[plonegov-br] Security vulnerability announcement: 20130611 - Multiple vectors

Gleisson Henrique gleissonbr em gmail.com
Tue Jun 4 20:35:30 BRT 2013


Look, I'm sorry if it seemed I was being ironic. That was not my
intention and this is not the forum for that. Besides, I don't consider this
list all that formal. My Android's dictionary is not the best. I have
already configured it not to replace words automatically, but there is some
bug. I switched to English to reply to you, even if it ends up
without the correct accents.

The advisory has standard wording. If you look, they suggest that the fix be
applied by in-house staff, by outsourced staff, or through the help channel at
no cost. The fact that they point to a list of companies skilled in Plone is
nothing unusual. On the contrary, for those users who know nothing about Plone
it is already quite a help, since it shows the way. Several technologies, free
software or not, have adopted this practice to fund their operations: Oracle,
Microsoft, Novell, Joomla, WordPress and so on. The Brazilian government itself
does this in some campaigns. In return, the companies bear the cost.

Regards,
Gleisson

My English is as it should be: average. I don't mind, after all I'm
Brazilian. Now, if my Portuguese were like yours -- you who certainly
spent more than 11 years studying the Portuguese language -- I would be
worried and embarrassed.

I even hesitate over whether or not I should ask you to define the word
"caráter".

--
Charles Henrique


On Tue, Jun 4, 2013 at 6:46 PM, Gleisson Henrique <gleissonbr em gmail.com>wrote:

> Charles,
>
> Things are getting rough for your English and for your knowledge of the Plone Foundation's "carácter".
>
> Regards,
> Gleisson
> On Jun 4, 2013 5:33 PM, "Fabio Rizzo" <fabiorizzo em liberiun.com> wrote:
>
>> Hi Charles,
>>
>> I don't think that was the intent. He meant more that if you don't know
>> how to do it, someone will do it for you.
>>
>> Regards
>>
>>
>> ---
>> Fábio Rizzo Matos
>> Co-Founder / CEO Liberiun.com
>> +55 11 2325-2662
>>
>> Vindula Intranet - Corporate Intranet Solution
>> www.vindula.com.br
>> Follow Vindula on Twitter: @vindulaintranet <http://www.twitter.com/vindulaintranet>
>>
>>
>> 2013/6/4 Charles Henrique <charleshenrique em pgr.mpf.gov.br>
>>
>>> Dear all,
>>>
>>> Yet another fix for a serious vulnerability, scheduled for *11/6/2013*,
>>> affecting all versions of Plone. I'm starting to think these flaws are
>>> deliberate, since the message contains guidance on where to hire specialized
>>> consulting in case the company does not have a Plone ninja. Perhaps the
>>> *core developers* are not as well-intentioned as we think.
>>>
>>> Sincerely,
>>>
>>> Charles Henrique G. Santos
>>> Procuradoria Geral da República
>>> Ministério Público Federal (61) 3105-6795
>>>
>>> "A clean environment is not the one that gets cleaned the most
>>>  but the one that gets dirtied the least."
>>>
>>>
>>>
>>> -------- Original Message --------
>>> Subject: Security vulnerability announcement: 20130611 - Multiple vectors
>>> Date: Fri, 31 May 2013 10:26:24 GMT
>>> From: <Matthew Wilkes>
>>>
>>>  CVE numbers not yet issued.
>>>
>>> *Versions Affected:* All current Plone versions.
>>>
>>> *Versions Not Affected:* None.
>>>
>>> *This is a pre-announcement.* Due to the severity of some of these
>>> issues, we are providing an advance warning of an upcoming patch. The patch
>>> will be released on this page <http://plone.org/products/plone-hotfix/releases/20121106>
>>> at *2013-06-11 15:00 UTC* <http://www.timeanddate.com/worldclock/fixedtime.html?msg=Plone+security+patch+release&iso=20130611T15>.
>>>
>>> What You Should Do in Advance of Patch Availability
>>>
>>> Due to the nature of the vulnerability, the security team has decided to
>>> pre-announce that a fix is upcoming before disclosing the details. This is
>>> to ensure that concerned users can plan around the release.  As the fix
>>> being published will make the details of the vulnerability public, we are
>>> recommending that all users plan a maintenance window for the 60 minutes
>>> following the announcement in which to install the fix.
>>>
>>> Meanwhile, we STRONGLY recommend that you take the following steps to
>>> protect your site:
>>>
>>> 1. Make sure that the Zope/Plone service is running with minimum
>>>    privileges. Ideally, the Zope and ZEO services should be able to
>>>    write only to log and data directories.
>>> 2. Use an intrusion detection system that monitors key system
>>>    resources for unauthorized changes.
>>> 3. Monitor your Zope, reverse-proxy request and system logs for
>>>    unusual activity.
>>>
>>> These are standard precautions that should be employed on any
>>> production system.
>>>
>>> Extra Help
>>>
>>> Should you not have in-house server administrators or a service
>>> agreement looking after your website, you can find consulting companies on
>>> plone.net.
>>>
>>> There is also free support <http://plone.org/support> available online
>>> via Plone mailing lists and the Plone IRC channels.
>>>
>>> *Q: When will the patch be made available?*
>>> A: The Plone Security Team will release the patch at 2013-06-11 15:00
>>> UTC.
>>>
>>> *Q: What will be involved in applying the patch?*
>>> A: Patches are made available as tarball-style archives that may be
>>> unpacked into the products folder of a buildout installation and as
>>> Python packages that may be installed by editing a buildout configuration
>>> file and running buildout. Patching is generally easy and quick to
>>> accomplish.
>>>
>>> *Q: How were these vulnerabilities found?*
>>> A: The majority of issues were found as part of audits performed by
>>> the Plone Security team. A subset were reported by users. More details will
>>> be available upon release of the patch.
>>>
>>> *Q: My site is highly visible and mission-critical. I hear the patch
>>> has already been developed. Can I get the fix before the release date?*
>>> A: No. The patch will be made available to *all users at the same time*.
>>> There are no exceptions.
>>>
>>> *Q: If the patch has been developed already, why isn't it made
>>> available to the public now?*
>>> A: The Security Team is still testing the patch and running various
>>> scenarios thoroughly. The team is also making sure everybody has
>>> appropriate time to plan to patch their Plone installation(s). Some
>>> consultancy organizations have hundreds of sites to patch and need the
>>> extra time to coordinate their efforts with their clients.
>>>
>>> *Q: How does one exploit the vulnerability?*
>>> A: This information will not be made public until after the patch is
>>> made available.
>>>
>>> *General questions* *about this announcement*, Plone patching
>>> procedures, and availability of support may be addressed to the Plone
>>> support forums <http://plone.org/support>. If you have *specific
>>> questions* about this vulnerability or its handling, contact the Plone
>>> Security Team <security em plone.org>.
>>>
>>> *To report potentially security-related issues,* e-mail the Plone
>>> Security Team at security em plone.org. We are always happy to credit
>>> individuals and companies who make responsible disclosures.
>>>
>>> Information for Vulnerability Database Maintainers
>>>
>>> We will issue individual advice on each issue, including CVSS2 and CWE
>>> identifiers when the patch is released. We currently do not have CVE
>>> numbers assigned, but are in the process of applying.
>>>
>>>
>>>
>>> _______________________________________________
>>> Comunidade Plone no Governo
>>> Site: http://www.softwarelivre.gov.br/plone
>>> Wiki: http://colab.interlegis.leg.br/wiki/PloneGovBr
>>> Lista: http://listas.interlegis.gov.br/mailman/listinfo/plonegov-br
>>>
>>>
>>

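As an added example, not part of this thread or of the Plone advisory: a small Python audit for the first precaution quoted above (Zope/ZEO should be able to write only to log and data directories). It assumes the standard buildout layout where the service only writes under var/log, var/filestorage and var/blobstorage; the function names and the sample tree are constructed here, so adjust the allowlist to your own instance.

```python
import os
import shutil
import stat
import tempfile

# Assumption: standard plone.recipe.zope2instance layout; Zope/ZEO only write under var/.
ALLOWED_WRITABLE = ("var/log", "var/filestorage", "var/blobstorage")

def _writable_by(st, uid, gids):
    """Write permission for uid/gids, judged from the mode bits alone."""
    m = st.st_mode
    return bool((st.st_uid == uid and m & stat.S_IWUSR)
                or (st.st_gid in gids and m & stat.S_IWGRP) or m & stat.S_IWOTH)

def audit_writable(root, uid=None, gids=None, allowed=ALLOWED_WRITABLE):
    """Sorted relative paths (dirs and files, symlinks skipped) that the
    service user can write to outside `allowed`; defaults to this process."""
    uid = os.getuid() if uid is None else uid
    gids = set(os.getgroups() if gids is None else gids)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for full in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            rel = os.path.relpath(full, root)
            if any(rel == a or rel.startswith(a + os.sep) for a in allowed):
                continue
            st = os.lstat(full)
            if not stat.S_ISLNK(st.st_mode) and _writable_by(st, uid, gids):
                findings.append(rel)
    return sorted(findings)

def build_sample_tree():
    """Constructed buildout-like tree; bin/instance and zope.conf left writable on purpose."""
    root = tempfile.mkdtemp(prefix="plone-audit-")
    layout = {"bin/instance": 0o755, "parts/instance/etc/zope.conf": 0o644,
              "var/log/instance.log": 0o644, "var/filestorage/Data.fs": 0o600}
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    for dirpath, _dirs, _files in os.walk(root):
        os.chmod(dirpath, 0o555)  # directories themselves are not writable
    return root

def remove_sample_tree(root):
    """Restore write access to the directories, then delete the tree."""
    for dirpath, _dirs, _files in os.walk(root):
        os.chmod(dirpath, 0o700)
    shutil.rmtree(root)
```

Run `audit_writable("/path/to/buildout", uid=<service uid>, gids=[<service gids>])` against a real instance; anything it reports is a path the service could tamper with if it were compromised.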