153901 2006-11-02 23:56 0000 net-zope/plone 2.5 and 2.5.1 security hotfix 20061031 released (CVE-2006-4249) 2007-01-12 22:32:02 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All All RESOLVED FIXED http://plone.org/products/plone-hotfix/releases/20061031 ~4? [noglsa] jaervosz P2 normal --- 1 jaba@mikrobitti.fi security@gentoo.org net-zope@gentoo.org jaba@mikrobitti.fi 2006-11-02 23:56:11 0000 Since this is couple of days old and haven't seen this here yet mentioned at all, I thought I could as well inform you. Plone versions 2.5 and 2.5.1 has a potential vulnerability that allows user to masquerade as a group. More information & patch available at the URL I put above. vorlon@gentoo.org 2006-11-06 03:57:49 0000 net-zope, pls provide an updated ebuild btw, the affected version is in ~arch, so no GLSA will be needed radek@gentoo.org 2006-12-19 11:05:46 0000 Deeply sorry for the delay (I'm the only active deveolper for net-zope/*). This one will be fixed around Dec 24th together with some version bumps. jaervosz@gentoo.org 2006-12-22 00:48:25 0000 Thx Radek. Please comment again on this bug when you commit the updated ebuild. radek@gentoo.org 2006-12-28 17:37:02 0000 Both plone-2.5 and plone-2.5.1 fixed to contain this hotfix upon installation. No version bump. jaervosz@gentoo.org 2006-12-29 01:42:03 0000 Thx Radoslaw. Normally we encourage a version bump so emerge world users will pick up the update. radek@gentoo.org 2007-01-01 07:52:50 0000 Update won't be picked, beacuse zope product are installed in two phase process, while second phase (zprod-manager) is strictly manual. simply emerging app (plone here) will just result with new plone source being on machine, but not one which is currently used in zope instance. one can argue, that even in such case, bump is suggested, because subsequent plone installations can be fixed, but net-zope policy didnt do it till recently. So, knowing this, is Your recommendation still to revbump it? if yes, i'll do it. jaervosz@gentoo.org 2007-01-06 12:51:20 0000 I would prefer a bump with a post install message telling the user what to do. radek@gentoo.org 2007-01-09 22:55:39 0000 plone-2.5.1-r1.ebuild commited. falco@gentoo.org 2007-01-12 22:32:02 0000 the only stable ebuild (2.0.4 and 2.0.5) are not vulnerable --> closing. Feel free to reopen if you disagree