2.4.2 – the real story
October 29th, 2008
There has been comment in various blogs about new security vulnerabilities in OpenOffice.org. Some of these posts and the comments on them are completely bizarre. So here’s the real story.
The OpenOffice.org security team were alerted to a couple of potential vulnerabilities in the code. I’ve blogged about this process many times before – there’s no suggestion that anyone has ever tried to exploit these vulnerabilities, or even that it is possible to do so. But we went ahead and fixed the code – as you do.
As the security bulletin states, the recently released OpenOffice.org 3.0 isn’t affected. However, there are people out there who haven’t moved on to 3.0 – maybe they are using some add-on that isn’t yet available for 3.0; maybe they just don’t use version n.0 of anything on principle. Anyway, to cater for these users, we decided to do a new release 2.4.2 which fixes the vulnerabilities and has a pile of miscellaneous fixes in it for good measure.
We were all set to announce 2.4.2 this morning at the same time as announcing the vulnerabilities (that’s the recommended way of doing these things). Unfortunately the Bouncer service that we use to redirect downloads to local mirrors hasn’t picked up the new version, so people can’t actually download 2.4.2 from our download page.
So, please bear with us. As soon as the good people who run the Bouncer for us (and for several other open-source projects like Mozilla) have got it fixed, we’ll make the public announcement that 2.4.2 is available.

October 30th, 2008 at 5:17 pm
[...] on from yesterday’s posting, the Bouncer is now working again and you can download OpenOffice.org 2.4.2 from the OpenOffice.org [...]