| Field | Value |
|---|---|
| Summary | net-zope/plone < 2.5.5 statusmessages linkintegrity Command Execution (CVE-2007-5741) |
| Product | Gentoo Security |
| Reporter | Robert Buchholz (RETIRED) <rbu> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | trivial |
| CC | net-zope+disabled |
| Priority | High |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | http://plone.org/about/security/advisories/cve-2007-5741 |
| Whiteboard | ~1 [noglsa] |
| Package list | |
| Runtime testing required | --- |
Description

Robert Buchholz (RETIRED) 2007-11-07 13:38:58 UTC

"Affected versions
* Plone 2.5 up to and including 2.5.4
* Plone 3.0 up to and including 3.0.2
These fixes are included in the 2.5.5 and 3.0.3 releases, at which point this hotfix can be removed."

Net-Zope, please advise.

---

Comment #2

We will release the 2.5.5 version bump this weekend. The last security problem didn't result in a GLSA, so maybe this time it should be done to get some visibility.

---

Comment #3

(In reply to comment #2)
> We will release the 2.5.5 version bump this weekend. The last security problem
> didn't result in a GLSA, so maybe this time it should be done to get some
> visibility.

Security policy is that ~arch packages are not subject to GLSAs. If the version numbers in the upstream announcement are correct, stable ebuilds are not affected here.

---

Comment #4

(In reply to comment #2)
> We will release the 2.5.5 version bump this weekend. The last security problem
> didn't result in a GLSA, so maybe this time it should be done to get some
> visibility.

Any news here?

---

Comment #5

Zope herd, please bump.

---

Comment #6

http://plone.org/products/plone-hotfix/releases/20071106-2

Version 2 of the hotfix corrects several bugs found in the original release.

Zope, what's the status here?

---

Comment #7

(In reply to comment #6)
> http://plone.org/products/plone-hotfix/releases/20071106-2
> Version 2 of the hotfix corrects several bugs found in the original release.
>
> Zope, what's the status here?

*ping*

---

Comment #8

It took our one-man-herd ;) a little bit longer. Sorry for that. I committed the corrected ebuild for version 2.5.5 to the tree.

BTW: should I change the bug's Whiteboard after such an action?

---

Comment #9

No need to, we're monitoring comments and will do the next steps. Thanks for bumping!

This issue only affects ~arch ebuilds, so it will not result in a GLSA. If you want the 2.5 branch to be subject to "full" security support, you need to get this current version stable. Please remove the vulnerable 2.5 and 2.5.3 ebuilds if you can.