Bug#: 149602
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Janne Pikkarainen <jaba@mikrobitti.fi>

Description:   Opened: 2006-09-30 03:39 0000
Plone 2.5 is vulnerable to a password reset bug. Plone administrators are
encouraged to patch as soon as possible.

Only Plone 2.5 and Plone 2.5.1-rc's are affected, unless Password Tool v0.4.0
is separately installed on older versions of Plone.

------- Comment #1 From Matthias Geerdsen 2006-09-30 13:37:10 0000 -------
net-zope, please provide updated ebuilds for the vulnerable packages

could you also comment on the affected ebuilds?

is it just:
net-zope/plone-2.5 and 2.5.1_rc1
net-zope/passwordresettool

those are all marked ~arch if i am not mistaken, aren't they?

------- Comment #2 From Radoslaw Stachowiak 2006-09-30 14:05:48 0000 -------
Net-zope reports on duty.

currently 2.5 and 2.5.1rc1 are only ~x86 so no direct threat.
I will however in the coming minutes:
* remove rc1 from tree
* commit 2.5.1 (~86)

I plan to leave intact 2.5 under ~x86, and need to check passwordresettool.
Probably prt will be bumped too.

------- Comment #3 From Radoslaw Stachowiak 2006-09-30 14:25:38 0000 -------
ok, done:
plone-2.5.1 committed (~x86)
plone-2.5.1-rc1 removed from tree

passwordresettool bumped.

no glsa needed IMO.

P.S.
and someone complained on gentoo-dev about maintainers being lazy on security
bugs ;)

------- Comment #4 From Matthias Geerdsen 2006-09-30 14:37:55 0000 -------
great :)
now this was a quick bug...

closing without glsa as all packages are marked ~arch

------- Comment #5 From Janne Pikkarainen 2006-10-01 00:43:30 0000 -------
Wow. Dudes, you rock! :-) This was a very fast one. 

Thank you very much and keep up the good work!
