[oi-dev] Security update: Update to LibreOffice 4.4.7

Bob Friesenhahn bfriesen at simple.dallas.tx.us
Sat Dec 26 17:26:34 UTC 2015


On Fri, 25 Dec 2015, Nikola M wrote:
>
> Also, information about CVEs that are not released yet does not require to be 
> public before package maintainer fixes it.
> That is what I think I understand thus far, am I right?

This depends on who reports and manages it.  To get advance notice of 
CVEs then one must agree to the terms of whoever is providing the 
advance notice.  For a "zero-day" type exploit which can be expected 
to be exploited immediately (but is not publicly known), it is common 
for fixes to be intentionally held back so that they are released to 
all operating systems on the same day.

Many/most CVEs are assigned for issues which are already publicly 
known.

Many security issues are found and fixed without any formal security 
report.  For example, the application developer might find that 
reading a particular file causes the application to core dump.  So 
they fix the bug and move on.  If someone else had noticed the 
problem, it may have been formally reported, with an assigned CVE id.

Bob
-- 
Bob Friesenhahn
bfriesen at simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/



