[plonegov-br] Security vulnerability announcement: 20130611 - Multiple vectors

Marcio Mazza marciomazza em gmail.com
Tue Jun 4 20:36:25 BRT 2013


Charles,

Installing these patches usually consists of adding a line to a
configuration file, running buildout and restarting.
It really is simple. The instructions you read are standardized with a very
broad audience in mind, one that includes clients. For example, the owner of
a site may read that and have to contact whoever built the site for him. But
whoever built it will have no trouble at all.

One of Plone's great differentiators is precisely having a community that is
broad, long-standing and spread across different countries and market
segments. In that kind of community, the ties between people and the
diversity inhibit bad behaviour.

Regards,



On 4 June 2013 19:57, Charles Henrique <thyarles em gmail.com> wrote:

> My English is the way it should be: average. I don't mind, after all I am
> Brazilian. Now, if my Portuguese were like yours -- you who have certainly
> spent more than 11 years studying the Portuguese language -- I would be
> worried and embarrassed.
>
> I am even hesitant about whether or not I should ask you to define the word
> "caráter" (character).
>
> --
> Charles Henrique
>
>
> On Tue, Jun 4, 2013 at 6:46 PM, Gleisson Henrique <gleissonbr em gmail.com> wrote:
>
>> Charles,
>>
>> It's looking bad for your English and for your knowledge of the "carácter"
>> (character) of the Plone Foundation.
>>
>> Regards,
>> Gleisson
>> On Jun 4, 2013 5:33 PM, "Fabio Rizzo" <fabiorizzo em liberiun.com> wrote:
>>
>>> Hi Charles,
>>>
>>> I don't think that was the spirit of it. He meant more that if you don't
>>> know how to do it, someone will do it for you.
>>>
>>> Regards
>>>
>>>
>>> ---
>>> Fábio Rizzo Matos
>>> Co-Founder / CEO Liberiun.com
>>> +55 11 2325-2662
>>>
>>> Vindula Intranet - Corporate Intranet Solution
>>> www.vindula.com.br
>>> Follow Vindula on Twitter: @vindulaintranet <http://www.twitter.com/vindulaintranet>
>>>
>>>
>>> 2013/6/4 Charles Henrique <charleshenrique em pgr.mpf.gov.br>
>>>
>>>> Dear all,
>>>>
>>>> Yet another fix for a serious vulnerability, scheduled for *11/6/2013*,
>>>> which affects every version of Plone. I am starting to think that such
>>>> flaws are deliberate, since the message contains guidance on where to hire
>>>> specialized consulting in case the company doesn't have a Plone ninja.
>>>> Maybe the *core developers* are not as well intentioned as we think.
>>>>
>>>> Kind regards,
>>>>
>>>> Charles Henrique G. Santos
>>>> Procuradoria Geral da República
>>>> Ministério Público Federal (61) 3105-6795
>>>>
>>>> "A clean environment is not the one that gets cleaned the most
>>>>  but the one that gets dirtied the least."
>>>>
>>>>
>>>>
>>>> -------- Original Message --------
>>>> Subject: Security vulnerability announcement: 20130611 - Multiple vectors
>>>> Date: Fri, 31 May 2013 10:26:24 GMT
>>>> From: <Matthew Wilkes>
>>>>
>>>> CVE numbers not yet issued.
>>>>
>>>> *Versions Affected:* All current Plone versions.
>>>>
>>>> *Versions Not Affected:* None.
>>>>
>>>> *This is a pre-announcement.* Due to the severity of some of these
>>>> issues, we are providing an advance warning of an upcoming patch. The patch
>>>> will be released on this page <http://plone.org/products/plone-hotfix/releases/20121106>
>>>> at *2013-06-11 15:00 UTC* <http://www.timeanddate.com/worldclock/fixedtime.html?msg=Plone+security+patch+release&iso=20130611T15>.
>>>>
>>>> What You Should Do in Advance of Patch Availability
>>>>
>>>> Due to the nature of the vulnerability, the security team has decided
>>>> to pre-announce that a fix is upcoming before disclosing the details. This
>>>> is to ensure that concerned users can plan around the release. As the fix
>>>> being published will make the details of the vulnerability public, we are
>>>> recommending that all users plan a maintenance window for the 60 minutes
>>>> following the announcement in which to install the fix.
>>>>
>>>> Meanwhile, we STRONGLY recommend that you take the following steps to
>>>> protect your site:
>>>>
>>>>    1. Make sure that the Zope/Plone service is running with
>>>>    minimum privileges. Ideally, the Zope and ZEO services should be able to
>>>>    write only to log and data directories.
>>>>    2. Use an intrusion detection system that monitors key system
>>>>    resources for unauthorized changes.
>>>>    3. Monitor your Zope, reverse-proxy request and system logs for
>>>>    unusual activity.
>>>>
>>>> These are standard precautions that should be employed on any
>>>> production system.
>>>>
>>>> Extra Help
>>>>
>>>> Should you not have in-house server administrators or a service
>>>> agreement looking after your website, you can find consulting companies on
>>>> plone.net.
>>>>
>>>> There is also free support <http://plone.org/support> available online
>>>> via Plone mailing lists and the Plone IRC channels.
>>>>
>>>> *Q: When will the patch be made available?*
>>>> A: The Plone Security Team will release the patch at 2013-06-11 15:00
>>>> UTC.
>>>>
>>>> *Q: What will be involved in applying the patch?*
>>>> A: Patches are made available as tarball-style archives that may be
>>>> unpacked into the products folder of a buildout installation and as
>>>> Python packages that may be installed by editing a buildout configuration
>>>> file and running buildout. Patching is generally easy and quick to
>>>> accomplish.
>>>>
>>>> *Q: How were these vulnerabilities found?*
>>>> A: The majority of issues were found as part of audits performed by
>>>> the Plone Security team. A subset were reported by users. More details will
>>>> be available upon release of the patch.
>>>>
>>>> *Q: My site is highly visible and mission-critical. I hear the patch
>>>> has already been developed. Can I get the fix before the release date?*
>>>> A: No. The patch will be made available to *all users at the same time*.
>>>> There are no exceptions.
>>>>
>>>> *Q: If the patch has been developed already, why isn't it made
>>>> available to the public now?*
>>>> A: The Security Team is still testing the patch and running various
>>>> scenarios thoroughly. The team is also making sure everybody has
>>>> appropriate time to plan to patch their Plone installation(s). Some
>>>> consultancy organizations have hundreds of sites to patch and need the
>>>> extra time to coordinate their efforts with their clients.
>>>>
>>>> *Q: How does one exploit the vulnerability?*
>>>> A: This information will not be made public until after the patch is
>>>> made available.
>>>>
>>>> *General questions about this announcement*, Plone patching
>>>> procedures, and availability of support may be addressed to the Plone
>>>> support forums <http://plone.org/support>. If you have *specific
>>>> questions* about this vulnerability or its handling, contact the Plone
>>>> Security Team <security em plone.org>.
>>>>
>>>> *To report potentially security-related issues*, e-mail the Plone
>>>> Security Team at security em plone.org. We are always happy to credit
>>>> individuals and companies who make responsible disclosures.
>>>>
>>>> Information for Vulnerability Database Maintainers
>>>>
>>>> We will issue individual advice on each issue, including CVSS2 and CWE
>>>> identifiers when the patch is released. We currently do not have CVE
>>>> numbers assigned, but are in the process of applying.
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Comunidade Plone no Governo
>>>> Site: http://www.softwarelivre.gov.br/plone
>>>> Wiki: http://colab.interlegis.leg.br/wiki/PloneGovBr
>>>> Lista: http://listas.interlegis.gov.br/mailman/listinfo/plonegov-br
>>>>
>>>>
>>>
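The advisory's first precaution (the Zope/ZEO service user should be able to write only to the log and data directories) can be audited with a script like the one below. It is an added example, not code from the original thread or from Plone, and it assumes a buildout layout with logs under var/log and data under var/filestorage and var/blobstorage; the buildout root and the service user name are passed as arguments.

```shell
#!/bin/sh
# Added example (not from the original thread or from Plone): audit a buildout
# tree for the advisory's least-privilege precaution. The service user should
# hold write permission only on the log and data directories. Assumed layout:
# logs in var/log, data in var/filestorage and var/blobstorage (hypothetical).

# Print every directory under $1, outside the allowed set, that the service
# user $2 can write to through the owner bit, or that is world-writable.
# Permission bits are inspected, so the result does not depend on who runs it.
audit_writable_dirs() {
    root="$1"
    svc_user="$2"
    find "$root" -type d \
        \( -path "$root/var/log" -o -path "$root/var/filestorage" \
           -o -path "$root/var/blobstorage" \) -prune \
        -o -type d \( \( -user "$svc_user" -perm -200 \) -o -perm -002 \) -print \
        | sort
}

# Build a constructed, disposable buildout-like tree for demonstration:
# hardened everywhere except parts/instance, which is deliberately left
# writable so the audit has something to report. Prints the tree's root.
make_demo_tree() {
    root="$(mktemp -d)"
    mkdir -p "$root/bin" "$root/eggs" "$root/parts/instance" \
             "$root/var/log" "$root/var/filestorage" "$root/var/blobstorage"
    chmod -R go-w "$root"
    chmod u-w "$root" "$root/bin" "$root/eggs" "$root/parts" "$root/var"
    chmod u+w "$root/parts/instance"
    printf '%s\n' "$root"
}

# Remove a demo tree (write bits must be restored before rm can unlink).
remove_demo_tree() {
    chmod -R u+w "$1" && rm -rf "$1"
}
```

Run it against a real installation as `audit_writable_dirs /path/to/buildout zope`; an empty result means no directory outside var/log and the data stores is writable by that user.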