[plonegov-br] Security vulnerability announcement: 20130611 - Multiple vectors

Thyago Ribeiro Assunção thyago.assuncao at dprf.gov.br
Wed Jun 5 08:41:20 BRT 2013


 

Charles, I think you are being very hasty with your opinion.

Before any conspiracy theory, you have to look at the facts and put
yourself in the shoes of the people who work hard to keep free tools
alive.

I would like to see you show me any perfect software, immune to
vulnerabilities. That does not exist, and when the people who work on the
core of a tool as large as Plone discover one and inform their clients,
who do you think I am going to hire to fix that flaw in my agency: some
random quick-fix guy, or a company certified by the core developers?
---

Best regards,

Thyago Ribeiro ASSUNÇÃO
Federal Highway Police Officer - DIASI - Systems Administration Division
SEPN 506 - Bloco C - Projeção 08 - Sobreloja
Brasília/DF
Mobile: (61) 8255-2107
thyago.assuncao at dprf.gov.br


On 2013-06-05 01:11, Davi Lima wrote:

> "In this kind of community the ties between people and the diversity
> inhibit bad conduct."
>
> Very well put! It answers, in a very contemporary way, the question
> "who can say yes or no in Plone?" The answer is distributed, P2P. The
> currency is reputation among peers.
>
> Anyway, careful with the flames :-)
>
> []s
> Davi
>
> 2013/6/4 Marcio Mazza <marciomazza at gmail.com>
>
>> Charles,
>>
>> Installing these patches generally consists of putting one line in a
>> configuration file, running buildout and restarting. It really is
>> simple. The instructions you read are standardised with a very broad
>> audience in mind, one that includes clients. For example, the owner of
>> a site may read them and have to contact whoever built the site for
>> him. But whoever built it will have no trouble at all. One of Plone's
>> great differentiators is precisely having a broad, long-standing
>> community spread across different countries and market segments. In
>> this kind of community the ties between people and the diversity
>> inhibit bad conduct.
>>
>> Cheers,
>>
>> On 4 June 2013 19:57, Charles Henrique <thyarles at gmail.com> wrote:
>>
>>> My English is as it should be: average. I don't even mind, after all
>>> I am Brazilian. Now, if my Portuguese were like yours -- you who have
>>> certainly spent more than 11 years studying the Portuguese language
>>> -- I would be worried and embarrassed.
>>>
>>> I am even hesitant about whether or not I should ask you to define
>>> the word "character".
>>>
>>> --
>>> Charles Henrique
>>>
>>> On Tue, Jun 4, 2013 at 6:46 PM, Gleisson Henrique
>>> <gleissonbr at gmail.com> wrote:
>>>
>>>> Charles,
>>>>
>>>> Things are looking bad for your English and for your knowledge of
>>>> the character of the Plone Foundation.
>>>>
>>>> Cheers,
>>>> Gleisson
>>>> On Jun 4, 2013 5:33 PM, "Fabio Rizzo" <fabiorizzo at liberiun.com>
>>>> wrote:
>>>>
>>>>> Hello Charles,
>>>>>
>>>>> I don't think that was the spirit of it. What he meant was more
>>>>> that if you don't know how to do it, someone will do it for you.
>>>>>
>>>>> Regards
>>>>>
>>>>> ---
>>>>> Fábio Rizzo Matos
>>>>> Co-Founder / CEO Liberiun.com
>>>>>
>>>>> +55 11 2325-2662
>>>>>
>>>>> Vindula Intranet - Corporate Intranet Solution
>>>>> www.vindula.com.br [9]
>>>>> Follow Vindula on twitter: @vindulaintranet [10]
>>>>>
>>>>> 2013/6/4 Charles Henrique <charleshenrique at pgr.mpf.gov.br>
>>>>>
>>>>>> Dear all,
>>>>>>
>>>>>> Yet another fix for a serious vulnerability, scheduled for 11 June
>>>>>> 2013 and affecting every version of Plone. I am starting to think
>>>>>> such flaws are deliberate, since the message contains guidance on
>>>>>> where to hire specialised consulting in case the company has no
>>>>>> Plone ninja. Perhaps the _core developers_ are not as
>>>>>> well-intentioned as we think.
>>>>>>
>>>>>> Best regards,
>>>>>>
>>>>>> Charles Henrique G. Santos
>>>>>> Procuradoria Geral da República
>>>>>> Ministério Público Federal
>>>>>> (61) 3105-6795 [1]
>>>>>>
>>>>>> "A clean environment is not the one that is cleaned the most
>>>>>> but the one that is dirtied the least."
>>>>>>
>>>>>> -------- Original message --------
>>>>>>
>>>>>> SUBJECT:
>>>>>> Security vulnerability announcement: 20130611 - Multiple vectors
>>>>>>
>>>>>> DATE:
>>>>>> Fri, 31 May 2013 10:26:24 GMT
>>>>>>
>>>>>> FROM:
>>>>>> <Matthew Wilkes>
>>>>>>
>>>>>> CVE numbers not yet issued.
>>>>>>
>>>>>> VERSIONS AFFECTED: All current Plone versions.
>>>>>>
>>>>>> VERSIONS NOT AFFECTED: None.
>>>>>>
>>>>>> THIS IS A PRE-ANNOUNCEMENT. Due to the severity of some of these
>>>>>> issues, we are providing an advance warning of an upcoming patch.
>>>>>> The patch will be released on this page [2] at 2013-06-11 15:00
>>>>>> UTC [3].
>>>>>>
>>>>>> WHAT YOU SHOULD DO IN ADVANCE OF PATCH AVAILABILITY
>>>>>>
>>>>>> Due to the nature of the vulnerability, the security team has
>>>>>> decided to pre-announce that a fix is upcoming before disclosing
>>>>>> the details. This is to ensure that concerned users can plan
>>>>>> around the release. As the fix being published will make the
>>>>>> details of the vulnerability public, we are recommending that all
>>>>>> users plan a maintenance window for the 60 minutes following the
>>>>>> announcement in which to install the fix.
>>>>>>
>>>>>> Meanwhile, we STRONGLY recommend that you take the following steps
>>>>>> to protect your site:
>>>>>>
>>>>>> * Make sure that the Zope/Plone service is running with minimum
>>>>>>   privileges. Ideally, the Zope and ZEO services should be able to
>>>>>>   write only to log and data directories.
>>>>>> * Use an intrusion detection system that monitors key system
>>>>>>   resources for unauthorized changes.
>>>>>> * Monitor your Zope, reverse-proxy request and system logs for
>>>>>>   unusual activity.
>>>>>>
>>>>>> These are standard precautions that should be employed on any
>>>>>> production system.
>>>>>>
>>>>>> EXTRA HELP
>>>>>>
>>>>>> Should you not have in-house server administrators or a service
>>>>>> agreement looking after your website, you can find consulting
>>>>>> companies on plone.net [4].
>>>>>>
>>>>>> There is also free support [5] available online via Plone mailing
>>>>>> lists and the Plone IRC channels.
>>>>>>
>>>>>> Q: When will the patch be made available?
>>>>>> A: The Plone Security Team will release the patch at 2013-06-11
>>>>>> 15:00 UTC.
>>>>>>
>>>>>> Q. What will be involved in applying the patch?
>>>>>> A. Patches are made available as tarball-style archives that may
>>>>>> be unpacked into the products folder of a buildout installation
>>>>>> and as Python packages that may be installed by editing a buildout
>>>>>> configuration file and running buildout. Patching is generally
>>>>>> easy and quick to accomplish.
>>>>>>
>>>>>> Q: How were these vulnerabilities found?
>>>>>> A: The majority of issues were found as part of audits performed
>>>>>> by the Plone Security team. A subset were reported by users. More
>>>>>> details will be available upon release of the patch.
>>>>>>
>>>>>> Q: MY SITE IS HIGHLY VISIBLE AND MISSION-CRITICAL. I HEAR THE PATCH
>>>>>> HAS ALREADY BEEN DEVELOPED. CAN I GET THE FIX BEFORE THE RELEASE
>>>>>> DATE?
>>>>>> A: No. The patch will be made available to ALL USERS AT THE SAME
>>>>>> TIME. There are no exceptions.
>>>>>>
>>>>>> Q: If the patch has been developed already, why isn't it made
>>>>>> available to the public now?
>>>>>> A: The Security Team is still testing the patch and running
>>>>>> various scenarios thoroughly. The team is also making sure
>>>>>> everybody has appropriate time to plan to patch their Plone
>>>>>> installation(s). Some consultancy organizations have hundreds of
>>>>>> sites to patch and need the extra time to coordinate their efforts
>>>>>> with their clients.
>>>>>>
>>>>>> Q: How does one exploit the vulnerability?
>>>>>> A: This information will not be made public until after the patch
>>>>>> is made available.
>>>>>>
>>>>>> GENERAL QUESTIONS ABOUT THIS ANNOUNCEMENT, Plone patching
>>>>>> procedures, and availability of support may be addressed to the
>>>>>> Plone support forums [5]. If you have SPECIFIC QUESTIONS about this
>>>>>> vulnerability or its handling, contact the Plone Security Team.
>>>>>>
>>>>>> TO REPORT POTENTIALLY SECURITY-RELATED ISSUES, e-mail the Plone
>>>>>> Security Team at security at plone.org. We are always happy to
>>>>>> credit individuals and companies who make responsible disclosures.
>>>>>>
>>>>>> INFORMATION FOR VULNERABILITY DATABASE MAINTAINERS
>>>>>>
>>>>>> We will issue individual advice on each issue, including CVSS2 and
>>>>>> CWE identifiers when the patch is released. We currently do not
>>>>>> have CVE numbers assigned, but are in the process of applying.
>>>>>>
>>>>>> _______________________________________________
>>>>>> Comunidade Plone no Governo
>>>>>> Site: http://www.softwarelivre.gov.br/plone [6]
>>>>>> Wiki: http://colab.interlegis.leg.br/wiki/PloneGovBr [7]
>>>>>> List: http://listas.interlegis.gov.br/mailman/listinfo/plonegov-br [8]



Links:
------
[1] tel:%2861%29%203105-6795
[2] http://plone.org/products/plone-hotfix/releases/20121106
[3] http://www.timeanddate.com/worldclock/fixedtime.html?msg=Plone+security+patch+release&iso=20130611T15
[4] http://plone.net/
[5] http://plone.org/support
[6] http://www.softwarelivre.gov.br/plone
[7] http://colab.interlegis.leg.br/wiki/PloneGovBr
[8] http://listas.interlegis.gov.br/mailman/listinfo/plonegov-br
[9] http://www.vindula.com.br/
[10] http://www.twitter.com/vindulaintranet
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://listas.interlegis.gov.br/pipermail/plonegov-br/attachments/20130605/3a06d0e5/attachment.htm
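The first precaution in the quoted advisory, that the Zope and ZEO services should be able to write only to log and data directories, is easy to state and easy to lose after a buildout run changes ownership or modes. The script below is an added example written for this archive page; it is not code from the advisory, from the plone.org hotfix, or from anyone on this thread. It walks an instance tree and lists every file or directory whose permission bits would let the service account write outside an allow-list. The allow-list (var/log, var/filestorage, var/blobstorage) is an assumption about the usual Plone buildout layout, and the sample tree it builds in a temporary directory is constructed for the demonstration; on a real host you would pass the instance root plus the service user's uid and supplementary gids.

```python
"""Least-privilege audit of a Zope/Plone instance tree.

Added example, not code from the Plone advisory or the plone.org hotfix:
the advisory asks that the Zope and ZEO processes be able to write only to
their log and data directories.  This script walks a buildout tree and
reports every file or directory whose permission bits let the service
account write outside an allow-list of relative directories.

Assumption (not stated on the page): logs live under var/log and ZODB data
under var/filestorage and var/blobstorage, the usual Plone buildout layout.
"""
import os
import stat
import tempfile
from typing import Iterable, List, Set

# Directories, relative to the instance root, the service account may write.
DEFAULT_ALLOWED = ("var/log", "var/filestorage", "var/blobstorage")


def _can_write(st: os.stat_result, uid: int, gids: Set[int]) -> bool:
    """Write access from permission bits alone: owner, then group, then other."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def _under_allowed(rel: str, allowed: Iterable[str]) -> bool:
    """True when `rel` is one of the allowed directories or lies beneath one."""
    return any(rel == a.rstrip("/") or rel.startswith(a.rstrip("/") + "/")
               for a in allowed)


def find_unexpected_writable(root: str, uid: int, gids: Iterable[int],
                             allowed: Iterable[str] = DEFAULT_ALLOWED) -> List[str]:
    """Sorted relative paths outside `allowed` that uid/gids could modify.

    Symlinks are skipped (lstat).  uid 0 is rejected outright: root ignores
    mode bits, so a Zope running as root fails the advisory's test however
    the tree is laid out.
    """
    if uid == 0:
        raise ValueError("service uid 0: run Zope/ZEO as an unprivileged user")
    gids = set(gids)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if not _under_allowed(rel, allowed) and _can_write(st, uid, gids):
                findings.append(rel)
    return sorted(findings)


def build_demo_tree() -> str:
    """Constructed sample instance tree (in a temporary directory) for the demo."""
    root = tempfile.mkdtemp(prefix="plone-audit-")
    dirs = {"bin": 0o755, "parts": 0o755, "parts/instance": 0o755, "src": 0o755,
            "src/mysite": 0o777,                  # world-writable source dir: finding
            "var": 0o755, "var/log": 0o755, "var/filestorage": 0o750}
    files = {"buildout.cfg": 0o644, "bin/instance": 0o755,
             "parts/instance/zope.conf": 0o666,   # world-writable config: finding
             "src/mysite/setup.py": 0o664,        # group-writable: finding only if gid matches
             "var/log/instance.log": 0o666,       # allowed location, ignored
             "var/filestorage/Data.fs": 0o660}    # allowed location, ignored
    for d, mode in dirs.items():
        os.makedirs(os.path.join(root, d), exist_ok=True)
        os.chmod(os.path.join(root, d), mode)
    for f, mode in files.items():
        with open(os.path.join(root, f), "w") as fh:
            fh.write("constructed\n")
        os.chmod(os.path.join(root, f), mode)
    return root


def demo():
    """Audit the constructed tree as a service uid that owns nothing in it.

    Returns (findings with no extra groups, findings with setup.py's group).
    """
    root = build_demo_tree()
    svc_uid = os.getuid() + 1   # constructed: deliberately not the file owner
    src_gid = os.lstat(os.path.join(root, "src", "mysite", "setup.py")).st_gid
    return (find_unexpected_writable(root, svc_uid, []),
            find_unexpected_writable(root, svc_uid, [src_gid]))


if __name__ == "__main__":
    without_group, with_group = demo()
    print("writable outside log/data (other bits only):", without_group)
    print("writable outside log/data (other + group bits):", with_group)
```

The check is deliberately based on mode bits rather than on `os.access()`, so it can be run by an administrator as any user and still answer the question "what could the service account change?"; ACLs, which this does not read, should be audited separately with `getfacl` if the host uses them.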


More information about the PloneGov-BR mailing list