Posted to dev@openoffice.apache.org by "Dennis E. Hamilton" <de...@acm.org> on 2011/12/12 19:21:33 UTC

Handling and Reporting CVEs (was RE: Proposal: ooo-announce list)

Well, the Apache practice is clear.

Putting a CVE number in a patch is probably not the way to execute on that practice, but that is not an Apache patch you are looking at.

Red Hat also has a very large list of CVEs that you can find in their issue tracker and elsewhere.  I am not clear when and how those show up and I don't know what it means when such an issue is shown as unresolved, either.

LibreOffice might want to take a page from the time-tested ASF Security procedures with regard to avoiding premature disclosure, etc.

Having said that, we are all learning on the job with regard to security issues surrounding the OpenOffice.org family.  As the product becomes a more-profitable target for culprits, I am certain that there will be more to learn.

 - Dennis

PS: It might be nice to have a single public place to discuss just these practices across the family without deflecting the reporting lists from their focused purpose with regard to receiving and assessing vulnerability and exploit reports.  Although I think one would be useful to have, there does not seem to be much interest on the part of the various security teams.



-----Original Message-----
From: Andrea Pescetti [mailto:pescetti@openoffice.org] 
Sent: Monday, December 12, 2011 07:14
To: ooo-dev@incubator.apache.org
Subject: Re: Proposal: ooo-announce list

On 11/12/2011 Rob Weir wrote:
> The practice is to check in such fixes without making it evident to
> the observer that it is security-related.  So don't expect SVN
> comments to give it away.

Like this?
http://cgit.freedesktop.org/libreoffice/core/commit/?id=cf5d0e20f2ba5a71f9ca2ed78a1b24841c97bb06

I know the example is from LibreOffice (even though the bug might be 
shared with OpenOffice.org or Apache OpenOffice) but I just happened to 
spot it and it doesn't seem particularly hidden... Such a policy would 
have to apply to all related projects (again, I totally don't know if 
this bug is related to Apache OpenOffice too, I'm just discussing the 
issue in general).

Regards,
   Andrea.


Re: Handling and Reporting CVEs (was RE: Proposal: ooo-announce list)

Posted by Rob Weir <ro...@apache.org>.
On Mon, Dec 12, 2011 at 7:07 PM, Dennis E. Hamilton
<de...@acm.org> wrote:
> I meant an inter-project list, not an intra-project list.
>

You said, "OpenOffice-ecosystem public discuss list"  That is
perfectly fine for ooo-dev.

Any other project that is serious about the "OpenOffice ecosystem"
will already have members subscribed to ooo-dev.  This is where the
project has its grand conversation.  This is where the work happens.
This is where consensus is reached.

-Rob

> -----Original Message-----
> From: Rob Weir [mailto:robweir@apache.org]
> Sent: Monday, December 12, 2011 14:05
> To: ooo-dev@incubator.apache.org
> Subject: Re: Handling and Reporting CVEs (was RE: Proposal: ooo-announce list)
>
> On Mon, Dec 12, 2011 at 4:54 PM, Dennis E. Hamilton
> <de...@acm.org> wrote:
>> I don't have any doubts about Apache-wide handling of CVEs, and guidance to security teams within Apache projects is complete and comprehensive.
>>
>> I was thinking more about an OpenOffice-ecosystem public discuss list where the various security teams for OpenOffice.org code-based products can work out mutual agreements on security issues and the CVEs that impact common features. It should be separate from the private, sensitive lists that are only for reports of security issues.
>>
>
> If it is not private, then how about here on ooo-dev?
>
> Although one could imagine a set of additional list for every dev
> specialization in the project, I'm not sure we really need a separate
> public list for security.   But once you get started, it is hard to
> stop: security, then qa, localization, performance, accessibility, UI,
> doc, help, install, etc.  Creating lists and putting boxes around
> things is very clean and logical.  I assume that is how OOo ended up
> with 300+ of them.
>
>>  - Dennis
>>
>> -----Original Message-----
>> From: Daniel Shahaf [mailto:d.s@daniel.shahaf.name]
>> Sent: Monday, December 12, 2011 11:27
>> To: Dennis E. Hamilton
>> Cc: ooo-dev@incubator.apache.org
>> Subject: Re: Handling and Reporting CVEs (was RE: Proposal: ooo-announce list)
>>
>> Dennis E. Hamilton wrote on Mon, Dec 12, 2011 at 10:21:33 -0800:
>>> PS: It might be nice to have a single public place to discuss just
>>> these practices across the family without deflecting the reporting
>>> lists from their focused purpose with regard to receiving and
>>> assessing vulnerability and exploit reports.  Although I think one
>>> would be useful to have, there does not seem to be much interest on
>>> the part of the various security teams.
>>>
>>
>> If you want to have an Apache-wide discussion about how to handle CVEs
>> I'm sure there's an existing list appropriate for that.
>> [ ... ]
>>
>

RE: Handling and Reporting CVEs (was RE: Proposal: ooo-announce list)

Posted by "Dennis E. Hamilton" <de...@acm.org>.
I meant an inter-project list, not an intra-project list.  

-----Original Message-----
From: Rob Weir [mailto:robweir@apache.org] 
Sent: Monday, December 12, 2011 14:05
To: ooo-dev@incubator.apache.org
Subject: Re: Handling and Reporting CVEs (was RE: Proposal: ooo-announce list)

On Mon, Dec 12, 2011 at 4:54 PM, Dennis E. Hamilton
<de...@acm.org> wrote:
> I don't have any doubts about Apache-wide handling of CVEs, and guidance to security teams within Apache projects is complete and comprehensive.
>
> I was thinking more about an OpenOffice-ecosystem public discuss list where the various security teams for OpenOffice.org code-based products can work out mutual agreements on security issues and the CVEs that impact common features. It should be separate from the private, sensitive lists that are only for reports of security issues.
>

If it is not private, then how about here on ooo-dev?

Although one could imagine a set of additional list for every dev
specialization in the project, I'm not sure we really need a separate
public list for security.   But once you get started, it is hard to
stop: security, then qa, localization, performance, accessibility, UI,
doc, help, install, etc.  Creating lists and putting boxes around
things is very clean and logical.  I assume that is how OOo ended up
with 300+ of them.

>  - Dennis
>
> -----Original Message-----
> From: Daniel Shahaf [mailto:d.s@daniel.shahaf.name]
> Sent: Monday, December 12, 2011 11:27
> To: Dennis E. Hamilton
> Cc: ooo-dev@incubator.apache.org
> Subject: Re: Handling and Reporting CVEs (was RE: Proposal: ooo-announce list)
>
> Dennis E. Hamilton wrote on Mon, Dec 12, 2011 at 10:21:33 -0800:
>> PS: It might be nice to have a single public place to discuss just
>> these practices across the family without deflecting the reporting
>> lists from their focused purpose with regard to receiving and
>> assessing vulnerability and exploit reports.  Although I think one
>> would be useful to have, there does not seem to be much interest on
>> the part of the various security teams.
>>
>
> If you want to have an Apache-wide discussion about how to handle CVEs
> I'm sure there's an existing list appropriate for that.
> [ ... ]
>


Re: Handling and Reporting CVEs (was RE: Proposal: ooo-announce list)

Posted by Rob Weir <ro...@apache.org>.
On Mon, Dec 12, 2011 at 4:54 PM, Dennis E. Hamilton
<de...@acm.org> wrote:
> I don't have any doubts about Apache-wide handling of CVEs, and guidance to security teams within Apache projects is complete and comprehensive.
>
> I was thinking more about an OpenOffice-ecosystem public discuss list where the various security teams for OpenOffice.org code-based products can work out mutual agreements on security issues and the CVEs that impact common features. It should be separate from the private, sensitive lists that are only for reports of security issues.
>

If it is not private, then how about here on ooo-dev?

Although one could imagine a set of additional list for every dev
specialization in the project, I'm not sure we really need a separate
public list for security.   But once you get started, it is hard to
stop: security, then qa, localization, performance, accessibility, UI,
doc, help, install, etc.  Creating lists and putting boxes around
things is very clean and logical.  I assume that is how OOo ended up
with 300+ of them.

