Reference to vulns suddenly vanishes after El Reg probe
The open-source productivity suite has been referred to as “a shambling corpse” by those appalled at its languid update schedule and those skeptical that its skeleton crew of volunteers can keep it animated.
Apache OpenOffice 4.1.3 – the latest available version, and released in October – contains at least one undisclosed and so-far unpatched security issue: this is mentioned but not explained in the minutes of a meeting of the Apache Foundation Board of Directors in January.
As of Wednesday this week, the board minutes included the following line, explaining that the now-late OpenOffice 4.1.4 release will patch one or more mysterious vulnerabilities:
However, a day later, while The Register was investigating the state of OpenOffice, someone within the software foundation got wise to our probe, and modified the meeting minutes – quietly removing this reference to security problems in OpenOffice.
In other words, Apache changed its public records to hide the fact it has been sitting on security patches for months. The latest version of the document is here. Bear in mind the minutes were published in March, and were modified this week, on Thursday, April 27, after we contacted the Apache foundation.
Jim Jagielski, a member of the Apache OpenOffice Project Management Committee, dismissed talk of the death of the productivity suite as “typical FUD that is spread by the ‘usual suspects.’” We take that to mean those who prefer competing software, such as LibreOffice, or who have expressed concern about OpenOffice’s ongoing viability.
History buffs may recall Jagielski himself expressed such a view in distant 2016, remarking: “As noted over the last few months, it has become obvious to the board that AOO [Apache Open Office] has not been a healthy project for some time.” Indeed, less than a handful of coders appear to be working on the software.
In a statement to The Register today, Jagielski offered reassurances that OpenOffice will live to see another update. “The AOO PMC [Project Management Committee] is working hard on the 4.1.4 release which will provide fixes to the analyzed and validated security items,” he said. “Expected timeframe is likely either during or right after ApacheCon.”
The next ApacheCon is scheduled for May 16 to 18 in Miami, Florida. Version 4.1.4 was due to arrive in the first quarter of 2017, meaning it will be about a month and a half late if it lands mid-May.
On the subject of the mystery security fixes mentioned in January, Jagielski insists it’s normal that sensitive details are withheld from public versions of the PMC board’s meeting minutes.
“There is nothing nefarious, or devious or even secretive about this,” Jagielski said. “Some items we are required to keep private, due to legal concerns; others we keep private until such issues can be officially analyzed, such as whether or not a reported security issue is valid, or an issue for the PMC (occasionally, such a report is due to a vulnerability with an external, 3rd party codebase, and we must coordinate with them).”
Jagielski said such practices provide the board with insight into potential issues, most of which turn out not to be matters of real concern. “We know that board reports are studiously read by people for both good and ill, and the spreading of unfounded ill that might be present in most of the private sections benefit no one, other than detractors,” he said.
Acknowledging that most OpenOffice users depend on downloaded community-provided builds, Jagielski emphasized that rushing out fixes to a complex application without careful testing would likely do more harm than good.
And so we wait. Let’s just hope details of those unexplained security flaws stay secret, and out of the hands of exploit writers, until version 4.1.4 lands. ®