Heartbleed

Any idea when the Heartbleed bug will be fixed in LibreOffice?

Hi,

Any idea when the Heartbleed bug will be fixed in LibreOffice?

It's already done in 4.2.3.3 branch. The 4.1.x versions are not concerned.
Kind regards
Sophie

???

This is an OpenSSL bug, what does this have to do with Libreoffice?

As far as I can tell, it's because LibreOffice was linked with a
"vulnerable" version of openssl.

It's never bad to be on the side of precautions by using the latest
versions (especially if it provides bugfixes), but I'm not sure how an
exploit on the server side of a TLS connection could cause issue in a
client software. Better safe than sorry I suppose.

Even some of MS's web based look-up for running some of their packages were affected by this bug and the certificate changes associated with the "fix". At least IE is giving me those types of errors with a few support phone calls I have had in the last week or so.

Any package that needs to access "anything" that used the older version of OpenSSL for any part of its inner workings can be at issue and vulnerable. How much it is is a guessing game, according to everything I have read, since each tells me a wide range of answers.

So, fixing the web sites is just the start.

After hearing so many horrible scenarios related to this bug, I guess it's
very easy to slip into paranoia mode. :wink:

The heartbleed bug literally only ever affects web servers that communicate
over a secure channel (and use libssl as the backend, obviously). The same
library is used for client side as well, which is why LO is linked with it.
Better safe than sorry of course, and linking with a fixed version
certainly cannot do harm, but there really is no way to exploit this bug
through LO (unless of course LO can be made to run as a https web server
:slight_smile: ). As far as I know, uses of SSL/TLS other than on webservers don't use
heartbeat as it is only relevant for remote network connections.

Please do NOT send to me directly, I'm on the list.

This is an OpenSSL bug, what does this have to do with Libreoffice?

As far as I can tell, it's because LibreOffice was linked with a
"vulnerable" version of openssl.

Again… in what way was Libreoffice 'linked' to OpenSSL???

Libreoffice is NOT a communication package utilizing TCP/UDP connections, so, in what possible way could the heartbleed bug affect Libreoffice?

It's never bad to be on the side of precautions by using the latest
versions (especially if it provides bugfixes), but I'm not sure how an
exploit on the server side of a TLS connection could cause issue in a
client software. Better safe than sorry I suppose.

Are you talking about the libreoffice WEBSITE? That is completely different and totally unrelated to the SOFTWARE ON the site...

Of course, unless you are concerned that the available downloads were replaced with infected versions... which I guess is not impossible.

You are wrong, so need to do a LOT more reading.

But again... in what way does Libreoffice utilize TCP/UDP connectivity? What am I missing? Does it have a hidden built-in SSL client?

Hi all,

I'm looking for a solution to a problem with Calc similar to many requests I read googling around.
Here the question:
I have an activity by month table and I want to write in every row the hours employed by some people on that job.
I need a way to get a quick look to the entire table so I can visually realize the people/day assignments and redistribute the next activities.
There are only a few people, so I assign a color to everyone and set a background color for the day that person made the job.

Example (only 9 days for briefness):
Anna: red
Marco: green
Laura: yellow

I need to have as a result the sums based on the background color:

Day   1  2  3  4  5  6  7  8  9   Anna  Marco  Laura
Jan   4  8  6  4  7  6  8  4  6     19     14     20
Feb   6  8  5  7  5  6  8  6        21     17     19
Mar   5  6  8  6  7  5  6  7  6     18     16     22

Any hint please?
Thank you all.

Franco

Ahem. Some *hidden* features, like, retrieving data from URL maybe? URL
that may or may not contain the "https" protocol, thus needing some form of
SSL/TLS handling? Like images, or custom data sources?

Looks like a lot of people need to do a LOT more reading.

Back in the days of StarOffice it did.
Vestiges of it were in OOo 1.x.
I don't know how much of it remains in LibO 4.x.

The email client is long gone, but some of the structure it required is still present, and used.
The web browser was never independently available. It is still present, and as primitive as it ever was.

jonathon

Errmm, when it is used in server (headless) mode and accepts connections
? I don't know whether this allows for SSL connections though.

Alex

I don't know any way to perform a calculation depending on the background colour of relevant cells. The CELL() function returns many properties, but not that one.

But you may be able to achieve what you need another way. Create cells styles with the chosen background colours. Instead of applying the background colour manually, enter the employee's name (or perhaps just an initial letter?) into a suitable column. You may even already have such a column. Then set the background colour of relevant cells using conditional formatting (Format | Conditional Formatting...) - though I think this would restrict you to three employees. Now create your sum formula - probably using SUMIF() - depending on the name data, not the background colours directly.

I trust this helps.

Brian Barker

http://www.theregister.co.uk/2014/04/18/netcraft_heartbleed_browser_extension/

"If the Netcraft extension determines that a site was vulnerable before news of Heartbleed broke, it checks the date on the site's SSL certificate to make sure it has been recently replaced. If it hasn't, the extension displays an alert.......

Netcraft's updated browser extension is available as a free download for Firefox 1.0 and later; Chrome 26 and later on Windows, OS X, and Linux; and for Opera 15 and later on OS X and Windows. Versions for other browsers aren't available, unfortunately, which means users of Internet Explorer and Safari are left in the dark."

So I guess I have 3 choices:
Do nothing - I'm running version 4.2.2.1 (I have it set to auto update)
Go "back" to 4.1.5. Will I be giving up functionality?
Go to 4.2.3.3. But the release notes say it "remains targeted for early
adopters and private power users," which I'm not!

So in layman terms, what is the difference between 4.2.2.1 and 4.1.5?

Hi all,

Top posting to answer to all, the risk for LibreOffice users was when
using remote location like webdav or cmis. But again, LibreOffice 4.1.x
branch is not touched by Heartbleed because the OpenSSL library used
doesn't have the bug. In the LibreOffice 4.2.x branch, the last 4.2.3.3
fixes the OpenSSL library used, so if you use this branch, you should
update to the last released version. But again the risk for LO was
rather low.

To answer your specific question now:

So I guess I have 3 choices:
Do nothing - I'm running version 4.2.2.1 (I have it set to auto update)
Go "back" to 4.1.5. Will I be giving up functionality?
Go to 4.2.3.3. But the release notes say it "remains targeted for early
adopters and private power users," which I'm not!

Each of the 4.2.x.x releases are for early adopters because the version
is still quite new and needs more tests to be said "Stable". If you use
version of this branch you should always update to the last available.

So in layman terms, what is the difference between 4.2.2.1 and 4.1.5?

See above, the 4.1.5 version is stable and has been tested for a long
time now. If you want to use it for your daily work, you should always
stay with this branch 4.1.x, until the 4.2.x branch is said stable and
for all users.

Kind regards
Sophie

Thanks Sophie - I am updating to 4.2.3.3.
Recall, I started this thread because my password manager, LastPass, flagged
the site openoffice.org as vulnerable. The discussion took on a life of its
own regarding the OpenOffice application. I believe this was goodness, but
now, what about the openoffice.org site? Is it indeed vulnerable? And if so,
when will it get fixed?

Hi,

Hey, you are on the LibreOffice list, so I don't know, may be they need
to wait for the new certificate to be in place :slight_smile: A lot of sites have
been affected and not all of them have been able to add the new
certificate quickly however they patched the OpenSSL security thing and
the site by itself was safe, only the new certificate needed to be
issued, at least that's what we've done on the LibreOffice
infrastructure side.

Kind regards
Sophie
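
The check described in the Netcraft quote and in the reply above (OpenSSL patched, but the certificate still has to be reissued), as an added example that is not part of the thread. The disclosure date of 7 April 2014, the function names and the sample rows are assumptions introduced here; the version range is upstream OpenSSL 1.0.1 through 1.0.1f.

```python
import re
import ssl
from datetime import datetime, timezone

# Assumption: Heartbleed's public disclosure date, used as the cut-off
# for "certificate replaced since the bug became known".
DISCLOSED = datetime(2014, 4, 7, tzinfo=timezone.utc)

_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]?)")

def heartbleed_affected(version_string):
    """True for upstream OpenSSL 1.0.1 through 1.0.1f (1.0.1g has the fix).

    Distribution packages may backport the fix without changing the
    letter, so True means "check the package changelog", not proof.
    """
    match = _VERSION.search(version_string)
    if match is None:
        raise ValueError(f"no OpenSSL version in {version_string!r}")
    release = tuple(int(part) for part in match.group(1, 2, 3))
    return release == (1, 0, 1) and match.group(4) < "g"

def cert_issued(cert):
    """notBefore of a dict shaped like ssl.SSLSocket.getpeercert()."""
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])
    return datetime.fromtimestamp(seconds, tz=timezone.utc)

def triage(version_before, version_now, cert):
    """Classify one TLS endpoint from inventory data (no network access)."""
    if not heartbleed_affected(version_before):
        return "never affected"
    if heartbleed_affected(version_now):
        return "still vulnerable: upgrade OpenSSL"
    if cert_issued(cert) < DISCLOSED:
        return "patched, certificate not replaced"
    return "patched, certificate replaced"

# Constructed inventory rows (version before, version now, cert notBefore).
SAMPLE = [
    ("OpenSSL 0.9.8y 5 Feb 2013", "OpenSSL 0.9.8y 5 Feb 2013", "Jan 10 00:00:00 2014 GMT"),
    ("OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1g 7 Apr 2014", "Mar 12 00:00:00 2014 GMT"),
    ("OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1g 7 Apr 2014", "Apr 15 00:00:00 2014 GMT"),
]

if __name__ == "__main__":
    for before, now, not_before in SAMPLE:
        print(triage(before, now, {"notBefore": not_before}))
```
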

Hi :slight_smile:
Ok, so since you are already using 4.2.2 you are already an "early adopter
or private power-user" even if you don't feel confident about that label.
The 4.2.3 fixes a few things that would normally need a "private power
user" to handle. Since you've not had any problems with the 4.2.2 you can
comfortably update to the 4.2.3.
Regards from
Tom :slight_smile:

Hi :slight_smile:
From what I heard most of this is a case of the solution being more of a
hindrance than the actual problem was in the first place.

There is a LOT of politics at play here because openSSL was OpenSource.
Apparently it was running on donations of about $2k/yr and less than
minimal staffing. If all the companies using it donated 0.1% of their
income towards the project then it would be raking in millions. So, it's
carefully being ignored that the last time openSSL had a problem was 15
years ago.

Taking advantage of this problem would have required an extreme amount of
skill and a huge amount of patience. Each successful attack on a website
would scrape something like 64kb, or was it 16? So getting anything useful
would take millions of attacks, which would probably have been noticed as a
sudden increase in network traffic and caused the website to crouch down in
defensive mode (or maybe even start counter-attacks in a tiny number of
cases).

The question is are you storing valuable data on whichever website? Is
your password to that site likely to give-away all, or a lot of, the
passwords you use on other sites? How about the security question for when
you forget your password? How much personal information does whichever
site hold about you and could that data be used to cause you some bother?
Even where the answers to all but q1 are "yes" you have to bear in mind
that they would have to be quick to deal with the tons of other people's
information they had scraped at the same time and could the criminal
process all that fast enough?

So most of the threat has been blown out of all proportion. Of course we
still have to fix it but that has probably already been done and now we
just sit&wait for external recognition of that fact. The people who verify
that are swamped so it might be a bit of a wait.

It might be a good idea to step-up your own security over the next few
months. Anyone continuing to use Internet Explorer deserves whatever they
get now more than ever.

Regards from
Tom :slight_smile: