Re: [libreoffice-users] Heartbleed checker for websites
2014-04-18 17:15 GMT+02:00 Paul D. Mirowsky p_mirow...@bentaxna.com: http://www.theregister.co.uk/2014/04/18/netcraft_ heartbleed_browser_extension/ If the Netcraft extension determines that a site was vulnerable before news of Heartbleed broke, it checks the date on the site's SSL certificate to make sure it has been recently replaced. If it hasn't, the extension displays an alert... Netcraft's updated browser extension is available as a free download for Firefox 1.0 and later; Chrome 26 and later on Windows, OS X, and Linux; and for Opera 15 and later on OS X and Windows. Versions for other browsers aren't available, unfortunately, which means users of Internet Explorer and Safari are left in the dark. From what I can see, Paul, the Netcraft Toolbar gives libreoffice.org a clean bill of health when checked with both FF and Chrome on my main machine running 64-bit Linux Mint 16. The conclusion I draw is that that website is safe to use, at least as regards Heartbleed Henri On 4/17/2014 2:12 PM, alnuwer wrote: Any idea when the Heartbleed bug will be fixed in LibreOffice? -- To unsubscribe e-mail to: users+unsubscr...@global.libreoffice.org Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.libreoffice.org/global/users/ All messages sent to this list will be publicly archived and cannot be deleted
Re: [libreoffice-users] Heartbleed
After hearing so many horrible scenarios related to this bug, I guess it's very easy to slip into paranoia mode. ;-) The heartbleed bug literally only ever affects web servers that communicate over a secure channel (and use libssl as the backend, obviously). The same library is used for client side as well, which is why LO is linked with it. Better safe than sorry of course, and linking with a fixed version certainly cannot do harm, but there really is no way to exploit this bug through LO (unless of course LO can be made to run as a https web server :-) ). As far as I know, uses of SSL/TLS other than on webservers don't use heartbeat as it is only relevant for remote network connections. On Fri, Apr 18, 2014 at 1:45 AM, Kracked_P_P---webmaster webmas...@krackedpress.com wrote: On 04/17/2014 04:13 PM, Cley Faye wrote: 2014-04-17 21:52 GMT+02:00 Tanstaafl tansta...@libertytrek.org: This is an OpenSSL bug, what does this have to do with Libreoffice? As far as I can tell, it's because LibreOffice was linked with a vulnerable version of openssl. It's never bad to be on the side of precautions by using the latest versions (especially if it provides bugfixes), but I'm not sure how an exploit on the server side of a TLS connection could cause issue in a client software. Better safe than sorry I suppose. Even some of MS's web based look-up for running some of their packages were affected by this bug and the certificate changes associated with the fix. At least IE is giving me those types of errors with a few support phone calls I have had in the last week or so. Any package that need to access anything that used the older version of OpenSSL for any part of its inner workings can be at issue and vulnerable. How much it is is a guessing game, according to everything I have read, since each tell me a wide range of answers. So, fixing the web sites is just the start. -- To unsubscribe e-mail to: users+unsubscr...@global.libreoffice.org Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to- unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.libreoffice.org/global/users/ All messages sent to this list will be publicly archived and cannot be deleted -- To unsubscribe e-mail to: users+unsubscr...@global.libreoffice.org Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.libreoffice.org/global/users/ All messages sent to this list will be publicly archived and cannot be deleted
Re: [libreoffice-users] Heartbleed
Please do NOT send to me directly, I'm on the list. On 4/17/2014 4:13 PM, Cley Faye cleyf...@gmail.com wrote: 2014-04-17 21:52 GMT+02:00 Tanstaafl tansta...@libertytrek.org: This is an OpenSSL bug, what does this have to do with Libreoffice? As far as I can tell, it's because LibreOffice was linked with a vulnerable version of openssl. Again... in what way was Libreoffice 'linked' to OpenSSL??? Libreoffice is NOT a communication package utilizing TCP/UDP connections, so, in what possible way could the heartbleed bug affect Libreoffice? It's never bad to be on the side of precautions by using the latest versions (especially if it provides bugfixes), but I'm not sure how an exploit on the server side of a TLS connection could cause issue in a client software. Better safe than sorry I suppose. Are you talking about the libreoffice WEBSITE? Thatr is completely different and totally unrelated to the SOFTWARE ON the site... Of course, unless you are concerned that the available downloads were replaced with infected versions... which I guess is not impossible. -- To unsubscribe e-mail to: users+unsubscr...@global.libreoffice.org Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.libreoffice.org/global/users/ All messages sent to this list will be publicly archived and cannot be deleted
Re: [libreoffice-users] Heartbleed
On 4/18/2014 2:54 AM, Ra ravi...@gmail.com wrote: As far as I know, uses of SSL/TLS other than on webservers don't use heartbeat as it is only relevant for remote network connections. You are wrong, so need to do a LOT more reading. But again... in what way does Libreoffice utilize TCP/UDP connectivity? What am I missing? Does it have a hidden built-in SSL client? -- To unsubscribe e-mail to: users+unsubscr...@global.libreoffice.org Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.libreoffice.org/global/users/ All messages sent to this list will be publicly archived and cannot be deleted
Re: [libreoffice-users] Heartbleed
