FrSIRT/ADV-2007-3754: A vulnerability has been identified in Plone, which could be exploited by remote attackers to compromise a vulnerable system. This issue is caused by input validation errors in the "statusmessages" and "linkintegrity" modules that interpret unsafe network data as python pickles, which could be exploited by remote attackers to execute arbitrary commands with the privileges of the Zope/Plone process.
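As an added illustration of the mitigation for the class of bug described above (this is not code from Plone or from the hotfix): a restricted unpickler that loads pickles built only from literals and rejects any pickle that references a module-level name, which is what a pickle needs in order to call code. The `Marker` class and the sample payloads are constructed for the demonstration.

```python
import io
import pickle


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global (module.name) reference.

    Pickles built only from literals (str, bytes, int, float, bool, None,
    list, tuple, dict, set) never call find_class, so they load normally.
    A pickle that names a class or function has to go through find_class,
    and we raise there, before the unpickler can import or call anything.
    """

    def find_class(self, module, name):
        raise pickle.UnpicklingError(
            f"refusing global reference {module}.{name} in untrusted pickle")


def safe_loads(data: bytes):
    """Drop-in replacement for pickle.loads() on data from the network."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def classify(data: bytes) -> str:
    """'ok' for plain-data pickles, 'rejected' for pickles that reference code."""
    try:
        safe_loads(data)
        return "ok"
    except pickle.UnpicklingError:
        return "rejected"


class Marker:
    """Constructed stand-in for any class a pickle might reference."""


# Constructed sample inputs, modelled on a status message a site might
# round-trip through a cookie: one made of literals only, one that names
# a class and therefore needs find_class during load.
PLAIN = pickle.dumps({"message": "Changes saved.", "type": "info"})
WITH_GLOBAL = pickle.dumps(Marker())

if __name__ == "__main__":
    print(classify(PLAIN))        # ok
    print(classify(WITH_GLOBAL))  # rejected
```

Plain `pickle.loads()` would happily instantiate `Marker` (or anything else the bytes name); the restricted loader treats every such reference as an error and still returns the literal-only payload intact.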
"Affected versions
* Plone 2.5 up to and including 2.5.4
* Plone 3.0 up to and including 3.0.2
These fixes are included in the 2.5.5 and 3.0.3 releases, at which point this hotfix can be removed."
Net-Zope, please advise.
We will release the 2.5.5 version bump this weekend. The last security problem didn't result in a GLSA, so maybe this time it should be done to get some visibility.
(In reply to comment #2)
> We will release the 2.5.5 version bump this weekend. The last security problem
> didn't result in a GLSA, so maybe this time it should be done to get some
> visibility.

Security policy is that ~arch packages are not subject to GLSAs. If the version numbers in the upstream announcement are correct, stable ebuilds are not affected here.
(In reply to comment #2)
> We will release the 2.5.5 version bump this weekend. The last security problem
> didn't result in a GLSA, so maybe this time it should be done to get some
> visibility.

Any news here?
Zope herd, please bump.
http://plone.org/products/plone-hotfix/releases/20071106-2

Version 2 of the hotfix corrects several bugs found in the original release.

Zope, what's the status here?
(In reply to comment #6)
> http://plone.org/products/plone-hotfix/releases/20071106-2
> Version 2 of the hotfix corrects several bugs found in the original release.
>
> Zope, what's the status here?

*ping*
It took our one-man herd ;) a little bit longer. Sorry for that. I committed the corrected ebuild for version 2.5.5 to the tree. BTW: should I change the bug's Whiteboard after such an action?
No need to, we're monitoring the comments and will do the next steps. Thanks for bumping! This issue only affects ~arch ebuilds, so it will not result in a GLSA. If you want the 2.5 branch to be subject to "full" security support, you need to get this current version stable. Please remove the vulnerable 2.5 and 2.5.3 ebuilds if you can.