[plonegov-br] Security vulnerability announcement: 20130611 - Multiple vectors

Charles Henrique thyarles at gmail.com
Wed Jun 5 11:28:31 BRT 2013


Yeah... unfortunately that's not on Google.

But if you want to find it, search a bit more ;)
--
Charles Henrique


On Wed, Jun 5, 2013 at 11:19 AM, Rafael Bruno Cavalhero de Oliveira
<rafael-bruno.oliveira at serpro.gov.br> wrote:
> Sorry, but I couldn't find any reference to flaws introduced deliberately
> into that software. Could you send a link to a news story on the
> subject?
>
> Rafael Oliveira - #31-7108
> SERPRO/SUPDE/DEBHE/DE6WE
>
> On 05/06/2013 at 11:10, plonegov-br at listas.interlegis.gov.br wrote:
>
> www.zenoss.org
> --
> Charles Henrique
>
>
> On Wed, Jun 5, 2013 at 10:16 AM, Rafael Bruno Cavalhero de Oliveira
> <rafael-bruno.oliveira at serpro.gov.br> wrote:
>> Charles,
>>
>> I got curious: in which "open source" software have you seen deliberate
>> flaws being introduced?
>>
>> Regards,
>>
>> Rafael Oliveira - #31-7108
>> SERPRO/SUPDE/DEBHE/DE6WE
>>
>> On 04/06/2013 at 18:51, plonegov-br at listas.interlegis.gov.br
>> wrote:
>>
>> Not as unfortunate as the act, if the comment is true.
>>
>> I've seen this in other open source projects... who can say whether or
>> not it happens in Plone?
>> --
>> Charles Henrique
>>
>>
>> On Tue, Jun 4, 2013 at 5:24 PM, Luís Flávio Loreto da Rocha
>> <luis.rocha at ebc.com.br> wrote:
>>> Wow, what an unfortunate comment!
>>>
>>>
>>> Luis Flávio Loreto da Rocha
>>> Digital Projects Coordinator
>>> Creative Department - DICAP
>>> EBC - Empresa Brasil de Comunicação
>>> (61) 3799-5437
>>>
>>> ----- Original message -----
>>>> From: "Charles Henrique" <charleshenrique at pgr.mpf.gov.br>
>>>> To: "Comunidade Plone no Governo"
>>>> <plonegov-br at listas.interlegis.gov.br>
>>>> Sent: Tuesday, June 4, 2013 14:18:23
>>>> Subject: [plonegov-br] Security vulnerability announcement: 20130611 -
>>>> Multiple vectors
>>>> Dear all,
>>>>
>>>> Yet another fix for a serious vulnerability, scheduled for 11/6/2013,
>>>> and affecting all Plone versions. I'm starting to think these flaws
>>>> are deliberate, since the message contains guidance on where to hire
>>>> specialized consulting in case the company doesn't have a Plone ninja.
>>>> Maybe the core developers aren't as well-intentioned as we think.
>>>>
>>>>
>>>> Regards,
>>>>
>>>> Charles Henrique G. Santos
>>>> Procuradoria Geral da República
>>>> Ministério Público Federal
>>>> (61) 3105-6795
>>>>
>>>> "A clean environment is not the one that gets cleaned the most,
>>>> but the one that gets dirtied the least."
>>>>
>>>> -------- Original message --------
>>>> Subject: Security vulnerability announcement: 20130611 - Multiple
>>>> vectors
>>>> Date: Fri, 31 May 2013 10:26:24 GMT
>>>> From: <Matthew Wilkes>
>>>>
>>>> Security vulnerability announcement: 20130611 - Multiple vectors
>>>>
>>>> CVE numbers not yet issued.
>>>>
>>>> Versions Affected: All current Plone versions.
>>>>
>>>> Versions Not Affected: None.
>>>>
>>>> This is a pre-announcement. Due to the severity of some of these
>>>> issues, we are providing an advance warning of an upcoming patch. The
>>>> patch will be released on this page at 2013-06-11 15:00 UTC.
>>>>
>>>> What You Should Do in Advance of Patch Availability
>>>>
>>>>
>>>> Due to the nature of the vulnerability, the security team has decided
>>>> to pre-announce that a fix is upcoming before disclosing the details.
>>>> This is to ensure that concerned users can plan around the release. As
>>>> the fix being published will make the details of the vulnerability
>>>> public, we are recommending that all users plan a maintenance window
>>>> for the 60 minutes following the announcement in which to install the
>>>> fix.
>>>>
>>>> Meanwhile, we STRONGLY recommend that you take the following steps to
>>>> protect your site:
>>>>
>>>> 1. Make sure that the Zope/Plone service is running with minimum
>>>> privileges. Ideally, the Zope and ZEO services should be able to write
>>>> only to log and data directories.
>>>> 2. Use an intrusion detection system that monitors key system
>>>> resources for unauthorized changes.
>>>> 3. Monitor your Zope, reverse-proxy request and system logs for
>>>> unusual activity.
>>>>
>>>>
>>>> These are standard precautions that should be employed on any
>>>> production system.
>>>>
>>>> Extra Help
>>>>
>>>>
>>>> Should you not have in-house server administrators or a service
>>>> agreement looking after your website, you can find consulting
>>>> companies on plone.net.
>>>>
>>>> There is also free support available online via Plone mailing lists
>>>> and the Plone IRC channels.
>>>>
>>>> Q: When will the patch be made available?
>>>> A: The Plone Security Team will release the patch at 2013-06-11 15:00
>>>> UTC.
>>>>
>>>> Q. What will be involved in applying the patch?
>>>> A. Patches are made available as tarball-style archives that may be
>>>> unpacked into the products folder of a buildout installation and as
>>>> Python packages that may be installed by editing a buildout
>>>> configuration file and running buildout. Patching is generally easy
>>>> and quick to accomplish.
>>>>
>>>> Q: How were these vulnerabilities found?
>>>> A: The majority of issues were found as part of audits performed by
>>>> the Plone Security team. A subset were reported by users. More details
>>>> will be available upon release of the patch.
>>>>
>>>> Q: My site is highly visible and mission-critical. I hear the patch
>>>> has already been developed. Can I get the fix before the release date?
>>>> A: No. The patch will be made available to all users at the same
>>>> time. There are no exceptions.
>>>>
>>>> Q: If the patch has been developed already, why isn't it made
>>>> available to the public now?
>>>> A: The Security Team is still testing the patch and running various
>>>> scenarios thoroughly. The team is also making sure everybody has
>>>> appropriate time to plan to patch their Plone installation(s). Some
>>>> consultancy organizations have hundreds of sites to patch and need the
>>>> extra time to coordinate their efforts with their clients.
>>>>
>>>> Q: How does one exploit the vulnerability?
>>>> A: This information will not be made public until after the patch is
>>>> made available.
>>>>
>>>> General questions about this announcement, Plone patching procedures,
>>>> and availability of support may be addressed to the Plone support
>>>> forums. If you have specific questions about this vulnerability or
>>>> its handling, contact the Plone Security Team.
>>>>
>>>> To report potentially security-related issues, e-mail the Plone
>>>> Security Team at security at plone.org. We are always happy to credit
>>>> individuals and companies who make responsible disclosures.
>>>>
>>>> Information for Vulnerability Database Maintainers
>>>>
>>>>
>>>> We will issue individual advice on each issue, including CVSS2 and CWE
>>>> identifiers when the patch is released. We currently do not have CVE
>>>> numbers assigned, but are in the process of applying.
>>>>
>>>>
>>>> _______________________________________________
>>>> Comunidade Plone no Governo
>>>> Site: www.softwarelivre.gov.br/plone
>>>> Wiki: colab.interlegis.leg.br/wiki/PloneGovBr
>>>> Lista: listas.interlegis.gov.br/mailman/listinfo/plonegov-br
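The advisory's first precaution (the Zope/ZEO service account should be able to write only to the log and data directories) is easy to state and easy to drift away from after a few deployments. The script below is an added example, not part of this thread or of Plone's own tooling; it assumes the usual buildout layout, with the writable directories at var/log, var/filestorage and var/blobstorage, and takes the service account's user and (optionally) group names as arguments.

```shell
#!/bin/sh
# Added example, not part of the thread or of Plone's own tooling.
# Audits a Plone buildout tree against the advisory's first precaution:
# the service account should be able to write only to the log and data
# directories. Assumes the usual buildout layout (var/log,
# var/filestorage, var/blobstorage); adjust ALLOWED_WRITABLE otherwise.
ALLOWED_WRITABLE="var/log var/filestorage var/blobstorage"

# find_unexpected_writable BUILDOUT_DIR SERVICE_USER [SERVICE_GROUP]
# Prints, sorted, every path under BUILDOUT_DIR outside the allowed
# directories that the service account could modify: owned by the user
# with the owner-write bit, owned by the group with the group-write bit,
# or world-writable. Returns 1 if anything was found, 0 if the tree is
# clean, 2 if BUILDOUT_DIR does not exist. The check is purely mode and
# ownership based, so it can run as root without the service account.
find_unexpected_writable() {
    dir=${1%/}
    user=$2
    grp=${3:-$2}
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    # Assemble the prune expression: -path A -o -path B -o ...
    set --
    for rel in $ALLOWED_WRITABLE; do
        if [ $# -eq 0 ]; then
            set -- -path "$dir/$rel"
        else
            set -- "$@" -o -path "$dir/$rel"
        fi
    done
    findings=$(find "$dir" -mindepth 1 \( "$@" \) -prune -o \
        \( \( -user "$user" -perm -200 \) \
        -o \( -group "$grp" -perm -020 \) \
        -o -perm -002 \) -print | sort)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Typical use from cron or a deployment check (hypothetical path and
# account name):
#   find_unexpected_writable /opt/plone/zinstance plone || echo "review!"
```

Anything the script lists is a place where a compromised Zope process could persist changes outside its data; a non-empty result is worth a ticket, not just a log line.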


More information about the PloneGov-BR mailing list