Bug 153901 - net-zope/plone 2.5 and 2.5.1 security hotfix 20061031 released (CVE-2006-4249)
Bug#: 153901 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: All Status: RESOLVED Severity: normal Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: jaba@mikrobitti.fi
Component: Vulnerabilities
URL:  http://plone.org/products/plone-hotfix/releases/20061031
Summary: net-zope/plone 2.5 and 2.5.1 security hotfix 20061031 released (CVE-2006-4249)
Keywords:  
Status Whiteboard: ~4? [noglsa] jaervosz
Opened: 2006-11-02 23:56 0000
Description:
Since this is a couple of days old and I haven't seen it mentioned here yet at
all, I thought I could as well inform you.

Plone versions 2.5 and 2.5.1 have a potential vulnerability that allows a user to
masquerade as a group. More information & patch available at the URL I put
above.

------- Comment #1 From Matthias Geerdsen 2006-11-06 03:57:49 0000 -------
net-zope, pls provide an updated ebuild

btw, the affected version is in ~arch, so no GLSA will be needed

------- Comment #2 From Radoslaw Stachowiak 2006-12-19 11:05:46 0000 -------
Deeply sorry for the delay (I'm the only active developer for net-zope/*).
This one will be fixed around Dec 24th together with some version bumps.

------- Comment #3 From Sune Kloppenborg Jeppesen 2006-12-22 00:48:25 0000 -------
Thx Radek. Please comment again on this bug when you commit the updated ebuild.

------- Comment #4 From Radoslaw Stachowiak 2006-12-28 17:37:02 0000 -------
Both plone-2.5 and plone-2.5.1 fixed to contain this hotfix upon installation.
No version bump.

------- Comment #5 From Sune Kloppenborg Jeppesen 2006-12-29 01:42:03 0000 -------
Thx Radoslaw.

Normally we encourage a version bump so emerge world users will pick up the
update.

------- Comment #6 From Radoslaw Stachowiak 2007-01-01 07:52:50 0000 -------
The update won't be picked up, because zope products are installed in a two-phase
process, and the second phase (zprod-manager) is strictly manual. Simply emerging
the app (plone here) will just result in the new plone source being on the machine,
but not in the one which is currently used in the zope instance.

One can argue that even in such a case a bump is suggested, because subsequent
plone installations can be fixed, but net-zope policy didn't do it till
recently.

So, knowing this, is your recommendation still to revbump it? If yes, I'll do
it.

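The practical consequence of the two-phase install described in comment #6 is that a Zope instance can keep running a stale copy of a product long after Portage has installed the fixed source tree. The script below is an added example (not code from Gentoo, net-zope or Plone) that checks whether an instance's copy of a product still matches the installed source; the Portage and instance paths named in the usage comment are assumptions about a typical layout, and the demo directories it builds are constructed inline so it runs without a real Zope instance.

```shell
#!/bin/sh
# Added example: detect a Zope instance whose Products/ copy of a product
# (e.g. CMFPlone) no longer matches the tree Portage installed, because the
# manual zprod-manager step was never re-run after an update.
# Paths in the usage comment are assumptions, not Gentoo's documented layout.

# Digest of every regular file under a directory: relative path plus sha1,
# in a fixed order, so two trees with the same contents give the same value.
tree_digest() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while read -r f; do
        printf '%s  ' "$f"
        sha1sum "$f" | cut -d' ' -f1
    done ) | sha1sum | cut -d' ' -f1
}

# product_in_sync SRC_DIR INSTANCE_DIR
# Returns 0 when the instance copy matches the installed source, 1 when the
# copy is missing or differs (i.e. the instance still runs the old code).
product_in_sync() {
    src="$1"
    inst="$2"
    if [ ! -d "$inst" ]; then
        echo "missing in instance: $inst"
        return 1
    fi
    if [ "$(tree_digest "$src")" = "$(tree_digest "$inst")" ]; then
        return 0
    fi
    echo "stale copy in instance: $inst"
    return 1
}

# Constructed demo: the source tree carries the hotfixed revision, the
# instance still carries the old one, so product_in_sync must report stale.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/src/CMFPlone" "$tmp/instance/Products/CMFPlone"
    echo "CMFPlone 2.5.1-r1 (with hotfix 20061031)" > "$tmp/src/CMFPlone/version.txt"
    echo "CMFPlone 2.5.1" > "$tmp/instance/Products/CMFPlone/version.txt"
    if product_in_sync "$tmp/src/CMFPlone" "$tmp/instance/Products/CMFPlone"; then
        r=0
    else
        r=1
    fi
    rm -rf "$tmp"
    return $r
}

# Usage against a real system (paths are assumptions for illustration):
#   product_in_sync /usr/lib/zope/Products/CMFPlone /var/lib/zope/instance/Products/CMFPlone
demo || echo "demo: instance copy is stale, re-run zprod-manager"
```

Loop `product_in_sync` over each directory under the instance's `Products/` to audit a whole instance; a non-zero result on any of them means the emerge alone did not fix what Zope is actually serving.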
------- Comment #7 From Sune Kloppenborg Jeppesen 2007-01-06 12:51:20 0000 -------
I would prefer a bump with a post install message telling the user what to do.

------- Comment #8 From Radoslaw Stachowiak 2007-01-09 22:55:39 0000 -------
plone-2.5.1-r1.ebuild committed.

------- Comment #9 From Raphael Marichez 2007-01-12 22:32:02 0000 -------
The only stable ebuilds (2.0.4 and 2.0.5) are not vulnerable --> closing. Feel
free to reopen if you disagree.