Security vulnerabilities in AOO?


Security vulnerabilities in AOO?

Jörg Schmidt-2
Hello,

the following question is primarily for my information and not to start a discussion.

Is there a place where security vulnerabilities in AOO are centrally documented? (*) (Or do you have to look for them yourself in Bugzilla?)

(*)
I don't mean https://www.openoffice.org/security/bulletin.html because only fixed vulnerabilities are listed there.

Because there is criticism from LO regarding the security of AOO:
Is there even a common, fact-based basis on which this criticism is discussed between LO and AOO?


Why do I ask this?
(a)
Because I think there are security holes in AOO, but I don't have the factual knowledge.
(b)
Because I _don't_ think we should leave the public(**) discussion of vulnerabilities to LO alone.

(**)
especially the public discussion in the literal sense, i.e. the discussion with the users, the discussion that also has points of contact with marketing issues.



greetings,
Jörg


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


Re: Security vulnerabilities in AOO?

Marcus (OOo)
On 22.12.20 at 09:05, Jörg Schmidt wrote:

> the following question is primarily for my information and not to start a discussion.
>
> Is there a place where security vulnerabilities in AOO are centrally documented?(*)

yes

Please note that we don't discuss any security related topics in
public. We are no different from other software projects.

When you have security related points then please use the security
mailing list.

Thanks

Marcus




Re: Security vulnerabilities in AOO?

Peter Kovacs-3

On 22.12.20 10:39, Marcus wrote:

> On 22.12.20 at 09:05, Jörg Schmidt wrote:
>
>> the following question is primarily for my information and not to
>> start a discussion.
>>
>> Is there a place where security vulnerabilities in AOO are centrally
>> documented?(*)
>
> yes
>
> Please note that we don't discuss any security related topics in the
> public. We are not different than other software projects.
>
> When you have security related points then please use the security
> mailing list.

I do not think that anyone on the security list will answer Jörg's
question if he tried. The lack of publicity is why I have left the list.

I am more of the opinion of Google (0-day security reports) and Linus
Torvalds that we have to be open with security issues.

But this is my personal opinion and does not need to be shared with
anyone else.

--
This is the Way! http://www.apache.org/theapacheway/index.html



RE: Security vulnerabilities in AOO?

Jörg Schmidt-2
In reply to this post by Marcus (OOo)
> -----Original Message-----
> From: Marcus [mailto:[hidden email]]
> Sent: Tuesday, December 22, 2020 10:39 AM
> To: [hidden email]
> Subject: Re: Security vulnerabilities in AOO?
>
> On 22.12.20 at 09:05, Jörg Schmidt wrote:
>
> > the following question is primarily for my information and
> not to start a discussion.
> >
> > Is there a place where security vulnerabilities in AOO are
> centrally documented?(*)
>
> yes
>
> Please note that we don't discuss any security related topics in the
> public. We are not different than other software projects.
>
> When you have security related points then please use the security
> mailing list.

Specifically, that would be: [hidden email]?

(Sorry, I have read https://www.apache.org/security/committers.html, but it is only apparent there what the list should be called if it exists, not whether it exists.)


greetings,
Jörg




RE: Security vulnerabilities in AOO?

Jörg Schmidt-2
In reply to this post by Peter Kovacs-3
> -----Original Message-----
> From: Peter Kovacs [mailto:[hidden email]]
> Sent: Tuesday, December 22, 2020 10:50 AM
> To: [hidden email]
> Subject: Re: Security vulnerabilities in AOO?
>
>
> On 22.12.20 10:39, Marcus wrote:
> > On 22.12.20 at 09:05, Jörg Schmidt wrote:
> >
> >> the following question is primarily for my information and not to
> >> start a discussion.
> >>
> >> Is there a place where security vulnerabilities in AOO are
> centrally
> >> documented?(*)
> >
> > yes
> >
> > Please note that we don't discuss any security related
> topics in the
> > public. We are not different than other software projects.
> >
> > When you have security related points then please use the security
> > mailing list.
>
> I do not think that anyone on the security List will answer Jörgs
> question if he tried. The lack of publicity, is why I have
> left the list.

Perhaps I may write a few explanatory words again:

I am confronted with criticism regarding the security of AOO, which reaches me via PM.
This relates to both my perspective as an AOO community member and my professional perspective as a service provider.

It is therefore of interest to me to consider how to answer such questions correctly (in the interest of the AOO project and in my own professional interest).
To do this, I need to acquire factual knowledge, and also understand which criticism is based on facts and which is (possibly) just based on anti-AOO marketing.



Jörg




Re: Security vulnerabilities in AOO?

