Friday, March 23, 2012 05:24
To: discuss@documentfoundation.org
Subject: Re: [tdf-discuss] Re: Security Advisories

Hi NoOp,

On Fri, Mar 23, 2012 at 2:56 AM, NoOp <gl...@sbcglobal.net> wrote:
> On 03/22/2012 06:31 PM, Italo Vignoli wrote:
>> NoOp wrote:
>>> It would be nice if someone 'official' (a la TDF) could post the CVE-2012-0037 notice on both the user and announce lists.

The public was not supposed to know of this CVE, people should be given time to update to the fixed version before.

[ ... ]

But Apache-OOo made it public on their list, so we also had to make the info available.
http://mail-archives.apache.org/mod_mbox/incubator-ooo-dev/201203.mbox/%3CCAP-ksoj7o5%2B2YH-E4XzR044V0e3YZfZvuef7eJuNGhdy%2Bk9kyA%40mail.gmail.com%3E

> Neither do the release logs or release notes.

As above - this was intentional. No details about the security fixes until the upstream project makes the CVE public (the bug is in a third-party component that is shipped along with LibreOffice).

That of course doesn't mean it shouldn't be added now that the CVE is public.

ciao
Christian
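Dennis's remark that the flaw is reachable through a maliciously crafted ODF 1.2 document, together with the Red Hat bug title NoOp quoted ("raptor: XML External Entity (XXE) attack via RDF files"), suggests a pre-screening check a practitioner can run on incoming documents before opening them in an unpatched office suite. The script below is an added example written for this page; it is not code from this thread, from LibreOffice, from Apache OpenOffice or from raptor, and it is not the upstream fix. It treats the file as an ODF package (a zip whose first entry is `mimetype`), locates the RDF/XML parts (the assumption here is `manifest.rdf` at the package root plus any other entry ending in `.rdf`), and refuses the document if any of them declares a DOCTYPE or an external entity, which ODF metadata never legitimately needs. The two sample packages it builds are constructed inline for the demo; the entity declaration in the second is the generic XXE shape, not the payload from the actual report.

```python
"""Flag ODF packages whose RDF metadata parts carry DTD entity declarations.

Added example for the CVE-2012-0037 discussion (XXE via RDF files in an ODF
package). It is a pre-screening check, not the upstream fix: it does not parse
the RDF, it only refuses documents whose RDF parts declare a DOCTYPE or an
external entity, which well-formed ODF metadata never needs.
"""
import io
import re
import zipfile

# ODF packages are zip files whose first, uncompressed entry is 'mimetype'.
ODF_MIMETYPE_PREFIX = b"application/vnd.oasis.opendocument."

# Patterns for the XXE vector. Byte regexes, so they work before any decoding.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
EXTERNAL_ENTITY_RE = re.compile(
    rb"<!ENTITY\s+(?:%\s*)?[\w.\-]+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE
)


def is_odf_package(zf: zipfile.ZipFile) -> bool:
    """True when the archive carries an ODF 'mimetype' entry."""
    try:
        return zf.read("mimetype").startswith(ODF_MIMETYPE_PREFIX)
    except KeyError:
        return False


def rdf_parts(zf: zipfile.ZipFile) -> list:
    """Names of RDF/XML parts. Assumption: manifest.rdf at the package root plus
    any other entry ending in .rdf; ODF 1.2 lists further RDF files inside
    manifest.rdf, which this check deliberately does not parse."""
    return [n for n in zf.namelist()
            if n == "manifest.rdf" or n.lower().endswith(".rdf")]


def scan_odf(package: bytes) -> dict:
    """Return {part_name: [reasons]} for every RDF part with a DTD/entity declaration.

    An empty dict means no XXE-shaped markup was found. Raises ValueError for
    archives that are not ODF packages, so a caller cannot mistake 'not checked'
    for 'clean'.
    """
    findings = {}
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        if not is_odf_package(zf):
            raise ValueError("not an ODF package: no ODF mimetype entry")
        for name in rdf_parts(zf):
            content = zf.read(name)
            reasons = []
            if DOCTYPE_RE.search(content):
                reasons.append("DOCTYPE declaration")
            if EXTERNAL_ENTITY_RE.search(content):
                reasons.append("external ENTITY declaration")
            if reasons:
                findings[name] = reasons
    return findings


def build_package(manifest_rdf: bytes) -> bytes:
    """Constructed minimal ODF-like text package for the demo; not a real
    LibreOffice-produced file, just enough structure for scan_odf()."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # The mimetype entry must be first and stored without compression.
        zf.writestr(zipfile.ZipInfo("mimetype"),
                    b"application/vnd.oasis.opendocument.text",
                    compress_type=zipfile.ZIP_STORED)
        zf.writestr("content.xml",
                    b'<?xml version="1.0"?><office:document-content '
                    b'xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"/>')
        zf.writestr("manifest.rdf", manifest_rdf)
    return buf.getvalue()


# Constructed sample RDF parts. The second carries the generic XXE shape
# (an external entity referenced from a literal), not the payload from the report.
BENIGN_RDF = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"/>\n'
)
XXE_RDF = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b'<!DOCTYPE rdf:RDF [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>\n'
    b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"\n'
    b'         xmlns:dc="http://purl.org/dc/elements/1.1/">\n'
    b'  <rdf:Description rdf:about=""><dc:title>&xxe;</dc:title></rdf:Description>\n'
    b'</rdf:RDF>\n'
)


if __name__ == "__main__":
    for label, rdf in (("benign", BENIGN_RDF), ("xxe", XXE_RDF)):
        print(label, scan_odf(build_package(rdf)) or "clean")
```

The check is deliberately a reject-on-sight filter rather than a parser: the point is to refuse a DTD in a place where one never belongs, so it catches the external-entity case regardless of what the RDF itself says. Real deployments would extend `rdf_parts` to read the entries that manifest.rdf itself lists, and would apply the same rule to the other XML parts of the package.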
[tdf-discuss] Re: Security Advisories
On 03/23/2012 05:24 AM, Christian Lohmaier wrote:
> Hi NoOp,
>
> On Fri, Mar 23, 2012 at 2:56 AM, NoOp <gl...@sbcglobal.net> wrote:
>> On 03/22/2012 06:31 PM, Italo Vignoli wrote:
>>> NoOp wrote:
>>>> It would be nice if someone 'official' (a la TDF) could post the CVE-2012-0037 notice on both the user and announce lists.
>
> The public was not supposed to know of this CVE, people should be given time to update to the fixed version before. See e.g.
> http://blog.documentfoundation.org/2011/10/05/the-document-foundation-publishes-details-of-libreoffice-3-4-3-security-fixes/
> Following industry best practice, details of security fixes are withheld until users have been given time to migrate to the new version.

I think that you and Simon are missing the message I was attempting to convey. I'll repeat my original question:

Why is it that security advisories such as this:
https://www.libreoffice.org/advisories/CVE-2012-0037/
are not posted on the user or announce lists?

So I fail to understand why you, Simon, seem to think that I'm complaining about not receiving the notice prior to the LO public announcement. My posting of how I found out about the security issue (Red Hat bug report, AOO user list) was meant to point out that I do not check into www.libreoffice.org daily; I do, however, check the lists that I'm subscribed to on a regular basis (user/announce/security announce/bug/etc. lists). LibreOffice/TDF does not have a 'Security Announce' list.

Why so much resistance in asking that the same advisory that is posted on the web site be posted on the User and Announce lists as well? Or at least the User list (and any official web forums if there is one) so that users are made aware and can take action?

Not posting such announcements on the LO User list results in threads like this:
http://listarchives.libreoffice.org/global/users/msg18326.html
[libreoffice-users] CVE-2012-0337 ...
Re: [tdf-discuss] Re: Security Advisories
On 23 Mar 2012, at 18:13, NoOp wrote:
> I think that you and Simon are missing the message I was attempting to convey. I'll repeat my original question:
>
> Why is it that security advisories such as this:
> https://www.libreoffice.org/advisories/CVE-2012-0037/
> are not posted on the user or announce lists?

No, I'm getting it :-) I just happen to think that a message on the tdf-announce list stating there is a new release that fixes a security issue and pointing to the CVE would be sufficient, as everyone here presumably follows that list. People can then follow up the announcement on whichever list(s) they want. I am not a fan of redundant cross-posting.

In my view all that's gone wrong this time is that the CVE was not listed in the release announcement. That should probably be fixed next time.

S.
Re: [tdf-discuss] Re: Security Advisories
Simon Phipps wrote:
> In my view all that's gone wrong this time is that the CVE was not listed in the release announcement. That should probably be fixed next time.

Hi Simon, all,

well - it's not that easy. The rationale to act as we did was this: we wanted to release 3.4.6 as early as possible, announce it - and in the announcement hint at the fact that this version includes security fixes. Lifting embargoes on CVEs is customarily left to other entities rather than downstream consumers - at any rate, giving users the time to upgrade before such a thing goes widely public with all the details is just responsible IMO.

So what we did, and will do in the future, is release a version, mention security fixes in a rather generic way (if there are any), and after our users had time to upgrade, follow up with more details (see e.g. http://blog.documentfoundation.org/2011/10/05/the-document-foundation-publishes-details-of-libreoffice-3-4-3-security-fixes/ for how we handled that for 3.4.3).

Cheers,

-- Thorsten