[plonegov-br] Security vulnerability announcement: 20130611 - Multiple vectors

Davi Lima davilima6 at gmail.com
Wed Jun 5 01:11:10 BRT 2013


"In that kind of community, the ties between people and the diversity inhibit
bad conduct."

Very well put! It gives a thoroughly up-to-date answer to the question "who
can say no or yes in Plone?" The answer is distributed, P2P. The currency is
reputation among peers.

Other than that, watch out for the flames :-)

Cheers,
Davi


2013/6/4 Marcio Mazza <marciomazza at gmail.com>

> Charles,
>
> Installing these patches usually consists of adding one line to a
> configuration file, running buildout and restarting.
> It really is simple. The instructions you read are standardized with a very
> broad audience in mind, one that includes clients. For instance, a site owner
> may read this and have to contact whoever built the site for them. But whoever
> built it won't have any trouble.
>
> One of Plone's great differentiators is precisely having a broad,
> long-standing community spread across different countries and market segments.
> In that kind of community, the ties between people and the diversity inhibit
> bad conduct.
>
> Regards,
>
>
>
> On 4 June 2013 19:57, Charles Henrique <thyarles at gmail.com> wrote:
>
>> My English is as it should be: average. I don't even care; after all, I'm
>> Brazilian. Now, if my Portuguese were like yours -- from someone who has
>> certainly spent more than 11 years studying the Portuguese language -- I would
>> be worried and embarrassed.
>>
>> I'm even hesitant about whether or not to ask you to define the word
>> "character".
>>
>> --
>> Charles Henrique
>>
>>
>> On Tue, Jun 4, 2013 at 6:46 PM, Gleisson Henrique <gleissonbr at gmail.com> wrote:
>>
>>> Charles,
>>>
>>> It's not looking good for your English, nor for your knowledge of the
>>> character of the Plone Foundation.
>>>
>>> Regards,
>>> Gleisson
>>> On Jun 4, 2013 5:33 PM, "Fabio Rizzo" <fabiorizzo at liberiun.com> wrote:
>>>
>>>> Hi Charles,
>>>>
>>>> I don't think that was the point. What he meant is that if you don't
>>>> know how to do it, someone will do it for you.
>>>>
>>>> Regards
>>>>
>>>>
>>>> ---
>>>> Fábio Rizzo Matos
>>>> Co-Founder / CEO Liberiun.com
>>>> +55 11 2325-2662
>>>>
>>>> Vindula Intranet - Corporate Intranet Solution
>>>> www.vindula.com.br
>>>> Follow Vindula on twitter: @vindulaintranet <http://www.twitter.com/vindulaintranet>
>>>>
>>>>
>>>> 2013/6/4 Charles Henrique <charleshenrique at pgr.mpf.gov.br>
>>>>
>>>>> Dear all,
>>>>>
>>>>> Yet another fix for a serious vulnerability, scheduled for *11 June 2013*,
>>>>> affecting every version of Plone. I'm starting to think these flaws are
>>>>> intentional, since the message includes guidance on where to hire specialized
>>>>> consulting in case the company doesn't have a Plone ninja. Perhaps the *core
>>>>> developers* aren't as well-intentioned as we think.
>>>>>
>>>>> Best regards,
>>>>>
>>>>> Charles Henrique G. Santos
>>>>> Procuradoria Geral da República
>>>>> Ministério Público Federal (61) 3105-6795
>>>>>
>>>>> "A clean environment is not the one that gets cleaned the most,
>>>>> but the one that gets dirtied the least."
>>>>>
>>>>>
>>>>>
>>>>> -------- Original Message --------
>>>>> Subject: Security vulnerability announcement: 20130611 - Multiple vectors
>>>>> Date: Fri, 31 May 2013 10:26:24 GMT
>>>>> From: <Matthew Wilkes>
>>>>>
>>>>>  CVE numbers not yet issued.
>>>>>
>>>>> *Versions Affected:* All current Plone versions.
>>>>>
>>>>> *Versions Not Affected:* None.
>>>>>
>>>>> *This is a pre-announcement.* Due to the severity of some of these
>>>>> issues, we are providing an advance warning of an upcoming patch. The patch
>>>>> will be released on this page <http://plone.org/products/plone-hotfix/releases/20121106>
>>>>> at *2013-06-11 15:00 UTC* <http://www.timeanddate.com/worldclock/fixedtime.html?msg=Plone+security+patch+release&iso=20130611T15>.
>>>>>
>>>>> What You Should Do in Advance of Patch Availability
>>>>>
>>>>> Due to the nature of the vulnerability, the security team has decided
>>>>> to pre-announce that a fix is upcoming before disclosing the details. This
>>>>> is to ensure that concerned users can plan around the release.  As the fix
>>>>> being published will make the details of the vulnerability public, we are
>>>>> recommending that all users plan a maintenance window for the 60 minutes
>>>>> following the announcement in which to install the fix.
>>>>>
>>>>> Meanwhile, we STRONGLY recommend that you take the following steps to
>>>>> protect your site:
>>>>>
>>>>>    1. Make sure that the Zope/Plone service is running with
>>>>>    minimum privileges. Ideally, the Zope and ZEO services should be able to
>>>>>    write only to log and data directories.
>>>>>    2. Use an intrusion detection system that monitors key system
>>>>>    resources for unauthorized changes.
>>>>>    3. Monitor your Zope, reverse-proxy request and system logs for
>>>>>    unusual activity.
>>>>>
>>>>> These are standard precautions that should be employed on any
>>>>> production system.
>>>>>
>>>>> Extra Help
>>>>>
>>>>> Should you not have in-house server administrators or a service
>>>>> agreement looking after your website, you can find consulting companies on
>>>>> plone.net.
>>>>>
>>>>> There is also free support <http://plone.org/support> available
>>>>> online via Plone mailing lists and the Plone IRC channels.
>>>>>
>>>>> *Q: When will the patch be made available?*
>>>>> A: The Plone Security Team will release the patch at 2013-06-11
>>>>> 15:00 UTC.
>>>>>
>>>>> *Q: What will be involved in applying the patch?*
>>>>> A: Patches are made available as tarball-style archives that may be
>>>>> unpacked into the products folder of a buildout installation and as
>>>>> Python packages that may be installed by editing a buildout configuration
>>>>> file and running buildout. Patching is generally easy and quick to
>>>>> accomplish.
>>>>>
>>>>> *Q: How were these vulnerabilities found?*
>>>>> A: The majority of issues were found as part of audits performed by
>>>>> the Plone Security team. A subset were reported by users. More details will
>>>>> be available upon release of the patch.
>>>>>
>>>>> *Q: My site is highly visible and mission-critical. I hear the patch
>>>>> has already been developed. Can I get the fix before the release date?*
>>>>> A: No. The patch will be made available to *all users at the same
>>>>> time*. There are no exceptions.
>>>>>
>>>>> *Q: If the patch has been developed already, why isn't it made
>>>>> available to the public now?*
>>>>> A: The Security Team is still testing the patch and running various
>>>>> scenarios thoroughly. The team is also making sure everybody has
>>>>> appropriate time to plan to patch their Plone installation(s). Some
>>>>> consultancy organizations have hundreds of sites to patch and need the
>>>>> extra time to coordinate their efforts with their clients.
>>>>>
>>>>> *Q: How does one exploit the vulnerability?*
>>>>> A: This information will not be made public until after the patch is
>>>>> made available.
>>>>>
>>>>> *General questions about this announcement*, Plone patching
>>>>> procedures, and availability of support may be addressed to the Plone
>>>>> support forums <http://plone.org/support>. If you have *specific
>>>>> questions* about this vulnerability or its handling, contact the Plone
>>>>> Security Team <security at plone.org>.
>>>>>
>>>>> *To report potentially security-related issues*, e-mail the Plone
>>>>> Security Team at security at plone.org. We are always happy to credit
>>>>> individuals and companies who make responsible disclosures.
>>>>>
>>>>> Information for Vulnerability Database Maintainers
>>>>>
>>>>> We will issue individual advice on each issue, including CVSS2 and CWE
>>>>> identifiers when the patch is released. We currently do not have CVE
>>>>> numbers assigned, but are in the process of applying.
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Comunidade Plone no Governo
>>>>> Site: http://www.softwarelivre.gov.br/plone
>>>>> Wiki: http://colab.interlegis.leg.br/wiki/PloneGovBr
>>>>> List: http://listas.interlegis.gov.br/mailman/listinfo/plonegov-br
>>>>>
>>>>>
>>>>
>>
>
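The advisory's first pre-patch recommendation (run Zope/ZEO with minimum privileges, writing only to log and data directories) is something you can check rather than assume. The script below is an added example, not code from the Plone project or from anyone in this thread: a small Python audit that walks a buildout tree and lists every path the service identity could write to outside an allow-list of log and ZODB data directories. The directory names in DEFAULT_ALLOWED, the uid/gids passed in, and the sample tree built by build_demo_instance() are assumptions for illustration, not a real instance.

```python
"""Least-privilege audit for a Zope/Plone buildout tree.

Added example (not the project's own code). Lists every path under a buildout
root that the service identity could write to and that is not inside a
directory the Zope/ZEO processes are expected to write to (logs and ZODB
data). The decision uses only the owner/group/mode bits from lstat(2), so an
administrator can run the audit on behalf of any uid.
"""
import os
import shutil
import stat
import tempfile

# Assumption: a conventional buildout layout. Adjust to your instance.
DEFAULT_ALLOWED = ("var/log", "var/filestorage", "var/blobstorage")


def can_write(st, uid, gids):
    """POSIX DAC check: may a process running as uid (member of gids) write
    the object described by stat result st?  Root's DAC bypass is deliberately
    not modelled: a service running as uid 0 can write everything, and the fix
    for that is to stop running it as root."""
    mode = st.st_mode
    if st.st_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def audit_writable(root, uid, gids, allowed=DEFAULT_ALLOWED):
    """Return sorted root-relative paths (directories and files) that the
    service identity could write to, excluding the allowed subtrees."""
    root = os.path.abspath(root)
    allowed_abs = [os.path.join(root, a) for a in allowed]
    offending = []
    for dirpath, dirnames, filenames in os.walk(root):
        if any(dirpath == a or dirpath.startswith(a + os.sep) for a in allowed_abs):
            dirnames[:] = []  # writes here are expected; do not descend
            continue
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink mode bits are not meaningful
            if can_write(st, uid, gids):
                offending.append(os.path.relpath(path, root))
    return sorted(offending)


def build_demo_instance():
    """Constructed sample tree (not a real Plone instance): code and config
    directories read-only, except for one deliberate mistake, a writable
    parts/instance/etc holding a writable zope.conf."""
    root = tempfile.mkdtemp(prefix="plone-demo-")
    layout = {
        "bin/instance": ("#!/bin/sh\nexec python bin/interpreter\n", 0o555),
        "eggs/.keep": ("", 0o444),
        "parts/instance/etc/zope.conf": ("instancehome $INSTANCE\n", 0o664),
        "var/log/instance.log": ("", 0o644),
        "var/filestorage/Data.fs": ("", 0o644),
    }
    for rel, (content, mode) in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
        os.chmod(path, mode)
    for rel in ("bin", "eggs", "parts", "parts/instance", "var"):
        os.chmod(os.path.join(root, rel), 0o555)
    os.chmod(os.path.join(root, "parts", "instance", "etc"), 0o775)  # the mistake
    os.chmod(root, 0o555)
    return root


def remove_demo_instance(root):
    """Restore write permission so the read-only demo tree can be deleted."""
    for dirpath, _dirs, _files in os.walk(root):
        os.chmod(dirpath, 0o700)
    shutil.rmtree(root)


def demo():
    """Audit the sample tree, fix the mistake, audit again."""
    root = build_demo_instance()
    try:
        uid, gids = os.getuid(), {os.getgid()}
        before = audit_writable(root, uid, gids)
        etc = os.path.join(root, "parts", "instance", "etc")
        os.chmod(os.path.join(etc, "zope.conf"), 0o444)
        os.chmod(etc, 0o555)
        after = audit_writable(root, uid, gids)
    finally:
        remove_demo_instance(root)
    return before, after


if __name__ == "__main__":
    found, fixed = demo()
    print("writable outside log/data dirs:", found or "none")
    print("after fixing permissions:", fixed or "none")
```

Run audit_writable() against the real buildout root with the uid and group list of the account the instance runs as (for example from `id -u plone` and `id -G plone`); an empty result means the service can only write to its log and data directories. On hosts where buildout is run as the same account that serves the site, expect most of the tree to be flagged, which is precisely the condition the advisory's first recommendation is asking you to remove.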
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://listas.interlegis.gov.br/pipermail/plonegov-br/attachments/20130605/a0b50203/attachment.htm


More information about the PloneGov-BR mailing list