Plone 2.5 is vulnerable to a password reset bug. Plone administrators are encouraged to patch as soon as possible. Only Plone 2.5 and Plone 2.5.1-rc's are affected, unless Password Tool v0.4.0 is separately installed to older versions of Plone.
net-zope, please provide updated ebuilds for the vulnerable packages. Could you also comment on the affected ebuilds? Is it just: net-zope/plone-2.5 and 2.5.1_rc1; net-zope/passwordresettool? Those are all marked ~arch if I am not mistaken, aren't they?
Net-zope reports on duty. Currently 2.5 and 2.5.1rc1 are only ~x86, so no direct threat. I will however, in the coming minutes: remove rc1 from tree; commit 2.5.1 (~x86). I plan to leave 2.5 intact under ~x86, and need to check passwordresettool. Probably prt will be bumped too.
OK, done: plone-2.5.1 committed (~x86); plone-2.5.1-rc1 removed from tree; passwordresettool bumped. No GLSA needed IMO. P.S. And someone complained on gentoo-dev about maintainers being lazy on security bugs ;)
great :) now this was a quick bug... closing without glsa as all packages are marked ~arch
Wow. Dudes, you rock! :-) This was a very fast one. Thank you very much and keep up the good work!