Libre Office

Hi Team,

We are evaluating LibreOffice to use in our organization. Keeping in mind features and ease of use, we have found this product good for our requirement.

We have the below queries related to security. We request your help in getting responses to these queries.

1. What is the procedure for patch updates for LibreOffice?

2. How will I get the information that any vulnerability has been identified in LibreOffice?

3. How will I get the information about new updates available for LibreOffice?

4. Who will support us in case any outbreak happens due to any vulnerabilities?

5. What is the timeline to provide the fix for any vulnerability?

Regards,
Mukesh Chaurasia
AGM - IT
Intelenet Global Services
+91-9910663158

What operating systems will you deploy LibreOffice onto?

I highly suggest getting L3 support to keep your organization up to date on stuff. Absent a contract agreement, there is /no guarantee/. Volunteers do things as they want. Generally security issues are tackled quickly but if you're looking for a group of volunteers to be your personal support contractors and guarantee the product at no cost, that's not going to happen.

You can find info here: https://www.libreoffice.org/get-help/professional-support/

Best,

Joel

1. What is the procedure for patch updates for LibreOffice?

Basically, uninstall the old version of LibO, install the new version of
LibO. As a general rule, copying the /config/LibO/old-version/user
directory to /config/LibO/new-version/user migrates customizations. The
big exception is installed extensions. Those will have to be manually
done. (If LibO is compiled in-house, necessary extensions can be
included in that build process.)

The specific process depends upon the platform that is used.

(Note: neither Android nor iOS on the iPhone, iPod, or iPad are currently
supported. You'll have to write a lot of code, to have a usable version
of LibO on those platforms.)

2. How will I get the information that any vulnerability has been identified in LibreOffice?

https://www.libreoffice.org/about-us/security/advisories/ is a list of
fixed, known vulnerabilities.

Coverity Scan results are posted to libreoffice@lists.freedesktop.org
every month.
http://nabble.documentfoundation.org/New-Defects-reported-by-Coverity-Scan-for-LibreOffice-td4191140.html
is a fairly typical report.

If you're wanting announcements, such as that described at
https://www.helpnetsecurity.com/2016/06/30/libreoffice-flaw-godsend-hackers/,
a Google Alert is your best bet. (That specific flaw was fixed in LibO
5.1.4/5.2.0.)

3. How will I get the information about new updates available for LibreOffice?

announce@documentfoundation.org: Mailing list for news and press
releases by The Document Foundation.
Subscription: announce+subscribe@documentfoundation.org
Digest subscription: announce+subscribe-digest@documentfoundation.org
Archives: http://listarchives.documentfoundation.org/www/announce/
Mail-Archive.com:
http://www.mail-archive.com/announce@documentfoundation.org/
GMANE: http://dir.gmane.org/gmane.comp.documentfoundation.announce

That is a low traffic mailing list. Roughly half the messages are about
new releases of either the program, or documentation.

4. Who will support us in case any outbreak happens due to any vulnerabilities?

https://www.libreoffice.org/get-help/professional-support/ is a list of
vendors of Tier 1 through Tier 3 support, that have undergone TDF
certification.

LibreOffice, as a project, and _The Document Foundation_, as an
organization, provide Tier 0 support.

5. What is the timeline to provide the fix for any vulnerability?

That depends on how severe the vulnerability is, and how much other code
is affected by rewriting the vulnerable code.