>  - Dennis
>
> -----Original Message-----
> From: Daniel Shahaf [mailto:d.s@daniel.shahaf.name]
> Sent: Monday, December 12, 2011 11:27
> To: Dennis E. Hamilton
> Cc: ooo-dev@incubator.apache.org
> Subject: Re: Handling and Reporting CVEs (was RE: Proposal: ooo-announce list)
>
> Dennis E. Hamilton wrote on Mon, Dec 12, 2011 at 10:21:33 -0800:
>> PS: It might be nice to have a single public place to discuss just
>> these practices across the family without deflecting the reporting
>> lists from their focused purpose with regard to receiving and
>> assessing vulnerability and exploit reports.  Although I think one
>> would be useful to have, there does not seem to be much interest on
>> the part of the various security teams.
>>
>
> If you want to have an Apache-wide discussion about how to handle CVEs
> I'm sure there's an existing list appropriate for that.
> [ ... ]
>

RE: Handling and Reporting CVEs (was RE: Proposal: ooo-announce list)

Posted by "Dennis E. Hamilton" <de...@acm.org>.
I don't have any doubts about Apache-wide handling of CVEs, and guidance to security teams within Apache projects is complete and comprehensive.

I was thinking more about an OpenOffice-ecosystem public discuss list where the various security teams for OpenOffice.org code-based products can work out mutual agreements on security issues and the CVEs that impact common features. It should be separate from the private, sensitive lists that are only for reports of security issues.

 - Dennis

-----Original Message-----
From: Daniel Shahaf [mailto:d.s@daniel.shahaf.name] 
Sent: Monday, December 12, 2011 11:27
To: Dennis E. Hamilton
Cc: ooo-dev@incubator.apache.org
Subject: Re: Handling and Reporting CVEs (was RE: Proposal: ooo-announce list)

Dennis E. Hamilton wrote on Mon, Dec 12, 2011 at 10:21:33 -0800:
> PS: It might be nice to have a single public place to discuss just
> these practices across the family without deflecting the reporting
> lists from their focused purpose with regard to receiving and
> assessing vulnerability and exploit reports.  Although I think one
> would be useful to have, there does not seem to be much interest on
> the part of the various security teams.
> 

If you want to have an Apache-wide discussion about how to handle CVEs
I'm sure there's an existing list appropriate for that.
[ ... ]


Re: Handling and Reporting CVEs (was RE: Proposal: ooo-announce list)

Posted by Daniel Shahaf <d....@daniel.shahaf.name>.
Dennis E. Hamilton wrote on Mon, Dec 12, 2011 at 10:21:33 -0800:
> Well, the Apache practice is clear.
> 
> Putting a CVE number in a patch is probably not the way to execute on that practice, but that is not an Apache patch you are looking at.
> 
> Red Hat also has a very large list of CVEs that you can find in their issue tracker and elsewhere.  I am not clear when and how those show up and I don't know what it means when such an issue is shown as unresolved, either.
> 
> LibreOffice might want to take a page from the time-tested ASF Security procedures with regard to avoiding premature disclosure, etc.
> 
> Having said that, we are all learning on the job with regard to security issues surrounding the OpenOffice.org family.  As the product becomes a more-profitable target for culprits, I am certain that there will be more to learn.
> 
>  - Dennis
> 
> PS: It might be nice to have a single public place to discuss just
> these practices across the family without deflecting the reporting
> lists from their focused purpose with regard to receiving and
> assessing vulnerability and exploit reports.  Although I think one
> would be useful to have, there does not seem to be much interest on
> the part of the various security teams.
> 

If you want to have an Apache-wide discussion about how to handle CVEs
I'm sure there's an existing list appropriate for that.

> 
> 
> -----Original Message-----
> From: Andrea Pescetti [mailto:pescetti@openoffice.org] 
> Sent: Monday, December 12, 2011 07:14
> To: ooo-dev@incubator.apache.org
> Subject: Re: Proposal: ooo-announce list
> 
> On 11/12/2011 Rob Weir wrote:
> > The practice is to check in such fixes without making it evident to
> > the observer that it is security-related.  So don't expect SVN
> > comments to give it away.
> 
> Like this?
> http://cgit.freedesktop.org/libreoffice/core/commit/?id=cf5d0e20f2ba5a71f9ca2ed78a1b24841c97bb06
> 
> I know the example is from LibreOffice (even though the bug might be 
> shared with OpenOffice.org or Apache OpenOffice) but I just happened to 
> spot it and it doesn't seem particularly hidden... Such a policy would 
> have to apply to all related projects (again, I totally don't know if 
> this bug is related to Apache OpenOffice too, I'm just discussing the 
> issue in general).
> 
> Regards,
>    Andrea.
>