[plonegov-br] Security vulnerability announcement: 20130611 - Multiple vectors

Charles Henrique thyarles em gmail.com
Wed Jun 5 11:39:41 BRT 2013


That's right. You understood correctly.
--
Charles Henrique


On Wed, Jun 5, 2013 at 11:38 AM, Rafael Bruno Cavalhero de Oliveira
<rafael-bruno.oliveira em serpro.gov.br> wrote:
> Charles,
>
> Just to confirm that I understood correctly. You are stating that:
>
> 1. At some point the Zenoss developers deliberately introduced a flaw
> into the software.
> 2. That information cannot be found on Google, so it is not public
> information.
>
> Is that it?
>
> Rafael Oliveira - #31-7108
> SERPRO/SUPDE/DEBHE/DE6WE
>
> On 05/06/2013 at 11:29, plonegov-br em listas.interlegis.gov.br wrote:
>
> Yeah... unfortunately that is not on Google.
>
> But if you want to find it, keep looking a bit more ;)
> --
> Charles Henrique
>
>
> On Wed, Jun 5, 2013 at 11:19 AM, Rafael Bruno Cavalhero de Oliveira
> <rafael-bruno.oliveira em serpro.gov.br> wrote:
>> Sorry, but I could not find any reference to flaws deliberately
>> introduced into that software. Could you send a link to a news article
>> on the subject?
>>
>> Rafael Oliveira - #31-7108
>> SERPRO/SUPDE/DEBHE/DE6WE
>>
>> On 05/06/2013 at 11:10, plonegov-br em listas.interlegis.gov.br
>> wrote:
>>
>> www.zenoss.org
>> --
>> Charles Henrique
>>
>>
>> On Wed, Jun 5, 2013 at 10:16 AM, Rafael Bruno Cavalhero de Oliveira
>> <rafael-bruno.oliveira em serpro.gov.br> wrote:
>>> Charles,
>>>
>>> I got curious: in which "open source" project have you seen deliberate
>>> flaws being introduced?
>>>
>>> Regards,
>>>
>>> Rafael Oliveira - #31-7108
>>> SERPRO/SUPDE/DEBHE/DE6WE
>>>
>>> On 04/06/2013 at 18:51, plonegov-br em listas.interlegis.gov.br
>>> wrote:
>>>
>>> Not as unfortunate as the act, if the comment is true.
>>>
>>> I have seen this in other open source projects... who can say whether
>>> it happens in Plone or not?
>>> --
>>> Charles Henrique
>>>
>>>
>>> On Tue, Jun 4, 2013 at 5:24 PM, Luís Flávio Loreto da Rocha
>>> <luis.rocha em ebc.com.br> wrote:
>>>> Wow, what an unfortunate comment!
>>>>
>>>>
>>>> Luis Flávio Loreto da Rocha
>>>> Digital Projects Coordinator
>>>> Creative Management - DICAP
>>>> EBC - Empresa Brasil de Comunicação
>>>> (61) 3799-5437
>>>>
>>>> ----- Original message -----
>>>>> From: "Charles Henrique" <charleshenrique em pgr.mpf.gov.br>
>>>>> To: "Comunidade Plone no Governo"
>>>>> <plonegov-br em listas.interlegis.gov.br>
>>>>> Sent: Tuesday, June 4, 2013 14:18:23
>>>>> Subject: [plonegov-br] Security vulnerability announcement: 20130611 -
>>>>> Multiple vectors
>>>>>
>>>>> Dear all,
>>>>>
>>>>> Yet another fix for a serious vulnerability, scheduled for 11/6/2013,
>>>>> which affects every version of Plone. I am starting to think these
>>>>> flaws are deliberate, because the message includes guidance on where
>>>>> to hire specialized consulting in case the company does not have a
>>>>> Plone ninja. Maybe the core developers are not as well-intentioned as
>>>>> we think.
>>>>>
>>>>>
>>>>> Best regards,
>>>>>
>>>>> Charles Henrique G. Santos
>>>>> Procuradoria Geral da República
>>>>> Ministério Público Federal
>>>>> (61) 3105-6795
>>>>>
>>>>> "A clean environment is not the one that is cleaned the most,
>>>>> but the one that is dirtied the least."
>>>>>
>>>>> -------- Original message --------
>>>>> Subject: Security vulnerability announcement: 20130611 - Multiple
>>>>> vectors
>>>>> Date: Fri, 31 May 2013 10:26:24 GMT
>>>>> From: <Matthew Wilkes>
>>>>>
>>>>> Security vulnerability announcement: 20130611 - Multiple vectors
>>>>>
>>>>> CVE numbers not yet issued.
>>>>>
