
Officially releasing a patch for CVE-2016-1513

From:  Andrea Pescetti <pescetti-AT-apache.org>
To:  "dev-AT-openoffice.apache.org" <dev-AT-openoffice.apache.org>
Subject:  Officially releasing a patch for CVE-2016-1513
Date:  Sun, 24 Jul 2016 23:37:40 +0200
Message-ID:  <57953524.30206@apache.org>

While the severity of the security bug we disclosed 
http://www.openoffice.org/security/cves/CVE-2016-1513.html is not 
particularly high (it is classified as "Medium" with no known exploits 
and anti-virus software can detect malicious documents), we should 
release an update incorporating the (already tested) patch we disclosed 
in the announcement.

I assume we will want to keep the effort minimal.

To do so, an outline would be:

1) We commit the patch to the AOO410 branch. This is the branch used for 
all the 4.1.x series. 4.2.0 isn't out yet, so 4.1.x is still our 
reference version.

2) We do not make any other changes to the AOO410 branch. This is really 
meant to be a minimal update. Even the version number in the source 
package will remain 4.1.2.

3) We tag the release as AOO4121 and build the corresponding source 
package, which will have 4.1.2.1 in its name (I mean the filename, 
nowhere else).

4) We don't prepare full end-user release binaries but we do supply 
repaired libraries for power users - remember the circumstances above. 
The bugfix modifies one library file, and we have binaries ready for 
several platforms already.

5) We vote on the source and possibly binaries. We advertise the 
availability of the new packages on our website, but we don't send out 
update notifications and we don't put the files on SourceForge.

Does this look OK?

Once this is done, we will probably want to open another discussion and 
see how we can coordinate for a release that incorporates more fixes or 
features and is made available in full form, with all localized 
installers, to end users. But the above is mostly aimed at having an 
official way to ship the existing patch.

Regards,
   Andrea.



Copyright © 2016, Eklektix, Inc.