[plonegov-br] Security vulnerability announcement: 20130611 - Multiple vectors

Charles Henrique charleshenrique at pgr.mpf.gov.br
Tue Jun 4 14:18:23 BRT 2013


Yet another fix for a serious vulnerability, scheduled for 
*11/6/2013*, and affecting every version of Plone. I'm starting to 
think these flaws are deliberate, since the message includes 
guidance on where to hire specialized consulting in case the company 
doesn't have a Plone ninja. Maybe the /core developers/ are not 
as well-intentioned as we thought.


Charles Henrique G. Santos
Procuradoria Geral da República
Ministério Público Federal
(61) 3105-6795

"A clean environment is not the one that is cleaned the most
  but the one that is dirtied the least."

-------- Original Message --------
Subject: 	Security vulnerability announcement: 20130611 - Multiple vectors
Date: 	Fri, 31 May 2013 10:26:24 GMT
From: 	<Matthew Wilkes>

Security vulnerability announcement: 20130611 - Multiple vectors

CVE numbers not yet issued.

*Versions Affected:* All current Plone versions.

*Versions Not Affected:* None.

*This is a pre-announcement.* Due to the severity of some of these 
issues, we are providing an advance warning of an upcoming patch. The 
patch will be released on this page 
<http://plone.org/products/plone-hotfix/releases/20121106> at 
*2013-06-11 15:00 UTC*.

    What You Should Do in Advance of Patch Availability

Due to the nature of the vulnerability, the security team has decided to 
pre-announce that a fix is upcoming before disclosing the details. This 
is to ensure that concerned users can plan around the release.  As the 
fix being published will make the details of the vulnerability public, 
we are recommending that all users plan a maintenance window for the 60 
minutes following the announcement in which to install the fix.

Meanwhile, we STRONGLY recommend that you take the following steps to 
protect your site:

 1. Make sure that the Zope/Plone service is running with minimum
    privileges. Ideally, the Zope and ZEO services should be able to
    write only to log and data directories.
 2. Use an intrusion detection system that monitors key system resources
    for unauthorized changes.
 3. Monitor your Zope, reverse-proxy request and system logs for unusual

These are standard precautions that should be employed on any production 

      Extra Help

Should you not have in-house server administrators or a service 
agreement looking after your website, you can find consulting companies 
on plone.net <http://plone.net/>.

There is also free support <../../../../support> available online via 
Plone mailing lists and the Plone IRC channels.

*Q: When will the patch be made available?*
A: The Plone Security Team will release the patch at 2013-06-11 15:00 UTC.

*Q: What will be involved in applying the patch?*
A: Patches are made available as tarball-style archives that may be 
unpacked into the products folder of a buildout installation and as 
Python packages that may be installed by editing a buildout 
configuration file and running buildout. Patching is generally easy and 
quick to accomplish.

*Q: How were these vulnerabilities found?*
A: The majority of issues were found as part of audits performed by the 
Plone Security team. A subset were reported by users. More details will 
be available upon release of the patch.

*Q: My site is highly visible and mission-critical. I hear the patch has 
already been developed. Can I get the fix before the release date?*
A: No. The patch will be made available to *all users at the same time*. 
There are no exceptions.

*Q: If the patch has been developed already, why isn't it made available 
to the public now?*
A: The Security Team is still testing the patch and running various 
scenarios thoroughly. The team is also making sure everybody has 
appropriate time to plan to patch their Plone installation(s). Some 
consultancy organizations have hundreds of sites to patch and need the 
extra time to coordinate their efforts with their clients.

*Q: How does one exploit the vulnerability?*
A: This information will not be made public until after the patch is 
made available.

*General questions about this announcement*, Plone patching 
procedures, and availability of support may be addressed to the Plone 
support forums <../../../../support>. If you have *specific questions* 
about this vulnerability or its handling, contact the Plone Security 
Team <mailto:security at plone.org>.

*To report potentially security-related issues*, e-mail the Plone 
Security Team at security at plone.org. We are always happy to credit 
individuals and companies who make responsible disclosures.

      Information for Vulnerability Database Maintainers

We will issue individual advice on each issue, including CVSS2 and CWE 
identifiers when the patch is released. We currently do not have CVE 
numbers assigned, but are in the process of applying.
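The first advance precaution in the announcement above (run the Zope/ZEO service so that it can write only to log and data directories) can be checked with a script like the following, added here as an example and not part of the announcement or of Plone's own tooling. It assumes the standard buildout layout (var/log, var/filestorage, var/blobstorage) and takes the buildout root and the service user as arguments.

```shell
#!/bin/sh
# Added example (not from the Plone announcement): check that the Zope/ZEO
# service user can write only to the log and data directories of a
# buildout-based Plone install (step 1 of the advance precautions).
# Assumptions: the standard buildout layout (var/log, var/filestorage,
# var/blobstorage); extend ALLOWED_WRITABLE if your instance keeps pid/lock
# files or other state elsewhere. ROOT should be an absolute path.

ALLOWED_WRITABLE="var/log var/filestorage var/blobstorage"

# allowed_dir REL: succeed if REL (relative to the buildout root) is one of
# the allowed directories or lies beneath one of them.
allowed_dir() {
    for a in $ALLOWED_WRITABLE; do
        case "$1" in "$a"|"$a"/*) return 0 ;; esac
    done
    return 1
}

# audit_writable ROOT USER: print every directory under ROOT whose mode bits
# let USER write to it (owned by USER with owner-write, or world-writable)
# but which is not an allowed log/data directory. Empty output means clean.
# Group-writable directories are not examined here, since that depends on
# USER's group membership; add a -group clause for the service group if needed.
audit_writable() {
    root=$1
    user=$2
    find "$root" -type d \( \( -user "$user" -perm -200 \) -o -perm -002 \) |
    while IFS= read -r d; do
        rel=${d#"$root"}
        rel=${rel#/}
        allowed_dir "$rel" || printf '%s\n' "$d"
    done
}

# Usage: sh audit_plone_perms.sh /srv/plone/buildout plone-daemon
if [ "$#" -eq 2 ]; then
    unexpected=$(audit_writable "$1" "$2")
    if [ -n "$unexpected" ]; then
        printf 'Directories writable by %s outside log/data:\n%s\n' "$2" "$unexpected"
    else
        echo "OK: $2 can write only to log and data directories under $1"
    fi
fi
```

The buildout root itself is reported when it is writable by the service user, since a service that can create files there can also alter the instance's own configuration.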
