[plonegov-br] Security vulnerability announcement: 20130611 - Multiple vectors

Fabio Rizzo fabiorizzo at liberiun.com
Tue Jun 4 18:01:10 BRT 2013


Hi Charles,

I don't think that was the intent. What he meant is more that if you don't
know how to do it, someone will do it for you.

Regards


---
Fábio Rizzo Matos
Co-Founder / CEO Liberiun.com
+55 11 2325-2662

Vindula Intranet - Corporate Intranet Solution
www.vindula.com.br
Follow Vindula on Twitter:
@vindulaintranet <http://www.twitter.com/vindulaintranet>


2013/6/4 Charles Henrique <charleshenrique at pgr.mpf.gov.br>

> Dear all,
>
> Yet another fix for a serious vulnerability, scheduled for *11 June 2013*,
> affecting every version of Plone. I am starting to think these flaws are
> deliberate, since the message includes guidance on where to hire specialized
> consulting in case the company does not have a Plone ninja. Perhaps the
> *core developers* are not as well-intentioned as we think.
>
> Best regards,
>
> Charles Henrique G. Santos
> Procuradoria Geral da República
> Ministério Público Federal (61) 3105-6795
>
> "A clean environment is not the one that gets cleaned the most,
>  but the one that gets dirtied the least."
>
>
>
> -------- Original Message --------
> Subject: Security vulnerability announcement: 20130611 - Multiple vectors
> Date: Fri, 31 May 2013 10:26:24 GMT
> From: <Matthew Wilkes>
>
>  CVE numbers not yet issued.
>
> *Versions Affected:* All current Plone versions.
>
> *Versions Not Affected:* None.
>
> *This is a pre-announcement.* Due to the severity of some of these
> issues, we are providing an advance warning of an upcoming patch. The patch
> will be released on this page <http://plone.org/products/plone-hotfix/releases/20121106> at
> *2013-06-11 15:00 UTC* <http://www.timeanddate.com/worldclock/fixedtime.html?msg=Plone+security+patch+release&iso=20130611T15>.
>
> What You Should Do in Advance of Patch Availability
>
> Due to the nature of the vulnerability, the security team has decided to
> pre-announce that a fix is upcoming before disclosing the details. This is
> to ensure that concerned users can plan around the release.  As the fix
> being published will make the details of the vulnerability public, we are
> recommending that all users plan a maintenance window for the 60 minutes
> following the announcement in which to install the fix.
>
> Meanwhile, we STRONGLY recommend that you take the following steps to
> protect your site:
>
>    1. Make sure that the Zope/Plone service is running with minimum
>    privileges. Ideally, the Zope and ZEO services should be able to write only
>    to log and data directories.
>    2. Use an intrusion detection system that monitors key system
>    resources for unauthorized changes.
>    3. Monitor your Zope, reverse-proxy request and system logs for
>    unusual activity.
>
>  These are standard precautions that should be employed on any production
> system.
>  Extra Help
>
> Should you not have in-house server administrators or a service agreement
> looking after your website, you can find consulting companies on plone.net.
>
>
> There is also free support <http://plone.org/support> available online
> via Plone mailing lists and the Plone IRC channels.
>
> *Q: When will the patch be made available?*
> A: The Plone Security Team will release the patch at 2013-06-11 15:00
> UTC.
>
> *Q. What will be involved in applying the patch?*
> A. Patches are made available as tarball-style archives that may be
> unpacked into the products folder of a buildout installation and as
> Python packages that may be installed by editing a buildout configuration
> file and running buildout. Patching is generally easy and quick to
> accomplish.
>
> *Q: How were these vulnerabilities found?*
> A: The majority of issues were found as part of audits performed by the
> Plone Security team. A subset were reported by users. More details will be
> available upon release of the patch.
>
> *Q: My site is highly visible and mission-critical. I hear the patch has
> already been developed. Can I get the fix before the release date?*
> A: No. The patch will be made available to *all users at the same time*.
> There are no exceptions.
>
> *Q: If the patch has been developed already, why isn't it made available
> to the public now?*
> A: The Security Team is still testing the patch and running various
> scenarios thoroughly. The team is also making sure everybody has
> appropriate time to plan to patch their Plone installation(s). Some
> consultancy organizations have hundreds of sites to patch and need the
> extra time to coordinate their efforts with their clients.
>
> *Q: How does one exploit the vulnerability?*
> A: This information will not be made public until after the patch is
> made available.
>
> *General questions about this announcement*, Plone patching procedures,
> and availability of support may be addressed to the Plone support forums <http://plone.org/support>.
> If you have *specific questions* about this vulnerability or its
> handling, contact the Plone Security Team <security at plone.org>.
>
> *To report potentially security-related issues*, e-mail the Plone
> Security Team at security at plone.org. We are always happy to credit
> individuals and companies who make responsible disclosures.
>
> Information for Vulnerability Database Maintainers
>
> We will issue individual advice on each issue, including CVSS2 and CWE
> identifiers when the patch is released. We currently do not have CVE
> numbers assigned, but are in the process of applying.
>
>
>
> _______________________________________________
> Plone Community in Government (Comunidade Plone no Governo)
> Site: http://www.softwarelivre.gov.br/plone
> Wiki: http://colab.interlegis.leg.br/wiki/PloneGovBr
> List: http://listas.interlegis.gov.br/mailman/listinfo/plonegov-br
>
>
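The first precaution in the quoted announcement (run the Zope and ZEO services with minimum privileges, able to write only to log and data directories) can be checked mechanically rather than by eye. The audit script below is an added example, not part of the original announcement, of the mailing-list thread, or of Plone itself. It assumes a standard buildout layout in which the only directories the service may write are var/log, var/filestorage and var/blobstorage (the `DEFAULT_WRITABLE` tuple is an assumption; adjust it for your tree), and that the service account name is given on the command line. It judges writability from POSIX mode bits only, so POSIX ACLs or capabilities would need a separate check.

```python
import grp
import os
import pwd
import stat
import sys
from pathlib import Path

# Directories, relative to the buildout root, that a Zope/ZEO service
# legitimately needs to write: logs and ZODB data. This layout is an
# assumption about a standard buildout; adjust it for your own tree.
DEFAULT_WRITABLE = ("var/log", "var/filestorage", "var/blobstorage")


def writable_by(st, uid, gids):
    """True if a principal with this uid and set of gids may write the
    inode described by ``st``, judged on POSIX mode bits alone (no ACLs)."""
    mode = st.st_mode
    if st.st_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def audit_buildout(root, uid, gids, allowed=DEFAULT_WRITABLE):
    """Walk a buildout tree and return the paths (relative to ``root``,
    sorted) that the service principal could write but that lie outside
    the ``allowed`` directories. A writable directory is reported too,
    since the service could create new files in it. Symlinks are skipped
    so a link into var/ does not mask its target's mode."""
    if uid == 0:
        # root bypasses discretionary access control; no mode bits can
        # confine it, so the service must simply not run as root.
        raise ValueError("service must not run as root; nothing to audit")
    root = Path(root)
    allowed_paths = [root / a for a in allowed]
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = Path(dirpath) / name
            if any(path == a or a in path.parents for a in allowed_paths):
                continue
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            if writable_by(st, uid, gids):
                findings.append(str(path.relative_to(root)))
    return sorted(findings)


def principal(username):
    """Resolve a Unix account to (uid, gids), including supplementary groups."""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}
    return pw.pw_uid, gids


if __name__ == "__main__":
    # usage: python audit_zope_perms.py /path/to/buildout zope
    buildout_root, service_user = sys.argv[1], sys.argv[2]
    uid, gids = principal(service_user)
    for finding in audit_buildout(buildout_root, uid, gids):
        print("writable outside log/data:", finding)
```

Run it as the administrator, not as the service account, and treat every reported path as a place where a compromised Zope process could persist or tamper (bin/ launchers, parts/ configuration, src/ and eggs/ code). An empty report means the service account can only touch logs and data; a finding of the buildout root or bin/ directory itself is the one to fix first.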