What do you expect to find that would have you be more satisfied the email is legitimate?
1. The mail is from the e-mail address of an Apache Committer and member of the Apache OpenOffice PMC. You can verify that.
2. The mail was signed using a PGP key associated with that email address and there are means to verify that.
3. There have been no subsequent messages indicating that there is an error or any sort of malicious activity here.

The difference between this CVE notice and others is this. Usually the notice is not made until there is a fix in a current release. In the case of CVE-2015-1774 and Apache OpenOffice, there is a mitigation recommendation and no fix at this time. This is not uncommon in the industry; it is simply a variation that has arisen for the first time with Apache OpenOffice.

April 25, 2015 is the agreed date at which notifications on this CVE are being made from those parties impacted by the defect. This is coordinated on private lists employed by the security community. That community and the original party have also been notified of the specific Apache OpenOffice status with respect to the vulnerability and the mitigation that is being announced.

You can find out more about CVE 2015-1774 by conducting an Internet Search. The disclosure information may trickle out and be posted in various places. The official reservation is here, <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1774>. Other notices will appear, such as this one: <https://security-tracker.debian.org/tracker/CVE-2015-1774>. You can expect to see more information at OpenOffice.org as well.

-- Dennis E. Hamilton
orc...@apache.org
dennis.hamil...@acm.org +1-206-779-9430
https://keybase.io/orcmid PGP F96E 89FF D456 628A
X.509 certs used and requested for signed e-mail

- - - - - - - - - - - - - -
From: Ken/Danuta McAdam [mailto:kenmca...@sympatico.ca]
Sent: Saturday, April 25, 2015 15:24
To: users@openoffice.apache.org
Subject: Fw: CVE-2015-1774: OpenOffice HWP Filter Remote Execution and DoS Vulnerability

Hello Apache

Is this mail legitimate?

Regards
Ken McAdam

-----Original Message-----
From: Herbert Duerr
Sent: Saturday, April 25, 2015 3:13 PM
To: annou...@openoffice.apache.org ; d...@openoffice.apache.org ; users@openoffice.apache.org
Subject: CVE-2015-1774: OpenOffice HWP Filter Remote Execution and DoS Vulnerability