[plonegov-br] Security vulnerability announcement: 20130611 - Multiple vectors

Charles Henrique thyarles at gmail.com
Wed Jun 5 11:10:19 BRT 2013


www.zenoss.org
--
Charles Henrique


On Wed, Jun 5, 2013 at 10:16 AM, Rafael Bruno Cavalhero de Oliveira
<rafael-bruno.oliveira at serpro.gov.br> wrote:
> Charles,
>
> I got curious: in which "open source" project have you already seen flaws
> being introduced on purpose?
>
> Regards,
>
> Rafael Oliveira - #31-7108
> SERPRO/SUPDE/DEBHE/DE6WE
>
> On 04/06/2013 at 18:51, plonegov-br at listas.interlegis.gov.br wrote:
>
> Not as unfortunate as the act, if the comment turns out to be true.
>
> I have already seen this in other open source projects... who can say
> whether or not it happens in Plone?
> --
> Charles Henrique
>
>
> On Tue, Jun 4, 2013 at 5:24 PM, Luís Flávio Loreto da Rocha
> <luis.rocha at ebc.com.br> wrote:
>> Wow, what an unfortunate comment!
>>
>>
>> Luis Flávio Loreto da Rocha
>> Digital Projects Coordinator
>> Creative Management - DICAP
>> EBC - Empresa Brasil de Comunicação
>> (61) 3799-5437
>>
>> ----- Original message -----
>>> From: "Charles Henrique" <charleshenrique at pgr.mpf.gov.br>
>>> To: "Comunidade Plone no Governo"
>>> <plonegov-br at listas.interlegis.gov.br>
>>> Sent: Tuesday, June 4, 2013 14:18:23
>>> Subject: [plonegov-br] Security vulnerability announcement: 20130611 -
>>> Multiple vectors
>>> Dear all,
>>>
>>> Yet another fix for a serious vulnerability, scheduled for 11 June
>>> 2013, and it affects every version of Plone. I am starting to think
>>> that these flaws are deliberate, because the message contains guidance
>>> on where to hire specialized consulting in case the organization does
>>> not have a Plone ninja. Maybe the core developers are not as well
>>> intentioned as we think.
>>>
>>>
>>> Sincerely,
>>>
>>> Charles Henrique G. Santos
>>> Procuradoria Geral da República
>>> Ministério Público Federal
>>> (61) 3105-6795
>>>
>>> "Ambiente limpo não é o que mais se limpa
>>> e sim o que menos se suja."
>>>
>>> -------- Original message --------
>>> Subject: Security vulnerability announcement: 20130611 - Multiple
>>> vectors
>>> Date: Fri, 31 May 2013 10:26:24 GMT
>>> From: <Matthew Wilkes>
>>>
>>> Security vulnerability announcement: 20130611 - Multiple vectors
>>>
>>> CVE numbers not yet issued.
>>>
>>> Versions Affected: All current Plone versions.
>>>
>>> Versions Not Affected: None.
>>>
>>> This is a pre-announcement. Due to the severity of some of these
>>> issues, we are providing an advance warning of an upcoming patch. The
>>> patch will be released on this page at 2013-06-11 15:00 UTC.
>>>
>>> What You Should Do in Advance of Patch Availability
>>>
>>>
>>> Due to the nature of the vulnerability, the security team has decided
>>> to pre-announce that a fix is upcoming before disclosing the details.
>>> This is to ensure that concerned users can plan around the release. As
>>> the fix being published will make the details of the vulnerability
>>> public, we are recommending that all users plan a maintenance window
>>> for the 60 minutes following the announcement in which to install the
>>> fix.
>>>
>>> Meanwhile, we STRONGLY recommend that you take the following steps to
>>> protect your site:
>>>
>>> 1. Make sure that the Zope/Plone service is running with minimum
>>> privileges. Ideally, the Zope and ZEO services should be able to write
>>> only to log and data directories.
>>> 2. Use an intrusion detection system that monitors key system
>>> resources for unauthorized changes.
>>> 3. Monitor your Zope, reverse-proxy request and system logs for
>>> unusual activity.
>>>
>>>
>>> These are standard precautions that should be employed on any
>>> production system.
>>>
>>> Extra Help
>>>
>>>
>>> Should you not have in-house server administrators or a service
>>> agreement looking after your website, you can find consulting
>>> companies on plone.net.
>>>
>>> There is also free support available online via Plone mailing lists
>>> and the Plone IRC channels.
>>>
>>> Q: When will the patch be made available?
>>> A: The Plone Security Team will release the patch at 2013-06-11 15:00
>>> UTC.
>>>
>>> Q. What will be involved in applying the patch?
>>> A. Patches are made available as tarball-style archives that may be
>>> unpacked into the products folder of a buildout installation and as
>>> Python packages that may be installed by editing a buildout
>>> configuration file and running buildout. Patching is generally easy
>>> and quick to accomplish.
>>>
>>> Q: How were these vulnerabilities found?
>>> A: The majority of issues were found as part of audits performed by
>>> the Plone Security team. A subset were reported by users. More details
>>> will be available upon release of the patch.
>>>
>>> Q: My site is highly visible and mission-critical. I hear the patch
>>> has already been developed. Can I get the fix before the release date?
>>> A: No. The patch will be made available to all users at the same
>>> time. There are no exceptions.
>>>
>>> Q: If the patch has been developed already, why isn't it made
>>> available to the public now?
>>> A: The Security Team is still testing the patch and running various
>>> scenarios thoroughly. The team is also making sure everybody has
>>> appropriate time to plan to patch their Plone installation(s). Some
>>> consultancy organizations have hundreds of sites to patch and need the
>>> extra time to coordinate their efforts with their clients.
>>>
>>> Q: How does one exploit the vulnerability?
>>> A: This information will not be made public until after the patch is
>>> made available.
>>>
>>> General questions about this announcement, Plone patching procedures,
>>> and availability of support may be addressed to the Plone support
>>> forums. If you have specific questions about this vulnerability or
>>> its handling, contact the Plone Security Team.
>>>
>>> To report potentially security-related issues, e-mail the Plone
>>> Security Team at security at plone.org. We are always happy to credit
>>> individuals and companies who make responsible disclosures.
>>>
>>> Information for Vulnerability Database Maintainers
>>>
>>>
>>> We will issue individual advice on each issue, including CVSS2 and CWE
>>> identifiers when the patch is released. We currently do not have CVE
>>> numbers assigned, but are in the process of applying.
>>>
>>>
>>> _______________________________________________
>>> Comunidade Plone no Governo
>>> Site: www.softwarelivre.gov.br/plone
>>> Wiki: colab.interlegis.leg.br/wiki/PloneGovBr
>>> List: listas.interlegis.gov.br/mailman/listinfo/plonegov-br
>
> -
>
>
> "Esta mensagem do SERVIÇO FEDERAL DE PROCESSAMENTO DE DADOS (SERPRO),
> empresa pública federal regida pelo disposto na Lei Federal nº 5.615, é
> enviada exclusivamente a seu destinatário e pode conter informações
> confidenciais, protegidas por sigilo profissional. Sua utilização
> desautorizada é ilegal e sujeita o infrator às penas da lei. Se você a
> recebeu indevidamente, queira, por gentileza, reenviá-la ao emitente,
> esclarecendo o equívoco."
>
> "This message from SERVIÇO FEDERAL DE PROCESSAMENTO DE DADOS (SERPRO) -- a
> government company established under Brazilian law (5.615/70) -- is directed
> exclusively to its addressee and may contain confidential data, protected
> under professional secrecy rules. Its unauthorized use is illegal and may
> subject the transgressor to the law's penalties. If you're not the
> addressee, please send it back, elucidating the failure."
>
>
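The advisory's first precaution (the Zope and ZEO services should be able to write only to log and data directories) is the one that can be checked mechanically. What follows is an added example written for this page; it is not code from the Plone project or from the advisory. It walks a buildout tree and reports every file or directory the service account could write to outside an allow-list of log and data directories, then runs itself against a constructed sample tree that deliberately leaves products/ writable. The allow-list (var/log, var/filestorage, var/blobstorage), the sample layout, and the choice to treat the current user as the service account are assumptions; the check reads only classic permission bits, so POSIX ACLs, root's override of those bits, and symlink targets need a separate look.

```python
import os
import shutil
import stat
import tempfile

# Assumed buildout layout (hypothetical, not taken from the advisory): relative
# to the buildout root, only these directories may be writable by the Zope/ZEO
# service account. Adjust the tuple to your own site's layout.
DEFAULT_WRITABLE = ("var/log", "var/filestorage", "var/blobstorage")


def writable_by(st, uid, gid):
    """True if an account with this uid/gid could write to a path with stat
    result st. Reads the classic mode bits only; ACLs are out of scope."""
    mode = st.st_mode
    if st.st_uid == uid and mode & stat.S_IWUSR:
        return True
    if st.st_gid == gid and mode & stat.S_IWGRP:
        return True
    return bool(mode & stat.S_IWOTH)


def audit_buildout(root, uid, gid, writable=DEFAULT_WRITABLE):
    """Return sorted root-relative paths (files and directories) the service
    account could write to outside the allow-listed directories. Directories
    count: a writable products/ or eggs/ lets an intruder drop new code."""
    root = os.path.abspath(root)
    allowed = {os.path.join(root, w) for w in writable}
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Do not descend into the allow-listed directories at all.
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in allowed]
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink mode bits mean nothing; audit the target instead
            if writable_by(st, uid, gid):
                findings.append(os.path.relpath(path, root))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample (not a real site): a buildout-like tree under a
    temporary directory with one deliberate mistake, a writable products/."""
    root = tempfile.mkdtemp(prefix="plone-audit-")
    files = {
        "bin/instance": 0o555,                  # launcher: read/execute only
        "parts/instance/etc/zope.conf": 0o444,  # configuration: read-only
        "products/README.txt": 0o444,
        "var/log/instance.log": 0o644,          # allow-listed: writable is expected
        "var/filestorage/Data.fs": 0o644,       # allow-listed: writable is expected
    }
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    dirs = {
        ".": 0o555, "bin": 0o555, "parts": 0o555, "parts/instance": 0o555,
        "parts/instance/etc": 0o555, "var": 0o555,
        "var/log": 0o755, "var/filestorage": 0o755,
        "products": 0o755,  # the mistake: the service user can drop a Product here
    }
    for rel, mode in dirs.items():
        os.chmod(os.path.join(root, rel), mode)
    return root


def remove_sample_tree(root):
    """Restore write permission so the read-only sample tree can be deleted."""
    for dirpath, _, _ in os.walk(root):
        os.chmod(dirpath, 0o700)
    shutil.rmtree(root)


def demo():
    """Audit the sample tree with the current user standing in for the service
    account, fix the mistake, audit again. Returns (before, after)."""
    uid, gid = os.getuid(), os.getgid()
    root = build_sample_tree()
    try:
        before = audit_buildout(root, uid, gid)
        os.chmod(os.path.join(root, "products"), 0o555)
        after = audit_buildout(root, uid, gid)
    finally:
        remove_sample_tree(root)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("writable outside allow-list before fix:", before)
    print("writable outside allow-list after fix: ", after)
```

On a real site you would run this as root against the buildout root, passing the uid and gid of the account the instance actually runs as (for example from pwd.getpwnam), and feed the resulting list to your change-monitoring baseline so the second precaution in the advisory, detecting unauthorized changes, starts from a known-good state.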


More information about the PloneGov-BR mailing list