Summary: net-zope/plone < 2.5.5 statusmessages linkintegrity Command Execution (CVE-2007-5741)
Product: Gentoo Security
Reporter: Robert Buchholz (RETIRED) <rbu>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Package list:
Runtime testing required: ---
Description Robert Buchholz (RETIRED) 2007-11-07 13:38:58 UTC
FrSIRT/ADV-2007-3754: A vulnerability has been identified in Plone, which could be exploited by remote attackers to compromise a vulnerable system. This issue is caused by input validation errors in the "statusmessages" and "linkintegrity" modules that interpret unsafe network data as python pickles, which could be exploited by remote attackers to execute arbitrary commands with the privileges of the Zope/Plone process.
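The advisory above describes a general pattern: data a client controls (a cookie or request field) is handed to pickle.loads, and a pickle that names an importable callable gets it executed. As an added example that is not part of this bug report, the Plone hotfix, or the Plone code base, the Python below shows the two controls a defender wants in that situation: authenticate the bytes with an HMAC before unpickling them at all, and unpickle through an allowlisting Unpickler so the pickle cannot resolve arbitrary globals even if the signing key leaks. The cookie layout, the secret, and the allowlist are assumptions made for this demo.

```python
import hashlib
import hmac
import io
import pickle
from collections import OrderedDict

# Constructed demo secret; a real site loads a per-installation secret from
# configuration and never hard-codes it.
SECRET = b"constructed-demo-secret-not-for-production"


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global reference except an explicit allowlist.

    pickle resolves GLOBAL/STACK_GLOBAL opcodes through find_class(); whoever
    controls the bytes can name any importable callable there, which is how a
    pickle turns into code execution. Plain data (dict, list, str, int) never
    needs find_class, so a tiny allowlist still round-trips ordinary messages.
    """

    ALLOWED = {("collections", "OrderedDict")}  # assumed allowlist for this demo

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def restricted_loads(data: bytes):
    """Unpickle with the allowlist instead of the permissive pickle.loads."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def _mac(payload: bytes) -> bytes:
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest().encode()


def make_cookie(obj) -> bytes:
    """Serialize server-side state for a cookie: hex HMAC, ':', pickle bytes (assumed layout)."""
    payload = pickle.dumps(obj)
    return _mac(payload) + b":" + payload


def load_cookie(cookie: bytes):
    """Verify the MAC before touching the pickle, then unpickle with the allowlist."""
    mac, sep, payload = cookie.partition(b":")
    if not sep:
        raise ValueError("malformed cookie")
    if not hmac.compare_digest(mac, _mac(payload)):
        raise ValueError("bad signature")
    return restricted_loads(payload)


def classify(cookie: bytes) -> str:
    """Summarize what load_cookie does with a cookie, for tests and for logging."""
    try:
        load_cookie(cookie)
    except ValueError:
        return "bad-signature"
    except pickle.UnpicklingError:
        return "forbidden-global"
    return "ok"


# Constructed sample cookies.
SAFE_COOKIE = make_cookie({"info": ["Changes saved."]})
ORDERED_COOKIE = make_cookie(OrderedDict(info=["Changes saved."]))
# The safe cookie with one payload byte flipped, as a tampering client would send it.
TAMPERED_COOKIE = SAFE_COOKIE[:-1] + bytes([SAFE_COOKIE[-1] ^ 0x01])
# A pickle that names a global (the harmless builtin len), correctly signed: models
# a leaked signing key, which the allowlist still stops.
SIGNED_GLOBAL_COOKIE = make_cookie(len)

if __name__ == "__main__":
    for label, cookie in [("safe", SAFE_COOKIE), ("ordered", ORDERED_COOKIE),
                          ("tampered", TAMPERED_COOKIE),
                          ("signed-global", SIGNED_GLOBAL_COOKIE)]:
        print(f"{label}: {classify(cookie)}")
```

The order matters: the MAC check runs before any byte reaches the unpickler, so an unauthenticated cookie is rejected without parsing; the allowlist is the second layer for the case where the key is compromised or the same unpickler is reused on data that was never signed. For new designs, a non-executable format such as JSON removes the problem entirely.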
Comment 1 Robert Buchholz (RETIRED) 2007-11-07 13:40:30 UTC
"Affected versions
* Plone 2.5 up to and including 2.5.4
* Plone 3.0 up to and including 3.0.2
These fixes are included in the 2.5.5 and 3.0.3 releases, at which point this hotfix can be removed."
Net-Zope, please advise.
Comment 2 Radoslaw Stachowiak (RETIRED) 2007-11-07 15:06:18 UTC
We will release a 2.5.5 version bump this weekend. The last security problem didn't result in a GLSA, so maybe this time it should be done to get some visibility.
Comment 3 Robert Buchholz (RETIRED) 2007-11-07 15:32:59 UTC
(In reply to comment #2)
> We will release a 2.5.5 version bump this weekend. The last security problem
> didn't result in a GLSA, so maybe this time it should be done to get some
> visibility.

Security policy is that ~arch packages are not subject to GLSAs. If the version numbers in the upstream announcement are correct, stable ebuilds are not affected here.
Comment 4 Pierre-Yves Rofes (RETIRED) 2007-11-18 13:49:36 UTC
(In reply to comment #2)
> We will release a 2.5.5 version bump this weekend. The last security problem
> didn't result in a GLSA, so maybe this time it should be done to get some
> visibility.

Any news here?
Comment 5 Robert Buchholz (RETIRED) 2007-11-21 01:01:33 UTC
Zope herd, please bump.
Comment 6 Robert Buchholz (RETIRED) 2007-11-26 00:41:24 UTC
http://plone.org/products/plone-hotfix/releases/20071106-2
Version 2 of the hotfix corrects several bugs found in the original release. Zope, what's the status here?
Comment 7 Pierre-Yves Rofes (RETIRED) 2007-12-08 23:57:36 UTC
(In reply to comment #6)
> http://plone.org/products/plone-hotfix/releases/20071106-2
> Version 2 of the hotfix corrects several bugs found in the original release.
>
> Zope, what's the status here?

*ping*
Comment 8 Radoslaw Stachowiak (RETIRED) 2007-12-25 23:07:00 UTC
It took our one-man-herd ;) a little bit longer. Sorry for that. I committed the corrected ebuild for version 2.5.5 to the tree. BTW: should I change the bug's Whiteboard after such an action?
Comment 9 Robert Buchholz (RETIRED) 2007-12-25 23:46:13 UTC
No need to, we're monitoring comments and do the next steps. Thanks for bumping! This issue only affects ~arch ebuilds, so it will not result in a GLSA. If you want the 2.5 branch to be subject to "full" security support, you need to get this current version stable. Please remove the vulnerable 2.5 and 2.5.3 ebuilds if you can.