| Summary: | net-zope/plone <3.0.4 XSS in LiveSearch (CVE-2008-4571) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Stefan Behte (RETIRED) <craig> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | net-zope+disabled |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://dev.plone.org/plone/ticket/7439 | | |
| Whiteboard: | B4 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 243270, 245786 | | |
| Bug Blocks: | | | |
Description
Stefan Behte (RETIRED)
2008-10-19 03:12:00 UTC
I'm not 100% sure if our versions in the tree are vulnerable. Zope team, can you check that? The URL has a POC.

From http://www.securityfocus.com/bid/27098 it appears that none of the versions that are in the tree are affected by this issue; correcting title and whiteboard.

Tupone, the bugtraq link lists 2.5.5 in neither "vulnerable" nor "not vulnerable", so that is not reliable information. According to http://plone.org/products/plone/releases/2.5.5 the 2.5.5 series is not supported upstream anymore, so from a general POV I would suggest we mark stable a newer version. Are there any blockers or regressions that have to be resolved before that?

xss is b4, not b2

Working on stabilizing a newer version. I need net-zope/zope-2.10.6, for which a stabilization request has been done, and net-zope/plone-3.1.{maybe 6?}, for which I'd wait for 1 month without bugs before filing a request.

Since we are dealing with a possible security bug, I'd like to get this fixed sooner than 4 weeks away from now. The plone 3 series is in the tree for months now, so let's target 2 weeks after the 3.1.6 commit -- Nov. 6.

tupone, usually we do security stablings right on the security bugs. but thanks for opening the bug anyway :-)

time for GLSA decision. XSS => no.

no as well