openoffice-dev mailing list archives

From "Dennis E. Hamilton" <orc...@apache.org>
Subject [REPORT] CVE-2016-1513 Security Advisory
Date Thu, 21 Jul 2016 16:43:13 GMT
[BCC AOO Users; BCC AOO PMC]

Today, advisory CVE-2016-1513 has been published with regard to disclosure of a potentially-exploitable
defect in crafted Impress documents.  The advisory can be found at <http://www.openoffice.org/security/cves/CVE-2016-1513.html>.

There is no updated release at this time.  There is action underway.  We can now discuss those
actions and also seek assistance in the wider community.

NEXT STEPS

As indicated in the advisory, a patch is already known and available for developer use.

In addition, the Apache OpenOffice security team has developed candidate "hot fix" binaries.
These are single shared-library files that can be manually installed by users in place of
the same file in the program directory of their Apache OpenOffice 4.1.2 installation.

There are two crucial concerns for the eventual release of a hotfix in this manner.  First,
we must have more testing of the hotfix substitution to ensure that there is no regression
of any kind.  Secondly, the introduction of a hotfix is something that casual users must be
able to perform with confidence and reliability.  For that, we need to ensure that the procedures
provided are complete and reliable (and that users have a way to recover from any misstep).
So we also require community assistance in reviewing, applying, and revising the procedure.

Ultimately, the preferable solution is to have an automatic installer for the hotfix that
does not require manual manipulations in operating-system file locations.  Because localization
does not appear to be relevant to this fix, that is easier than producing complete localized
distributions for all platforms and languages.

Additional information and details for participating in the assurance of the available hotfix
replacements will be provided over the next couple of days.

Thank you for your continuing support and reliance on Apache OpenOffice.

 - Dennis E. Hamilton
   Chair, Apache OpenOffice Project Management Committee



