

Hi :)
From what I heard, most of this is a case of the solution being more of a
hindrance than the actual problem was in the first place.

There is a LOT of politics at play here because OpenSSL was open source.
Apparently it was running on donations of about $2k/yr and less than
minimal staffing.  If all the companies using it donated 0.1% of their
income towards the project then it would be raking in millions.  So, it's
carefully being ignored that the last time OpenSSL had a problem was 15
years ago.

Taking advantage of this problem would have required an extreme amount of
skill and a huge amount of patience.  Each successful attack on a website
would scrape something like 64kb, or was it 16?  So getting anything useful
would take millions of attacks, which would probably have been noticed as a
sudden increase in network traffic and caused the website to crouch down in
defensive mode (or maybe even start counter-attacks in a tiny number of
cases).

The question is: are you storing valuable data on whichever website?  Is
your password to that site likely to give away all, or a lot of, the
passwords you use on other sites? How about the security question for when
you forget your password?  How much personal information does whichever
site hold about you and could that data be used to cause you some bother?
Even where the answers to all but q1 are "yes" you have to bear in mind
that they would have to be quick to deal with the tons of other people's
information they had scraped at the same time and could the criminal
process all that fast enough?

So most of the threat has been blown out of all proportion.  Of course we
still have to fix it but that has probably already been done and now we
just sit and wait for external recognition of that fact.  The people who
verify that are swamped so it might be a bit of a wait.

It might be a good idea to step up your own security over the next few
months.  Anyone continuing to use Internet Explorer deserves whatever they
get now more than ever.

Regards from
Tom :)







On 18 April 2014 19:51, Sophie <gautier.sophie@gmail.com> wrote:

Hi,
On 18/04/2014 20:33, alnuwer wrote:

Hi all,

To answer your specific question now:
On 18/04/2014 17:37, alnuwer wrote:
So I guess I have 3 choices:
Do nothing - I'm running version 4.2.2.1 (I have it set to auto update)
Go "back" to 4.1.5. Will I be giving up functionality?
Go to 4.2.3.3. But the release notes say it "remains targeted for early
adopters and private power users," which I'm not!

Each of the 4.2.x.x releases is for early adopters because the version
is still quite new and needs more tests to be said "Stable". If you use
a version of this branch you should always update to the last available.

So in layman terms, what is the difference between 4.2.2.1 and 4.1.5?

See above, the 4.1.5 version is stable and has been tested for a long
time now. If you want to use it for your daily work, you should always
stay with this branch 4.1.x, until the 4.2.x branch is said stable and
for all users.

Kind regards
Sophie

Thanks Sophie - I am updating to 4.2.3.3.
Recall, I started this thread because my password manager, LastPass,
flagged the site openoffice.org as vulnerable. The discussion took on a
life of its own regarding the OpenOffice application. I believe this was
goodness, but now, what about the openoffice.org site? Is it indeed
vulnerable? And if so, when will it get fixed?

Hey, you are on the LibreOffice list, so I don't know, maybe they need
to wait for the new certificate to be in place :) A lot of sites have
been affected and not all of them have been able to add the new
certificate quickly however they patched the OpenSSL security thing and
the site by itself was safe, only the new certificate needed to be
issued, at least that's what we've done on the LibreOffice
infrastructure side.

Kind regards
Sophie


--
To unsubscribe e-mail to: users+unsubscribe@global.libreoffice.org
Problems?
http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
List archive: http://listarchives.libreoffice.org/global/users/
All messages sent to this list will be publicly archived and cannot be
deleted

