[plonegov-br] Security vulnerability announcement: 20130611 - Multiple vectors

Gleisson Henrique gleissonbr em gmail.com
Tue Jun 4 18:46:18 BRT 2013


That's a stretch for your English, and for your knowledge of the Plone Foundation's character.

On Jun 4, 2013 5:33 PM, "Fabio Rizzo" <fabiorizzo em liberiun.com> wrote:

> Hello Charles,
> I don't think that was the intent. He rather meant that if you don't know
> how to do it, someone will do it for you.
> Regards
> ---
> Fábio Rizzo Matos
> Co-Founder / CEO Liberiun.com
> +55 11 2325-2662
> Vindula Intranet - Corporate Intranet Solution
> www.vindula.com.br
> Follow Vindula on twitter: @vindulaintranet <http://www.twitter.com/vindulaintranet>
> 2013/6/4 Charles Henrique <charleshenrique em pgr.mpf.gov.br>
>> Dear all,
>> Yet another fix for a serious vulnerability, scheduled for *11/6/2013*,
>> affecting all versions of Plone. I am starting to think these flaws are
>> deliberate, since the message includes guidance on where to hire
>> specialized consulting in case the company does not have a Plone ninja.
>> Maybe the *core developers* are not as well intentioned as we thought.
>> Best regards,
>> Charles Henrique G. Santos
>> Procuradoria Geral da República
>> Ministério Público Federal (61) 3105-6795
>> "A clean environment is not the one that is cleaned the most,
>>  but the one that is dirtied the least."
>> -------- Original Message --------
>> Subject: Security vulnerability announcement: 20130611 - Multiple vectors
>> Date: Fri, 31 May 2013 10:26:24 GMT
>> From: Matthew Wilkes
>>  CVE numbers not yet issued.
>> *Versions Affected:* All current Plone versions.
>> *Versions Not Affected:* None.
>> *This is a pre-announcement.* Due to the severity of some of these
>> issues, we are providing an advance warning of an upcoming patch. The patch
>> will be released on this page <http://plone.org/products/plone-hotfix/releases/20121106>
>> at *2013-06-11 15:00 UTC* <http://www.timeanddate.com/worldclock/fixedtime.html?msg=Plone+security+patch+release&iso=20130611T15>.
>>  What You Should Do in Advance of Patch Availability
>> Due to the nature of the vulnerability, the security team has decided to
>> pre-announce that a fix is upcoming before disclosing the details. This is
>> to ensure that concerned users can plan around the release.  As the fix
>> being published will make the details of the vulnerability public, we are
>> recommending that all users plan a maintenance window for the 60 minutes
>> following the announcement in which to install the fix.
>> Meanwhile, we STRONGLY recommend that you take the following steps to
>> protect your site:
>>    1. Make sure that the Zope/Plone service is running with minimum
>>    privileges. Ideally, the Zope and ZEO services should be able to write only
>>    to log and data directories.
>>    2. Use an intrusion detection system that monitors key system
>>    resources for unauthorized changes.
>>    3. Monitor your Zope, reverse-proxy request and system logs for
>>    unusual activity.
>>  These are standard precautions that should be employed on any production
>> system.
>>  Extra Help
>> Should you not have in-house server administrators or a service agreement
>> looking after your website, you can find consulting companies on
>> plone.net.
>> There is also free support <http://plone.org/support> available online
>> via Plone mailing lists and the Plone IRC channels.
>> *Q: When will the patch be made available?*
>> A: The Plone Security Team will release the patch at 2013-06-11 15:00
>> UTC.
>> *Q: What will be involved in applying the patch?*
>> A: Patches are made available as tarball-style archives that may be
>> unpacked into the products folder of a buildout installation and as
>> Python packages that may be installed by editing a buildout configuration
>> file and running buildout. Patching is generally easy and quick to
>> accomplish.
>> *Q: How were these vulnerabilities found?*
>> A: The majority of issues were found as part of audits performed by the
>> Plone Security team. A subset were reported by users. More details will be
>> available upon release of the patch.
>> *Q: My site is highly visible and mission-critical. I hear the patch has
>> already been developed. Can I get the fix before the release date?*
>> A: No. The patch will be made available to *all users at the same time*.
>> There are no exceptions.
>> *Q: If the patch has been developed already, why isn't it made available
>> to the public now?*
>> A: The Security Team is still testing the patch and running various
>> scenarios thoroughly. The team is also making sure everybody has
>> appropriate time to plan to patch their Plone installation(s). Some
>> consultancy organizations have hundreds of sites to patch and need the
>> extra time to coordinate their efforts with their clients.
>> *Q: How does one exploit the vulnerability?*
>> A: This information will not be made public until after the patch is
>> made available.
>> *General questions about this announcement*, Plone patching
>> procedures, and availability of support may be addressed to the Plone
>> support forums <http://plone.org/support>. If you have *specific
>> questions* about this vulnerability or its handling, contact the Plone
>> Security Team <security em plone.org>.
>> *To report potentially security-related issues*, e-mail the Plone
>> Security Team at security em plone.org. We are always happy to credit
>> individuals and companies who make responsible disclosures.
>>  Information for Vulnerability Database Maintainers
>> We will issue individual advice on each issue, including CVSS2 and CWE
>> identifiers when the patch is released. We currently do not have CVE
>> numbers assigned, but are in the process of applying.
>> _______________________________________________
>> Plone in Government Community
>> Site: http://www.softwarelivre.gov.br/plone
>> Wiki: http://colab.interlegis.leg.br/wiki/PloneGovBr
>> List: http://listas.interlegis.gov.br/mailman/listinfo/plonegov-br
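The advisory's first precaution, that the Zope and ZEO processes should be able to write only to their log and data directories, is easy to state and easy to get wrong on a buildout that was installed or patched as root and then handed to a service account. The following Python script is an added example and is not part of this thread or of the Plone advisory. It evaluates POSIX mode bits the way the kernel does for a given uid and group list and reports every path the service user could write to outside an allowed list. The `plone` uid/gid of 1001, the allowed directories (`var/log`, `var/filestorage`, `var/blobstorage`) and the sample tree are assumptions constructed for the example; `scan_buildout` runs the same check against a real directory.

```python
"""Report paths a Zope/ZEO service account can write to outside its log/data dirs.

Added example, not code from the plonegov-br thread or the Plone advisory.
The 'plone' uid/gid, the allowed directories and the sample tree below are
assumptions constructed for illustration.
"""
import os
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    path: str   # path relative to the buildout root
    mode: int   # permission bits only, as from stat.S_IMODE(st_mode)
    uid: int    # owner uid
    gid: int    # owner gid


def can_write(entry, uid, gids):
    """POSIX discretionary check: owner bits if the uid matches, otherwise group
    bits if any of the process' groups matches, otherwise the 'other' bits.
    Root bypasses mode bits entirely. ACLs are deliberately not considered."""
    if uid == 0:
        return True
    if entry.uid == uid:
        return bool(entry.mode & stat.S_IWUSR)
    if entry.gid in gids:
        return bool(entry.mode & stat.S_IWGRP)
    return bool(entry.mode & stat.S_IWOTH)


def unexpected_writable(entries, uid, gids, allowed_prefixes):
    """Return, sorted, the paths writable by (uid, gids) that do not live under
    one of the allowed prefixes."""
    def allowed(path):
        return any(path == a or path.startswith(a.rstrip("/") + "/")
                   for a in allowed_prefixes)
    return sorted(e.path for e in entries
                  if can_write(e, uid, gids) and not allowed(e.path))


def scan_buildout(root, uid, gids, allowed_prefixes):
    """Walk a real buildout tree (lstat, so symlinks are not followed) and run
    the same check. Pass the service user's full group list, e.g.
    os.getgrouplist('plone', 1001)."""
    entries = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            entries.append(Entry(os.path.relpath(full, root),
                                 stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid))
    return unexpected_writable(entries, uid, gids, allowed_prefixes)


# Constructed sample: buildout owned by root, var/ handed to the service account.
PLONE_UID, PLONE_GID = 1001, 1001
ALLOWED = ("var/log", "var/filestorage", "var/blobstorage")
SAMPLE = [
    Entry("buildout.cfg", 0o644, 0, 0),
    Entry("bin/instance", 0o755, 0, 0),
    Entry("parts/instance/etc/zope.conf", 0o664, 0, PLONE_GID),  # group-writable
    Entry("eggs/Plone-4.3-py2.7.egg", 0o777, 0, 0),              # world-writable
    Entry("products", 0o755, 0, 0),                              # admin-only: fine
    Entry("var/log/instance.log", 0o644, PLONE_UID, PLONE_GID),
    Entry("var/filestorage/Data.fs", 0o600, PLONE_UID, PLONE_GID),
    Entry("var/blobstorage", 0o700, PLONE_UID, PLONE_GID),
]


def sample_findings():
    """Findings for the constructed sample tree."""
    return unexpected_writable(SAMPLE, PLONE_UID, (PLONE_GID,), ALLOWED)


if __name__ == "__main__":
    for path in sample_findings():
        print("service user can write outside log/data directories:", path)
```

On the sample tree the two findings are the group-writable `zope.conf` and the world-writable egg, both of which let a compromised Zope process alter code or configuration that is loaded on the next restart. The check covers mode bits only; if the host uses POSIX ACLs, `getfacl` has to be consulted as well, and the `products` directory should stay writable only by the administrator who applies the hotfix tarball, not by the service account.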