[plonegov-br] Security vulnerability announcement: 20130611 - Multiple vectors

Charles Henrique thyarles em gmail.com
Terça Junho 4 18:24:38 BRT 2013

Não tão infeliz quanto o ato, se verdadeiro o comentário.

Já vi isso em outros open sources... quem pode dizer que não ou que
sim no Plone?
Charles Henrique

On Tue, Jun 4, 2013 at 5:24 PM, Luís Flávio Loreto da Rocha
<luis.rocha em ebc.com.br> wrote:
> Nossa, que comentário infeliz!
> Luis Flávio Loreto da Rocha
> Coordenador de Projetos Digitais
> Gerência de Criação - DICAP
> EBC - Empresa Brasil de Comunicação
> (61) 3799-5437
> ----- Mensagem original -----
>> De: "Charles Henrique" <charleshenrique em pgr.mpf.gov.br>
>> Para: "Comunidade Plone no Governo" <plonegov-br em listas.interlegis.gov.br>
>> Enviadas: Terça-feira, 4 de Junho de 2013 14:18:23
>> Assunto: [plonegov-br] Security vulnerability announcement: 20130611 - Multiple vectors
>> Prezados,
>> Mais uma correção de grave vulnerabilidade prevista para o dia 11/6/
>> 2013 , que alcança todas as versões do Plone. Estou começando a achar
>> que tais falhas são propositais, pois na mensagem existem orientações
>> de onde contratar consultoria especializada, caso a empresa não tenha
>> um ninja em Plone. Talvez os cores developers não estejam tão bem
>> intencionados, como pensamos.
>> Atenciosamente,
>> Charles Henrique G. Santos
>> Procuradoria Geral da República
>> Ministério Público Federal
>> (61) 3105-6795
>> "Ambiente limpo não é o que mais se limpa
>> e sim o que menos se suja."
>> -------- Mensagem original --------
>> Assunto: Security vulnerability announcement: 20130611 - Multiple
>> vectors
>> Data: Fri, 31 May 2013 10:26:24 GMT
>> De: <Matthew Wilkes>
>> Security vulnerability announcement: 20130611 - Multiple vectors
>> CVE numbers not yet issued.
>> Versions Affected: All current Plone versions.
>> Versions Not Affected: None.
>> This is a pre-announcement. Due to the severity of some of these
>> issues, we are providing an advance warning of an upcoming patch. The
>> patch will be released on this page at 2013-06-11 15:00 UTC . What You
>> Should Do in Advance of Patch Availability
>> Due to the nature of the vulnerability, the security team has decided
>> to pre-announce that a fix is upcoming before disclosing the details.
>> This is to ensure that concerned users can plan around the release. As
>> the fix being published will make the details of the vulnerability
>> public, we are recommending that all users plan a maintenance window
>> for the 60 minutes following the announcement in which to install the
>> fix.
>> Meanwhile, we STRONGLY recommend that you take the following steps to
>> protect your site:
>> 1. Make sure that the Zope/Plone service is running with with minimum
>> privileges. Ideally, the Zope and ZEO services should be able to write
>> only to log and data directories.
>> 2. Use an intrusion detection system that monitors key system
>> resources for unauthorized changes.
>> 3. Monitor your Zope, reverse-proxy request and system logs for
>> unusual activity.
>> These are standard precautions that should be employed on any
>> production system. Extra Help
>> Should you not have in-house server administrators or a service
>> agreement looking after your website, you can find consulting
>> companies on plone.net .
>> There is also free support available online via Plone mailing lists
>> and the Plone IRC channels.
>> Q: When will the patch be made available?
>> A: The Plone Security Team will release the patch at 2013-06-11 15:00
>> UTC.
>> Q. What will be involved in applying the patch?
>> A. Patches are made available as tarball-style archives that may be
>> unpacked into the products folder of a buildout installation and as
>> Python packages that may be installed by editing a buildout
>> configuration file and running buildout. Patching is generally easy
>> and quick to accomplish.
>> Q: How were these vulnerability found?
>> A: The majority of issues were found as part of audits performed by
>> the Plone Security team. A subset were reported by users. More details
>> will be available upon release of the patch.
>> Q: My site is highly visible and mission-critical. I hear the patch
>> has already been developed. Can I get the fix before the release date?
>> A: No. The patch will be made available to all users at the same time
>> . There are no exceptions.
>> Q: If the patch has been developed already, why isn't it made
>> available to the public now?
>> A: The Security Team is still testing the patch and running various
>> scenarios thoroughly. The team is also making sure everybody has
>> appropriate time to plan to patch their Plone installation(s). Some
>> consultancy organizations have hundreds of sites to patch and need the
>> extra time to coordinate their efforts with their clients.
>> Q: How does one exploit the vulnerability?
>> A: This information will not be made public until after the patch is
>> made available.
>> General questions about this announcement , Plone patching procedures,
>> and availability of support may be addressed to the Plone support
>> forums . If you have specific questions about this vulnerability or
>> its handling, contact the Plone Security Team .
>> To report potentially security-related issues , e-mail the Plone
>> Security Team at security em plone.org . We are always happy to credit
>> individuals and companies who make responsible disclosures.
>> Information for Vulnerability Database Maintainers
>> We will issue individual advice on each issue, including CVSS2 and CWE
>> identifiers when the patch is released. We currently do not have CVE
>> numbers assigned, but are in the process of applying.
>> _______________________________________________
>> Comunidade Plone no Governo
>> Site: http://www.softwarelivre.gov.br/plone
>> Wiki: http://colab.interlegis.leg.br/wiki/PloneGovBr
>> Lista: http://listas.interlegis.gov.br/mailman/listinfo/plonegov-br
> _______________________________________________
> Comunidade Plone no Governo
> Site: http://www.softwarelivre.gov.br/plone
> Wiki: http://colab.interlegis.leg.br/wiki/PloneGovBr
> Lista: http://listas.interlegis.gov.br/mailman/listinfo/plonegov-br

Mais detalhes sobre a lista de discussão PloneGov-BR