[plonegov-br] Security vulnerability announcement: 20130611 - Multiple vectors

Luís Flávio Loreto da Rocha luis.rocha em ebc.com.br
Tue Jun 4 17:24:14 BRT 2013


Wow, what an unfortunate comment!


Luis Flávio Loreto da Rocha
Digital Projects Coordinator
Creative Department - DICAP
EBC - Empresa Brasil de Comunicação
(61) 3799-5437

----- Original Message -----
> From: "Charles Henrique" <charleshenrique em pgr.mpf.gov.br>
> To: "Comunidade Plone no Governo" <plonegov-br em listas.interlegis.gov.br>
> Sent: Tuesday, June 4, 2013 14:18:23
> Subject: [plonegov-br] Security vulnerability announcement: 20130611 - Multiple vectors
> Dear all,
> 
> Yet another fix for a serious vulnerability, scheduled for 11/6/2013,
> that affects all versions of Plone. I'm starting to think these flaws
> are deliberate, since the message includes guidance on where to hire
> specialized consulting in case the company doesn't have a Plone ninja.
> Maybe the core developers aren't as well-intentioned as we think.
> 
> 
> Regards,
> 
> Charles Henrique G. Santos
> Procuradoria Geral da República
> Ministério Público Federal
> (61) 3105-6795
> 
> "Ambiente limpo não é o que mais se limpa
> e sim o que menos se suja."
> 
> -------- Original Message --------
> Subject: Security vulnerability announcement: 20130611 - Multiple vectors
> Date: Fri, 31 May 2013 10:26:24 GMT
> From: <Matthew Wilkes>
> 
> Security vulnerability announcement: 20130611 - Multiple vectors
> 
> CVE numbers not yet issued.
> 
> Versions Affected: All current Plone versions.
> 
> Versions Not Affected: None.
> 
> This is a pre-announcement. Due to the severity of some of these
> issues, we are providing an advance warning of an upcoming patch. The
> patch will be released on this page at 2013-06-11 15:00 UTC.
> 
> What You Should Do in Advance of Patch Availability
> 
> 
> Due to the nature of the vulnerability, the security team has decided
> to pre-announce that a fix is upcoming before disclosing the details.
> This is to ensure that concerned users can plan around the release. As
> the fix being published will make the details of the vulnerability
> public, we are recommending that all users plan a maintenance window
> for the 60 minutes following the announcement in which to install the
> fix.
> 
> Meanwhile, we STRONGLY recommend that you take the following steps to
> protect your site:
> 
> 1. Make sure that the Zope/Plone service is running with minimum
> privileges. Ideally, the Zope and ZEO services should be able to write
> only to log and data directories.
> 2. Use an intrusion detection system that monitors key system
> resources for unauthorized changes.
> 3. Monitor your Zope, reverse-proxy request and system logs for
> unusual activity.
> 
> 
> These are standard precautions that should be employed on any
> production system.
> 
> Extra Help
> 
> 
> Should you not have in-house server administrators or a service
> agreement looking after your website, you can find consulting
> companies on plone.net.
> 
> There is also free support available online via Plone mailing lists
> and the Plone IRC channels.
> 
> Q: When will the patch be made available?
> A: The Plone Security Team will release the patch at 2013-06-11 15:00
> UTC.
> 
> Q. What will be involved in applying the patch?
> A. Patches are made available as tarball-style archives that may be
> unpacked into the products folder of a buildout installation and as
> Python packages that may be installed by editing a buildout
> configuration file and running buildout. Patching is generally easy
> and quick to accomplish.
> 
> Q: How were these vulnerabilities found?
> A: The majority of issues were found as part of audits performed by
> the Plone Security team. A subset were reported by users. More details
> will be available upon release of the patch.
> 
> Q: My site is highly visible and mission-critical. I hear the patch
> has already been developed. Can I get the fix before the release date?
> A: No. The patch will be made available to all users at the same
> time. There are no exceptions.
> 
> Q: If the patch has been developed already, why isn't it made
> available to the public now?
> A: The Security Team is still testing the patch and running various
> scenarios thoroughly. The team is also making sure everybody has
> appropriate time to plan to patch their Plone installation(s). Some
> consultancy organizations have hundreds of sites to patch and need the
> extra time to coordinate their efforts with their clients.
> 
> Q: How does one exploit the vulnerability?
> A: This information will not be made public until after the patch is
> made available.
> 
> General questions about this announcement, Plone patching procedures,
> and availability of support may be addressed to the Plone support
> forums. If you have specific questions about this vulnerability or
> its handling, contact the Plone Security Team.
> 
> To report potentially security-related issues, e-mail the Plone
> Security Team at security em plone.org. We are always happy to credit
> individuals and companies who make responsible disclosures.
> 
> Information for Vulnerability Database Maintainers
> 
> 
> We will issue individual advice on each issue, including CVSS2 and CWE
> identifiers when the patch is released. We currently do not have CVE
> numbers assigned, but are in the process of applying.
> 
> 
> _______________________________________________
> Comunidade Plone no Governo
> Site: http://www.softwarelivre.gov.br/plone
> Wiki: http://colab.interlegis.leg.br/wiki/PloneGovBr
> List: http://listas.interlegis.gov.br/mailman/listinfo/plonegov-br
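Step 1 of the quoted advisory (the Zope/ZEO service should be able to write only to its log and data directories) can be checked mechanically. The following is an added example, not part of this thread and not Plone's own tooling; it assumes a standard buildout layout where `var/log`, `var/filestorage` and `var/blobstorage` are the only intended write targets, and it builds a constructed sample tree to audit rather than touching a real instance:

```python
import os
import stat
import tempfile

# Directories (relative to the buildout root) the Zope/ZEO service user must
# be able to write: logs and ZODB data.  Assumed standard Plone buildout layout.
ALLOWED_WRITABLE = ("var/log", "var/filestorage", "var/blobstorage")

def writable_by(st, uid, gids):
    """Plain POSIX permission-bit check (ACLs ignored).  uid 0 bypasses these
    bits entirely, so a service running as root already fails step 1."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit_service_writes(root, uid, gids):
    """List directories outside the allowed log/data trees that the service
    account (uid + gids) could write to.  Empty result = guideline met."""
    root = os.path.realpath(root)
    allowed = {os.path.join(root, rel) for rel in ALLOWED_WRITABLE}
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        if dirpath in allowed:
            dirnames[:] = []  # writes under log/data dirs are expected; skip
            continue
        if writable_by(os.lstat(dirpath), uid, gids):
            findings.append(os.path.relpath(dirpath, root))
    return sorted(findings)

def build_sample_buildout():
    """Constructed sample tree (not a real Plone install): var/* is the data
    area; parts/instance has been left world-writable by mistake."""
    root = tempfile.mkdtemp(prefix="plone-audit-")
    layout = {"var": 0o555, "var/log": 0o750, "var/filestorage": 0o750,
              "var/blobstorage": 0o750, "parts": 0o755, "parts/instance": 0o777,
              "bin": 0o555, "eggs": 0o555}
    for rel in layout:
        os.makedirs(os.path.join(root, rel))
    for rel, mode in layout.items():  # chmod afterwards so umask cannot interfere
        os.chmod(os.path.join(root, rel), mode)
    os.chmod(root, 0o555)
    return root

def demo():
    root = build_sample_buildout()
    uid, gids = os.getuid(), {os.getgid()}
    return {"service_user": audit_service_writes(root, uid, gids),
            "other_user": audit_service_writes(root, uid + 1, set())}
```

Run `audit_service_writes` against the real buildout root with the uid and group list of the account that runs the instance and ZEO; anything it reports outside `var/` is a directory that a compromised Zope process could modify.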


More details about the PloneGov-BR mailing list