2014-04-18 11:59 GMT+02:00 Tanstaafl tansta...@libertytrek.org: You are wrong, so need to do a LOT more reading. But again... in what way does Libreoffice utilize TCP/UDP connectivity? What am I missing? Does it have a hidden built-in SSL client? Ahem. Some *hidden* features, like, retrieving data from URL maybe? URL that may or may not contain the https protocol, thus needing some form of SSL/TLS handling? Like images, or custom data sources? Looks like a lot of peoples need to do a LOT more reading. -- To unsubscribe e-mail to: users+unsubscr...@global.libreoffice.org Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.libreoffice.org/global/users/ All messages sent to this list will be publicly archived and cannot be deleted
Re: [libreoffice-users] Heartbleed
On April 18, 2014 2:59:30 AM PDT, Tanstaafl wrote: But again... in what way does Libreoffice utilize TCP/UDP connectivity? What am I missing? Does it have a hidden built-in SSL client? Back in the days of StarOffice it did. Vestiges of it were in OOo 1.x. I don't know how much of it remains in LibO 4.x. The email client is long gone, but some of the structure it required is still present, and used. The web browser was never independently available. It is still present, and as primitive as it ever was. jonathon -- Your documents, your language, your way. -- To unsubscribe e-mail to: users+unsubscr...@global.libreoffice.org Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.libreoffice.org/global/users/ All messages sent to this list will be publicly archived and cannot be deleted
Re: [libreoffice-users] Heartbleed checker for websites
http://www.theregister.co.uk/2014/04/18/netcraft_heartbleed_browser_extension/ If the Netcraft extension determines that a site was vulnerable before news of Heartbleed broke, it checks the date on the site's SSL certificate to make sure it has been recently replaced. If it hasn't, the extension displays an alert... Netcraft's updated browser extension is available as a free download for Firefox 1.0 and later; Chrome 26 and later on Windows, OS X, and Linux; and for Opera 15 and later on OS X and Windows. Versions for other browsers aren't available, unfortunately, which means users of Internet Explorer and Safari are left in the dark. On 4/17/2014 2:12 PM, alnuwer wrote: Any idea when the Heartbleed bug will be fixed in LibreOffice? -- View this message in context: http://nabble.documentfoundation.org/Heartbleed-tp4105573.html Sent from the Users mailing list archive at Nabble.com. -- To unsubscribe e-mail to: users+unsubscr...@global.libreoffice.org Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.libreoffice.org/global/users/ All messages sent to this list will be publicly archived and cannot be deleted
Re: [libreoffice-users] Heartbleed
Hi, Le 17 avr. 2014 20:12, alnuwer alnu...@cox.net a écrit : Any idea when the Heartbleed bug will be fixed in LibreOffice? It's already done in 4.2.3.3 branch. The 4.1.x versions are not concerned. Kind regards Sophie -- To unsubscribe e-mail to: users+unsubscr...@global.libreoffice.org Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.libreoffice.org/global/users/ All messages sent to this list will be publicly archived and cannot be deleted
Re: [libreoffice-users] Heartbleed
On 4/17/2014 2:16 PM, Sophie Gautier gautier.sop...@gmail.com wrote: Hi, Le 17 avr. 2014 20:12, alnuweralnu...@cox.net a écrit : Any idea when the Heartbleed bug will be fixed in LibreOffice? It's already done in 4.2.3.3 branch. The 4.1.x versions are not concerned. ??? This is an OpenSSL bug, what does this have to do with Libreoffice? -- To unsubscribe e-mail to: users+unsubscr...@global.libreoffice.org Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.libreoffice.org/global/users/ All messages sent to this list will be publicly archived and cannot be deleted
Re: [libreoffice-users] Heartbleed
2014-04-17 21:52 GMT+02:00 Tanstaafl tansta...@libertytrek.org: This is an OpenSSL bug, what does this have to do with Libreoffice? As far as I can tell, it's because LibreOffice was linked with a vulnerable version of openssl. It's never bad to be on the side of precautions by using the latest versions (especially if it provides bugfixes), but I'm not sure how an exploit on the server side of a TLS connection could cause issue in a client software. Better safe than sorry I suppose. -- To unsubscribe e-mail to: users+unsubscr...@global.libreoffice.org Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.libreoffice.org/global/users/ All messages sent to this list will be publicly archived and cannot be deleted
Re: [libreoffice-users] Heartbleed
On 04/17/2014 04:13 PM, Cley Faye wrote: 2014-04-17 21:52 GMT+02:00 Tanstaafl tansta...@libertytrek.org: This is an OpenSSL bug, what does this have to do with Libreoffice? As far as I can tell, it's because LibreOffice was linked with a vulnerable version of openssl. It's never bad to be on the side of precautions by using the latest versions (especially if it provides bugfixes), but I'm not sure how an exploit on the server side of a TLS connection could cause issue in a client software. Better safe than sorry I suppose. Even some of MS's web based look-up for running some of their packages were affected by this bug and the certificate changes associated with the fix. At least IE is giving me those types of errors with a few support phone calls I have had in the last week or so. Any package that need to access anything that used the older version of OpenSSL for any part of its inner workings can be at issue and vulnerable. How much it is is a guessing game, according to everything I have read, since each tell me a wide range of answers. So, fixing the web sites is just the start. -- To unsubscribe e-mail to: users+unsubscr...@global.libreoffice.org Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.libreoffice.org/global/users/ All messages sent to this list will be publicly archived and cannot be deleted