Matthias Seidel
In reply to this post by Peter Kovacs-3
Hi Peter,

On 22.12.20 at 10:49, Peter Kovacs wrote:
>
> But this is my personal opinion and does not need to be shared with
> anyone else.

And that's why you posted this on a public mailing list? ;-)

Regards,

   Matthias




Re: Security vulnerabilities in AOO?

Peter Kovacs-3

On 22.12.20 11:11, Matthias Seidel wrote:
> Hi Peter,
>
> On 22.12.20 at 10:49, Peter Kovacs wrote:
>> But this is my personal opinion and does not need to be shared with
>> anyone else.
> And that's why you posted this on a public mailing list? ;-)
I phrased a bad sentence. I meant that you do not need to share my opinion.
>
> Regards,
>
>     Matthias
>
>
--
This is the Way! http://www.apache.org/theapacheway/index.html



Re: Security vulnerabilities in AOO?

Marcus (OOo)
In reply to this post by Jörg Schmidt-2
On 22.12.20 at 10:59, Jörg Schmidt wrote:

>> -----Original Message-----
>> From: Marcus [mailto:[hidden email]]
>> Sent: Tuesday, December 22, 2020 10:39 AM
>> To: [hidden email]
>> Subject: Re: Security vulnerabilities in AOO?
>>
>> On 22.12.20 at 09:05, Jörg Schmidt wrote:
>>
>>> the following question is primarily for my information and
>> not to start a discussion.
>>>
>>> Is there a place where security vulnerabilities in AOO are
>> centrally documented?(*)
>>
>> yes
>>
>> Please note that we don't discuss any security related topics in the
>> public. We are not different than other software projects.
>>
>> When you have security related points then please use the security
>> mailing list.
>
> Specifically, that would be: [hidden email]?

yes

Marcus




Re: Security vulnerabilities in AOO?

Marcus (OOo)
In reply to this post by Jörg Schmidt-2
On 22.12.20 at 11:08, Jörg Schmidt wrote:

>> -----Original Message-----
>> From: Peter Kovacs [mailto:[hidden email]]
>> Sent: Tuesday, December 22, 2020 10:50 AM
>> To: [hidden email]
>> Subject: Re: Security vulnerabilities in AOO?
>>
>> On 22.12.20 10:39, Marcus wrote:
>>> On 22.12.20 at 09:05, Jörg Schmidt wrote:
>>>
>>>> the following question is primarily for my information and not to
>>>> start a discussion.
>>>>
>>>> Is there a place where security vulnerabilities in AOO are
>> centrally
>>>> documented?(*)
>>>
>>> yes
>>>
>>> Please note that we don't discuss any security related
>> topics in the
>>> public. We are not different than other software projects.
>>>
>>> When you have security related points then please use the security
>>> mailing list.
>>
>> I do not think that anyone on the security List will answer Jörgs
>> question if he tried. The lack of publicity, is why I have
>> left the list.
>
> Perhaps I may write a few explanatory words again:
>
> I am confronted with criticism regarding the security of AOO, which reaches me via PM.
> This relates to both my perspective as an AOO community member and my professional perspective as a service provider.
>
> It is therefore of interest to me to consider how to answer such questions correctly (in the interest of the AOO project and in my own professional interest).
> To do this, I need to acquire factual knowledge, and also understand which criticism is based on facts and which is (possibly) just based on anti-AOO marketing.

I don't understand why you try to answer these things. It's absolutely
OK when you go the easy way and just point them to the security@ mailing
list.

Thanks

Marcus




RE: Security vulnerabilities in AOO?

Jörg Schmidt-2
> -----Original Message-----
> From: Marcus [mailto:[hidden email]]
> Sent: Tuesday, December 22, 2020 12:37 PM
> To: [hidden email]
> Subject: Re: Security vulnerabilities in AOO?

> > To do this, I need to acquire factual knowledge, and also
> understand which criticism is based on facts and which is
> (possibly) just based on anti-AOO marketing.
>
> I don't understand why you try to answer these things. It's
> absolutely
> OK when you go the easy way and just point them to the
> security@ mailing
> list.

1.
Especially because I'm paid professionally as an IT consultant to answer questions like this for my customers.
Do you think customers who hear from others that AOO is supposedly insecure because it doesn't fix security problems quickly, would be pleased if I referred them to security@?

2.
What is the point of recommending that third parties refer to security@ when it says on https://www.apache.org/security/committers.html:

"They are _not intended to be used as a third-party notification system_ and non-committers should not be subscribed to the lists."


greetings,
Jörg




Re: Security vulnerabilities in AOO?

