
Debian & general comment

Posted Oct 5, 2011 21:47 UTC (Wed) by Curan (subscriber, #66186)
Parent article: An odd vulnerability report for LibreOffice

As of this writing, only Debian has released a security update to address the problem, and that fix is only for OOo as Debian hasn't had a release that contains LO.

Well, even though it isn't released yet as a stable release, the LO versions in testing and unstable aren't affected either, as they are 3.4.3-1 and 3.4.3-3.

Apart from that, I really don't like the communication style. Bugs, including security issues, should be made public immediately. It would help users and administrators to take appropriate actions, including e.g. being extra careful about opening files that might trigger the bug. I hope all LO devs and/or TDF members won't do this again. Better to name a bug and allow all to take precautions than to leave everybody in the dark with the risk that some malware developer stumbles across something like this and takes advantage of it.



Debian & general comment

Posted Oct 6, 2011 2:56 UTC (Thu) by steffen780 (guest, #68142)

3.3.4 has been in Gentoo-testing since 17 Aug, stable on x86 on 4 Sep *. Though I'm not sure if Gentoo counts as a major distro.
More importantly, the LO project seriously needs to re-evaluate its policies on this. There are plenty of arguments for immediate as well as for delayed disclosure (I don't think that topic needs any further lengthy discussion), but as far as I know there's universal agreement that you always say when an update includes security fixes (or at least, like the kernel, say "this might include security fixes, everyone should update immediately"). Still, at least they fixed it.

Oh, and if the AOO project still can't watch its security mailbox, it should probably advise people to go to LO instead until they have had time to get set up with their duplicate project...

*: http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/a...

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds