The Plone content management system lacks security declarations for three internal classes. This allows manipulation of user portraits by unprivileged users. The changeMemberPortrait and deletePersonalPortrait lack security declarations, enabling any anonymous internet user to change and delete portraits on Plone sites at will. Our versions 2.0.4 and 2.0.5 and 2.0.5-r1 are not patched. See also DSA 1032-1 (2006-04-12)
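As an added illustration of the bug class (a toy model, not Plone's or Zope's own code): in Zope 2 style products, methods reachable by URL need an explicit security declaration; the model below treats an undeclared method as callable by anyone, which is the behaviour the advisory describes, and shows the tool with declarations added. The permission name 'Set own properties' is the standard CMF permission, but its use for these two methods and the role-to-permission mapping are assumptions made for the example.

```python
# Toy model of Zope 2 style security declarations (constructed for this example).
# In a real product the counterparts are AccessControl.ClassSecurityInfo,
# security.declareProtected(...) and InitializeClass(cls).

ANONYMOUS_ROLES = ('Anonymous',)
MEMBER_ROLES = ('Anonymous', 'Authenticated', 'Member')

# Constructed mapping of permission -> roles granted that permission.
PERMISSION_ROLES = {'Set own properties': ('Member', 'Manager')}


class SecurityInfo:
    """Collects method-name -> permission declarations for one class."""

    def __init__(self):
        self.declarations = {}

    def declare_protected(self, permission, *method_names):
        for name in method_names:
            self.declarations[name] = permission


def validate(tool_cls, method_name, user_roles):
    """Publisher-style access check.

    A method without a declaration is treated as public (the defect from the
    advisory); a declared method needs a role that holds the permission.
    """
    permission = tool_cls.security.declarations.get(method_name)
    if permission is None:
        return True
    return any(r in PERMISSION_ROLES.get(permission, ()) for r in user_roles)


class VulnerableMembershipTool:
    security = SecurityInfo()  # portrait methods left undeclared

    def changeMemberPortrait(self, portrait, member_id=None): ...
    def deletePersonalPortrait(self, member_id=None): ...


class FixedMembershipTool:
    security = SecurityInfo()
    security.declare_protected('Set own properties',
                               'changeMemberPortrait', 'deletePersonalPortrait')

    def changeMemberPortrait(self, portrait, member_id=None): ...
    def deletePersonalPortrait(self, member_id=None): ...


def can_call(tool_cls, method_name, roles=ANONYMOUS_ROLES):
    return validate(tool_cls, method_name, roles)
```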
Zope herd please bump with patch from URL
plone-2.0.5-r2 is in portage and patched. Not marked stable though. Please test and proceed with stable and glsa.
x86 and ppc please test and mark plone-2.0.5-r2 stable, thx
Patch doesn't apply. * Applying plone-2.0.5-portrait_security.patch ... * Failed Patch: plone-2.0.5-portrait_security.patch ! * ( /home/tobias/cvs/gentoo-x86/net-zope/plone/files/plone-2.0.5-portrait_security.patch ) * * Include in your bugreport the contents of: * * /var/tmp/portage/plone-2.0.5-r2/temp/plone-2.0.5-portrait_security.patch-6632.out
net-zope please fix the ebuild, thanks
Strange, just did emerge sync and tested it on data received from rsync.gentoo.org and it works: >>> Unpacking PloneBase-2.0.5.tar.gz to /var/tmp/portage/plone-2.0.5-r2/work * Applying plone-2.0.5-portrait_security.patch ... [ ok ] >>> Source unpacked. Can anyone help me here?
OK, fixed. Looks like my patch accepts a wide range of patch files, while the standard one does not. I regenerated and committed the fixed patch file. Please proceed. Sorry for the troubles caused.
No problem, thank you radek. Arches, you know what to do :)
ppc stable
x86 done
ready for glsa vote, I tend to a NO here.
thanks arches, not a critical element, only affects plone itself. I tend to vote no, but unsure.
Voting NO and closing.