Dave Fisher-2
Hi -

> On Dec 22, 2020, at 7:37 AM, Jörg Schmidt <[hidden email]> wrote:
>
>> -----Original Message-----
>> From: Marcus [mailto:[hidden email]]
>> Sent: Tuesday, December 22, 2020 12:37 PM
>> To: [hidden email]
>> Subject: Re: Security vulnerabilities in AOO?
>
>>> To do this, I need to acquire factual knowledge, and also
>> understand which criticism is based on facts and which is
>> (possibly) just based on anti-AOO marketing.
>>
>> I don't understand why you try to answer these things. It's
>> absolutely
>> OK when you go the easy way and just point them to the
>> security@ mailing
>> list.
>
> 1.
> Especially because I'm paid professionally as an IT consultant to answer questions like this for my customers.
> Do you think customers who hear from others that AOO is supposedly insecure because it doesn't fix security problems quickly, would be pleased if I referred them to security@?

The purpose of [hidden email] <mailto:[hidden email]> is for security issues to be reported so that AOO PMC members are aware of the issue and can discuss the bug and fix with the reporter. The discussion includes the timing of disclosure.

AOO shares a security list with the TDF - [hidden email] <mailto:[hidden email]> - we see any discussions there on security@openoffice. LO's security issues are not always ours.

The best way to increase the frequency of any security fixes is to increase the frequency of minor releases.

>
> 2.
> What is the point of recommending that third parties refer to security@ when it says on https://www.apache.org/security/committers.html:
>
> "They are _not intended to be used as a third-party notification system_ and non-committers should not be subscribed to the lists."

This means that security@apache mailing lists are not for announcing CVEs. Users are notified of security fixes via announce@apache mailing lists. These notifications happen with or just after a release.

The security@ mailing lists are for detailed predisclosure discussion of reported security issues. These must be private. The PMC will privately determine if someone should be allowed to subscribe to [hidden email] <mailto:[hidden email]> and any ASF member can look to see what’s going on.

Should a security issue already be publicly disclosed, you can bring it up here on dev@. The developers can decide how much to keep more secret about the fix. It will depend on the exploit. For example, an exploit may actually expose a larger problem with additional not publicly known exploits.

I hope this helps.

Regards,
Dave

>
>
> greetings,
> Jörg
>
>


RE: Security vulnerabilities in AOO?

Jörg Schmidt-2
Hello,

> -----Original Message-----
> From: Dave Fisher [mailto:[hidden email]]
> Sent: Tuesday, December 22, 2020 8:25 PM
> To: dev
> Subject: Re: Security vulnerabilities in AOO?

> The purpose of [hidden email]
> <mailto:[hidden email]> is for security
> issues to be reported so that AOO PMC members are aware of
> the issue and can discuss the bug and fix with the reporter.
> The discussion includes the timing of disclosure.
>
> AOO shares a security list with the TDF -
> [hidden email]
> <mailto:[hidden email]> - we see any
> discussions there on security@openoffice. LOs security issues
> are not always ours.

short question:
So it is correct that if I subscribe to [hidden email] I can read all the security related things from AOO and LO on one list?


> The best way to increase the frequency of any security fixes
> is to increase the frequency of minor releases.

This is an interesting piece of information because it is, obviously, suitable to explain the release behavior of LO.

(A release behavior that I have been criticizing for years, because it causes a disproportionate number of practical problems.)

> I hope this helps.

yes, thank you.



greetings,
Jörg




Re: Security vulnerabilities in AOO?

Peter Kovacs-3
In reply to this post by Dave Fisher-2
Hi all,

On 22.12.20 20:24, Dave Fisher wrote:

> Hi -
>
>> On Dec 22, 2020, at 7:37 AM, Jörg Schmidt <[hidden email]> wrote:
>>
>>> -----Original Message-----
>>> From: Marcus [mailto:[hidden email]]
>>> Sent: Tuesday, December 22, 2020 12:37 PM
>>> To: [hidden email]
>>> Subject: Re: Security vulnerabilities in AOO?
>>>> To do this, I need to acquire factual knowledge, and also
>>> understand which criticism is based on facts and which is
>>> (possibly) just based on anti-AOO marketing.
>>>
>>> I don't understand why you try to answer these things. It's
>>> absolutely
>>> OK when you go the easy way and just point them to the
>>> security@ mailing
>>> list.
>> 1.
>> Especially because I'm paid professionally as an IT consultant to answer questions like this for my customers.
>> Do you think customers who hear from others that AOO is supposedly insecure because it doesn't fix security problems quickly, would be pleased if I referred them to security@?
> The purpose of [hidden email] <mailto:[hidden email]> is for security issues to be reported so that AOO PMC members are aware of the issue and can discuss the bug and fix with the reporter. The discussion includes the timing of disclosure.
>
> AOO shares a security list with the TDF - [hidden email] <mailto:[hidden email]> - we see any discussions there on security@openoffice. LOs security issues are not always ours.
>
> The best way to increase the frequency of any security fixes is to increase the frequency of minor releases.

