Bug#: 198357
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Robert Buchholz <rbu@gentoo.org>


Description:   Opened: 2007-11-07 13:38 0000
FrSIRT/ADV-2007-3754:
  A vulnerability has been identified in Plone, which could be
  exploited by remote attackers to compromise a vulnerable system.
  This issue is caused by input validation errors in the
  "statusmessages" and "linkintegrity" modules that interpret unsafe
  network data as Python pickles, which could be exploited by remote
  attackers to execute arbitrary commands with the privileges of the
  Zope/Plone process.
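
The advisory names the bug class but not its mechanism. The following is an added Python 3 example, not code from Plone, Zope or the hotfix: it shows why handing network data (here a cookie value) to pickle.loads is remote code execution, with a harmless marker function standing in for os.system, and then two ways of closing the hole. Names such as attacker_cookie, NoGlobalsUnpickler and SECRET are assumptions for illustration; which fix the Plone hotfix actually applied is not stated on this page.

```python
# Added example (Python 3), not Plone or Zope code: reproduces the bug class
# from the advisory (network data interpreted as a pickle) with a harmless
# marker instead of a real command, then shows two fixes.  All names below
# are assumed for illustration.
import hashlib
import hmac
import io
import json
import pickle

EXECUTED = []           # records that attacker-chosen code ran


def marker(text):
    """Stand-in for os.system & co.: any callable reachable by name works."""
    EXECUTED.append(text)
    return text


class Payload:
    """Unpickling this calls marker('pwned'); a real attacker names
    os.system or subprocess.Popen in __reduce__ instead."""
    def __reduce__(self):
        return (marker, ("pwned",))


def attacker_cookie():
    # Constructed sample: the bytes a remote client would send as the cookie.
    return pickle.dumps(Payload(), protocol=2)


def honest_cookie():
    # Constructed sample: what the application itself would store.
    return pickle.dumps([("info", "Changes saved.")], protocol=2)


def vulnerable_load(cookie):
    """The advisory's pattern: untrusted bytes straight into pickle.loads.
    Code referenced by the stream runs before this function returns."""
    return pickle.loads(cookie)


# Fix 1: keep pickle but refuse every global reference.  Plain data
# (lists, tuples, str, int, dict) never needs find_class, so honest
# messages still load while any callable in the stream is rejected.
class NoGlobalsUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        raise pickle.UnpicklingError("refusing global %s.%s" % (module, name))


def restricted_load(cookie):
    return NoGlobalsUnpickler(io.BytesIO(cookie)).load()


def loads_safely(cookie):
    """Returns (ok, value); ok is False when the restricted loader refused."""
    try:
        return True, restricted_load(cookie)
    except pickle.UnpicklingError:
        return False, None


# Fix 2 (preferred): a format that cannot encode code, plus a MAC so the
# server only accepts cookies it issued.  SECRET is an assumed server key
# that never leaves the server.
SECRET = b"server-side-secret-not-in-the-cookie"


def sign_messages(messages):
    body = json.dumps(messages, separators=(",", ":")).encode()
    tag = hmac.new(SECRET, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag


def verify_messages(cookie):
    body, _, tag = cookie.rpartition(b".")
    expected = hmac.new(SECRET, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad signature")
    return json.loads(body)


if __name__ == "__main__":
    vulnerable_load(attacker_cookie())
    print("vulnerable_load ran attacker code:", EXECUTED)
    print("restricted loader on attacker cookie:", loads_safely(attacker_cookie()))
    print("restricted loader on honest cookie:", loads_safely(honest_cookie()))
    print("signed cookie round-trips:", verify_messages(sign_messages([["info", "ok"]])))
```

The restricted unpickler costs nothing for well-formed status messages, which are plain data and never reach find_class, but any other code path in the same process that still trusts pickles remains a liability. The JSON-plus-HMAC form removes the problem at the source: the format cannot express a callable, and the MAC means a value the server did not issue is rejected before it is parsed at all.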

------- Comment #1 From Robert Buchholz 2007-11-07 13:40:30 0000 -------
"Affected versions
    * Plone 2.5 up to and including 2.5.4
    * Plone 3.0 up to and including 3.0.2

These fixes are included in the 2.5.5 and 3.0.3 releases, at which point this
hotfix can be removed."

Net-Zope, please advise.

------- Comment #2 From Radoslaw Stachowiak 2007-11-07 15:06:18 0000 -------
We will release the 2.5.5 version bump this weekend. The last security problem
didn't result in a GLSA, so maybe this time it should be done to get some
visibility.

------- Comment #3 From Robert Buchholz 2007-11-07 15:32:59 0000 -------
(In reply to comment #2)
> We will release the 2.5.5 version bump this weekend. The last security problem
> didn't result in a GLSA, so maybe this time it should be done to get some
> visibility.

Security policy is that ~arch packages are not subject to GLSAs. If version
numbers in the upstream announcement are correct, stable ebuilds are not
affected here.

------- Comment #4 From Pierre-Yves Rofes 2007-11-18 13:49:36 0000 -------
(In reply to comment #2)
> We will release the 2.5.5 version bump this weekend. The last security problem
> didn't result in a GLSA, so maybe this time it should be done to get some
> visibility.

Any news here?

------- Comment #5 From Robert Buchholz 2007-11-21 01:01:33 0000 -------
Zope herd, please bump.

------- Comment #6 From Robert Buchholz 2007-11-26 00:41:24 0000 -------
http://plone.org/products/plone-hotfix/releases/20071106-2
Version 2 of the hotfix corrects several bugs found in the original release.

Zope, what's the status here?

------- Comment #7 From Pierre-Yves Rofes 2007-12-08 23:57:36 0000 -------
(In reply to comment #6)
> http://plone.org/products/plone-hotfix/releases/20071106-2
> Version 2 of the hotfix corrects several bugs found in the original release.
> 
> Zope, what's the status here?
> 

*ping*

------- Comment #8 From Radoslaw Stachowiak 2007-12-25 23:07:00 0000 -------
It took our one-man herd ;) a little bit longer. Sorry for that.
I committed the corrected ebuild for version 2.5.5 to the tree.

BTW: should I change bug's Whiteboard after such action?

------- Comment #9 From Robert Buchholz 2007-12-25 23:46:13 0000 -------
No need to, we're monitoring comments and do the next steps.
Thanks for bumping!

This issue only affects ~arch ebuilds, so it will not result in a GLSA. If you
want the 2.5 branch to be subject to "full" security support, you need to get
this current version stable. Please remove the vulnerable 2.5 and 2.5.3 ebuilds
if you can.
