What do you expect to find that would have you be more satisfied the email is 
legitimate?

1. The mail is from the e-mail address of an Apache Committer and member of 
the Apache OpenOffice PMC.  You can verify that.
2. The mail was signed using a PGP key associated with that email address and 
there are means to verify that.
3. There have been no subsequent messages indicating that there is an error or 
any sort of malicious activity here.

The difference between this CVE notice and others is this.  Usually the notice 
is not made until there is a fix in a current release.  In the case of 
CVE-2015-1774 and Apache OpenOffice, there is a mitigation recommendation and 
no fix at this time.  This is not uncommon in the industry; it is simply a 
variation that has arisen for the first time with Apache OpenOffice.

April 25, 2015 is the agreed date at which notifications on this CVE are being 
made from those parties impacted by the defect.  This is coordinated on 
private lists employed by the security community.  That community and the 
original party have also been notified of the specific Apache OpenOffice 
status with respect to the vulnerability and the mitigation that is being 
announced.

You can find out more about CVE-2015-1774 by conducting an Internet search. 
The disclosure information may trickle out and be posted in various places. 
The official reservation is here,
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1774>.  Other notices 
will appear, such as this one:
<https://security-tracker.debian.org/tracker/CVE-2015-1774>.

You can expect to see more information at OpenOffice.org as well.


 -- Dennis E. Hamilton
    orc...@apache.org
    dennis.hamil...@acm.org    +1-206-779-9430
    https://keybase.io/orcmid  PGP F96E 89FF D456 628A
    X.509 certs used and requested for signed e-mail

 - - - - - - - - - - - - - -
From: Ken/Danuta McAdam [mailto:kenmca...@sympatico.ca]
Sent: Saturday, April 25, 2015 15:24
To: users@openoffice.apache.org
Subject: Fw: CVE-2015-1774: OpenOffice HWP Filter Remote Execution and DoS 
Vulnerability

Hello Apache

Is this mail legitimate?

Regards

Ken McAdam


-----Original Message----- 
From: Herbert Duerr
Sent: Saturday, April 25, 2015 3:13 PM
To: annou...@openoffice.apache.org ; d...@openoffice.apache.org ; 
users@openoffice.apache.org
Subject: CVE-2015-1774: OpenOffice HWP Filter Remote Execution and DoS 
Vulnerability

Attachment: smime.p7s
Description: S/MIME cryptographic signature
