[plonegov-br] Security vulnerability announcement: 20130611 - Multiple vectors

Leonardo Rocha leonardorochajr at gmail.com
Wed Jun 5 11:23:29 BRT 2013


What our colleague said is absolutely true; there is a lot of open source software
that is handled this way. Only those who work with it know this.

If it is necessary to prove what you are saying, I think it would be a good idea to start
working with the software in question and clear up the relevant doubts.


2013/6/5 Rafael Bruno Cavalhero de Oliveira <rafael-bruno.oliveira at serpro.gov.br>

> Sorry, but I could not find any reference to flaws deliberately introduced
> into this software. Could you send a link to a news story on the
> subject?
>
>
> Rafael Oliveira - #31-7108
> SERPRO/SUPDE/DEBHE/DE6WE
>
> On 05/06/2013 at 11:10, plonegov-br at listas.interlegis.gov.br wrote:
>
> www.zenoss.org
> --
> Charles Henrique
>
>
> On Wed, Jun 5, 2013 at 10:16 AM, Rafael Bruno Cavalhero de Oliveira
> <rafael-bruno.oliveira at serpro.gov.br> wrote:
> > Charles,
> >
> > I'm curious: in which "open source" software have you seen deliberate flaws
> > being introduced?
> >
> > Regards,
> >
> > Rafael Oliveira - #31-7108
> > SERPRO/SUPDE/DEBHE/DE6WE
> >
> > On 04/06/2013 at 18:51, plonegov-br at listas.interlegis.gov.br wrote:
> >
> > Not as unfortunate as the act, if the comment is true.
> >
> > I have seen this in other open source projects... who can say whether
> > or not it happens in Plone?
> > --
> > Charles Henrique
> >
> >
> > On Tue, Jun 4, 2013 at 5:24 PM, Luís Flávio Loreto da Rocha
> > <luis.rocha at ebc.com.br> wrote:
> >> Wow, what an unfortunate comment!
> >>
> >>
> >> Luis Flávio Loreto da Rocha
> >> Digital Projects Coordinator
> >> Creative Department - DICAP
> >> EBC - Empresa Brasil de Comunicação
> >> (61) 3799-5437
> >>
> >> ----- Original Message -----
> >>> From: "Charles Henrique" <charleshenrique at pgr.mpf.gov.br>
> >>> To: "Comunidade Plone no Governo"
> >>> <plonegov-br at listas.interlegis.gov.br>
> >>> Sent: Tuesday, June 4, 2013 14:18:23
> >>> Subject: [plonegov-br] Security vulnerability announcement: 20130611 -
> >>> Multiple vectors
> >>>
> >>> Dear all,
> >>>
> >>> Yet another fix for a serious vulnerability, scheduled for 11/6/2013,
> >>> affecting all versions of Plone. I am starting to think that such
> >>> flaws are deliberate, because the message contains guidance on where
> >>> to hire specialized consulting in case the company does not have a
> >>> Plone ninja. Perhaps the core developers are not as well intentioned
> >>> as we think.
> >>>
> >>>
> >>> Best regards,
> >>>
> >>> Charles Henrique G. Santos
> >>> Procuradoria Geral da República
> >>> Ministério Público Federal
> >>> (61) 3105-6795
> >>>
> >>> "A clean environment is not the one that gets cleaned the most,
> >>> but the one that gets dirtied the least."
> >>>
> >>> -------- Original Message --------
> >>> Subject: Security vulnerability announcement: 20130611 - Multiple
> >>> vectors
> >>> Date: Fri, 31 May 2013 10:26:24 GMT
> >>> From: <Matthew Wilkes>
> >>>
> >>> Security vulnerability announcement: 20130611 - Multiple vectors
> >>>
> >>> CVE numbers not yet issued.
> >>>
> >>> Versions Affected: All current Plone versions.
> >>>
> >>> Versions Not Affected: None.
> >>>
> >>> This is a pre-announcement. Due to the severity of some of these
> >>> issues, we are providing an advance warning of an upcoming patch. The
> >>> patch will be released on this page at 2013-06-11 15:00 UTC.
> >>>
> >>> What You Should Do in Advance of Patch Availability
> >>>
> >>>
> >>> Due to the nature of the vulnerability, the security team has decided
> >>> to pre-announce that a fix is upcoming before disclosing the details.
> >>> This is to ensure that concerned users can plan around the release. As
> >>> the fix being published will make the details of the vulnerability
> >>> public, we are recommending that all users plan a maintenance window
> >>> for the 60 minutes following the announcement in which to install the
> >>> fix.
> >>>
> >>> Meanwhile, we STRONGLY recommend that you take the following steps to
> >>> protect your site:
> >>>
> >>> 1. Make sure that the Zope/Plone service is running with minimum
> >>> privileges. Ideally, the Zope and ZEO services should be able to write
> >>> only to log and data directories.
> >>> 2. Use an intrusion detection system that monitors key system
> >>> resources for unauthorized changes.
> >>> 3. Monitor your Zope, reverse-proxy request and system logs for
> >>> unusual activity.
> >>>
> >>>
> >>> These are standard precautions that should be employed on any
> >>> production system.
> >>>
> >>> Extra Help
> >>>
> >>>
> >>> Should you not have in-house server administrators or a service
> >>> agreement looking after your website, you can find consulting
> >>> companies on plone.net.
> >>>
> >>> There is also free support available online via Plone mailing lists
> >>> and the Plone IRC channels.
> >>>
> >>> Q: When will the patch be made available?
> >>> A: The Plone Security Team will release the patch at 2013-06-11 15:00
> >>> UTC.
> >>>
> >>> Q. What will be involved in applying the patch?
> >>> A. Patches are made available as tarball-style archives that may be
> >>> unpacked into the products folder of a buildout installation and as
> >>> Python packages that may be installed by editing a buildout
> >>> configuration file and running buildout. Patching is generally easy
> >>> and quick to accomplish.
> >>>
> >>> Q: How were these vulnerabilities found?
> >>> A: The majority of issues were found as part of audits performed by
> >>> the Plone Security team. A subset were reported by users. More details
> >>> will be available upon release of the patch.
> >>>
> >>> Q: My site is highly visible and mission-critical. I hear the patch
> >>> has already been developed. Can I get the fix before the release date?
> >>> A: No. The patch will be made available to all users at the same
> >>> time. There are no exceptions.
> >>>
> >>> Q: If the patch has been developed already, why isn't it made
> >>> available to the public now?
> >>> A: The Security Team is still testing the patch and running various
> >>> scenarios thoroughly. The team is also making sure everybody has
> >>> appropriate time to plan to patch their Plone installation(s). Some
> >>> consultancy organizations have hundreds of sites to patch and need the
> >>> extra time to coordinate their efforts with their clients.
> >>>
> >>> Q: How does one exploit the vulnerability?
> >>> A: This information will not be made public until after the patch is
> >>> made available.
> >>>
> >>> General questions about this announcement, Plone patching procedures,
> >>> and availability of support may be addressed to the Plone support
> >>> forums. If you have specific questions about this vulnerability or
> >>> its handling, contact the Plone Security Team.
> >>>
> >>> To report potentially security-related issues, e-mail the Plone
> >>> Security Team at security at plone.org. We are always happy to credit
> >>> individuals and companies who make responsible disclosures.
> >>>
> >>> Information for Vulnerability Database Maintainers
> >>>
> >>>
> >>> We will issue individual advice on each issue, including CVSS2 and CWE
> >>> identifiers when the patch is released. We currently do not have CVE
> >>> numbers assigned, but are in the process of applying.
> >>>
> >>>
> >>> _______________________________________________
> >>> Comunidade Plone no Governo
> >>> Site: www.softwarelivre.gov.br/plone
> >>> Wiki: colab.interlegis.leg.br/wiki/PloneGovBr
> >>> Lista: listas.interlegis.gov.br/mailman/listinfo/plonegov-br
> > "This message from SERVIÇO FEDERAL DE PROCESSAMENTO DE DADOS (SERPRO) -- a
> > government company established under Brazilian law (5.615/70) -- is directed
> > exclusively to its addressee and may contain confidential data, protected
> > under professional secrecy rules. Its unauthorized use is illegal and may
> > subject the transgressor to the law's penalties. If you're not the
> > addressee, please send it back, elucidating the failure."
> >
> >
>
>
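The three precautions in the forwarded advisory (minimum privileges, change monitoring, log review) are given as prose only. The script below is an added example, not code from this thread or from the Plone project, that turns the first of them into a check you can run against a buildout: it walks the installation and reports every entry the service account could write outside the directories Zope and ZEO need (assumed here to be var/log, var/filestorage, var/blobstorage and var/instance; adjust the list to your layout), plus every required directory it cannot write to. The synthetic service uid/gid and the sample tree with its two planted mistakes are constructed for the demonstration.

```python
"""Audit a Plone/Zope buildout tree for write access by the service account.

Added example for the advisory's first precaution (run Zope/ZEO with minimum
privileges, writing only to log and data directories). The allowed-directory
list, the service uid/gids and the sample tree are assumptions constructed
for this demonstration, not Plone defaults or Plone project code.
"""
import os
import stat
import tempfile

# Buildout-relative directories the service account legitimately writes to.
# Assumed layout of a common buildout; adjust to your own installation.
DEFAULT_WRITABLE = ("var/log", "var/filestorage", "var/blobstorage", "var/instance")


def writable_by(st, uid, gids):
    """Reproduce the POSIX mode-bit check: can uid (member of gids) write to st?"""
    if uid == 0:
        return True  # root is not subject to mode bits
    mode = st.st_mode
    if st.st_uid == uid:
        return bool(mode & stat.S_IWUSR)  # owner class only, even if group bits are wider
    if st.st_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def _under(rel, prefixes):
    return any(rel == p or rel.startswith(p + "/") for p in prefixes)


def audit_buildout(root, uid, gids, allowed=DEFAULT_WRITABLE):
    """Return (unexpected, missing), both sorted lists of buildout-relative paths.

    unexpected: entries the service account can write outside `allowed`
                (code, eggs, scripts: a compromised Zope could plant persistence).
    missing:    allowed directories the service account cannot write to
                (Zope would fail to log or store data there).
    """
    unexpected, missing = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        for full in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue  # permissions live on the target, which walk() does not follow
            can_write = writable_by(st, uid, gids)
            if _under(rel, allowed):
                if stat.S_ISDIR(st.st_mode) and not can_write:
                    missing.append(rel)
            elif can_write:
                unexpected.append(rel)  # includes "." if the buildout root itself is writable
    return sorted(unexpected), sorted(missing)


def build_sample_tree():
    """Constructed buildout layout with two planted mistakes; returns its root."""
    root = tempfile.mkdtemp(prefix="plone-audit-")
    dirs = {
        "bin": 0o755, "eggs": 0o755, "products": 0o755,
        "parts": 0o755, "parts/instance": 0o777,   # mistake: world-writable generated config
        "var": 0o755, "var/log": 0o775, "var/filestorage": 0o775,
        "var/blobstorage": 0o775, "var/instance": 0o775,
    }
    files = {
        "bin/instance": 0o775,                      # mistake: group-writable start script
        "eggs/README.txt": 0o644, "products/README.txt": 0o644,
        "var/log/instance.log": 0o664, "var/filestorage/Data.fs": 0o664,
    }
    for rel, mode in dirs.items():                  # parents precede children in insertion order
        path = os.path.join(root, *rel.split("/"))
        os.mkdir(path)
        os.chmod(path, mode)
    for rel, mode in files.items():
        path = os.path.join(root, *rel.split("/"))
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
    return root


def sample_service_identity(root):
    """Synthetic service account: a uid that does not own the files, plus their group."""
    return os.getuid() + 1, {os.stat(os.path.join(root, "var", "log")).st_gid}


def demo():
    """Audit the constructed tree as the synthetic service account."""
    root = build_sample_tree()
    uid, gids = sample_service_identity(root)
    return audit_buildout(root, uid, gids)


if __name__ == "__main__":
    unexpected, missing = demo()
    for rel in unexpected:
        print("service can write outside data/log dirs:", rel)
    for rel in missing:
        print("service cannot write to required dir:", rel)
```

Run as a script it prints the two planted findings (the group-writable bin/instance and the world-writable parts/instance). Against a real installation, pass the buildout root and the uid and group ids the instance actually runs as (check the running process with ps); a non-empty first list is what the advisory's first recommendation tells you to eliminate before the patch lands, and a non-empty second list means the service would fail to log or store data.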