Nononono. We have about 1 security incident within one year. At
least that has been the statistical case during the time I was involved
with security (2017 - 2020). There is no hint that we need more minor
releases because of security. More minor releases would automatically
come if we fixed more stuff. However, we are usually fixing things in
the second half of the year. So it all ends up in this one end-of-year release
we schedule.

There is a lot of software in the OpenSource and non-OpenSource
environment which does not close all issues within the disclosure time.
That does not make software insecure, does it? The type of open issue makes
software insecure, and the ability to install it on a system. Just think
about the security discussion within the Android environment for a minute.
We have fixed all big published issues. Maybe not within industry
expectations, but they are fixed. And we roll the fix out to be
available to over 90 percent of our users. I think in the end we
provide a good service for OpenOffice users, by our standards.

The standards the people raise can only be upheld if they are paid for.
Only then do you have the resources to work on time. LO is doing this with
their substantial business arm. Mainly Collabora and Red Hat are
involved. If those two players would stop their engagement, it would be a
major impact on the LO side. I want to loosely point here towards the
financial mail Michael Meeks has posted to the LO dev list, in order to
underline how little this is a free lunch. We can set up a security
service if there is interest / need. I have been looking into this since
Rafael tried to set up a business arm. And I have different pieces I can
follow up; all I need are interested founders for a security service
for AOO in order to see how big the funds are and what the most
efficient method is to reach the goal.

So if someone says download LO without paying for the service
because it is more secure, then they are damaging the LO service which
is making this possible. I say if you need or want industry-promised
security, you have to pay the industry. And then a sentence like
"everything that does not uphold an industry security standard is
insecure" means everything that you do not pay money for is insecure. Which
has been a long-standing argument against open source for a long time. It is
just a new flavor of an old argument.

My 2 cents.

Peter

--
This is the Way! http://www.apache.org/theapacheway/index.html



Re: Security vulnerabilities in AOO?

Bidouille
Thanks Peter for this POV.

> Mainly Collabora and Red Hat are involved.
> If those two player would stop their engagement, it would
> be a major impact on LO side.
RedHat was acquired by IBM in 2019.
IBM contributes to AOO (Lotus Symphony tribute).
So, why does RedHat not contribute to AOO?



Re: Security vulnerabilities in AOO?

Jim Jagielski
Many years ago I worked at RedHat and asked that RedHat allow that
all contributions be dual-licensed. All people then at RedHat involved in
LO adamantly refused. Even the CTO at the time refused to get involved.

> On Dec 23, 2020, at 5:37 AM, Bidouille <[hidden email]> wrote:
>
> Thanks Peter for this POV.
>
>> Mainly Collabora and Red Hat are involved.
>> If those two player would stop their engagement, it would
>> be a major impact on LO side.
> RedHat has been acquired by IBM since 2019.
> IBM contribute to AOO (Lotus Symphony tribute).
> So, why RedHat do not contribute to AOO?
>




Re: Security vulnerabilities in AOO?

Matthias Seidel
In reply to this post by Peter Kovacs-3
Hi Peter,

On 23.12.20 at 11:02, Peter Kovacs wrote:
> Mainly Collabora and Red Hat are involved. If those two player would
> stop their engagement, it would be a major impact on LO side.
>
> Peter
>
Personally, I expect IBM to pull RedHat's involvement in LO in the next year.
Collabora itself already forked LO Online and moved to GitHub.

That is the problem when a project is totally dependent on commits from
a few commercial players...

Regards,

   Matthias





RE: Security vulnerabilities in AOO?

Jörg Schmidt-2
> -----Original Message-----
> From: Matthias Seidel [mailto:[hidden email]]
> Sent: Wednesday, December 23, 2020 5:13 PM
> To: [hidden email]
> Subject: Re: Security vulnerabilities in AOO?
>
> Hi Peter,
>
> On 23.12.20 at 11:02, Peter Kovacs wrote:
> > Mainly Collabora and Red Hat are involved. If those two player would
> > stop their engagement, it would be a major impact on LO side.
> >
> > Peter
> >
> Personally, I expect IBM to pull RedHats involvement in LO in
> the next year.
> Collabora itself already forked LO Online and moved to GitHub.
>
> That is the problem, when a project is totally dependent on
> commits from
> a few commercial players...

And this is also an indication of the failure of the TDF, because the founding legend of the TDF was: 'we need a foundation to become independent from SUN/Oracle'


Jörg