>>>>> Versions Affected: All current Plone versions.
>>>>>
>>>>> Versions Not Affected: None.
>>>>>
>>>>> This is a pre-announcement. Due to the severity of some of these
>>>>> issues, we are providing an advance warning of an upcoming patch. The
>>>>> patch will be released on this page at 2013-06-11 15:00 UTC.
>>>>>
>>>>> What You Should Do in Advance of Patch Availability
>>>>>
>>>>> Due to the nature of the vulnerability, the security team has decided
>>>>> to pre-announce that a fix is upcoming before disclosing the details.
>>>>> This is to ensure that concerned users can plan around the release. As
>>>>> the fix being published will make the details of the vulnerability
>>>>> public, we are recommending that all users plan a maintenance window
>>>>> for the 60 minutes following the announcement in which to install the
>>>>> fix.
>>>>>
>>>>> Meanwhile, we STRONGLY recommend that you take the following steps to
>>>>> protect your site:
>>>>>
>>>>> 1. Make sure that the Zope/Plone service is running with minimum
>>>>> privileges. Ideally, the Zope and ZEO services should be able to write
>>>>> only to log and data directories.
>>>>> 2. Use an intrusion detection system that monitors key system
>>>>> resources for unauthorized changes.
>>>>> 3. Monitor your Zope, reverse-proxy request and system logs for
>>>>> unusual activity.
>>>>>
>>>>>
>>>>> These are standard precautions that should be employed on any
>>>>> production system.
>>>>>
>>>>> Extra Help
>>>>>
>>>>> Should you not have in-house server administrators or a service
>>>>> agreement looking after your website, you can find consulting
>>>>> companies on plone.net.
>>>>>
>>>>> There is also free support available online via Plone mailing lists
>>>>> and the Plone IRC channels.
>>>>>
>>>>> Q: When will the patch be made available?
>>>>> A: The Plone Security Team will release the patch at 2013-06-11 15:00
>>>>> UTC.
>>>>>
>>>>> Q. What will be involved in applying the patch?
>>>>> A. Patches are made available as tarball-style archives that may be
>>>>> unpacked into the products folder of a buildout installation and as
>>>>> Python packages that may be installed by editing a buildout
>>>>> configuration file and running buildout. Patching is generally easy
>>>>> and quick to accomplish.
>>>>>
>>>>> Q: How were these vulnerabilities found?
>>>>> A: The majority of issues were found as part of audits performed by
>>>>> the Plone Security team. A subset were reported by users. More details
>>>>> will be available upon release of the patch.
>>>>>
>>>>> Q: My site is highly visible and mission-critical. I hear the patch
>>>>> has already been developed. Can I get the fix before the release date?
>>>>> A: No. The patch will be made available to all users at the same
>>>>> time. There are no exceptions.
>>>>>
>>>>> Q: If the patch has been developed already, why isn't it made
>>>>> available to the public now?
>>>>> A: The Security Team is still testing the patch and running various
>>>>> scenarios thoroughly. The team is also making sure everybody has
>>>>> appropriate time to plan to patch their Plone installation(s). Some
>>>>> consultancy organizations have hundreds of sites to patch and need the
>>>>> extra time to coordinate their efforts with their clients.
>>>>>
>>>>> Q: How does one exploit the vulnerability?
>>>>> A: This information will not be made public until after the patch is
>>>>> made available.
>>>>>
>>>>> General questions about this announcement, Plone patching procedures,
>>>>> and availability of support may be addressed to the Plone support
>>>>> forums. If you have specific questions about this vulnerability or
>>>>> its handling, contact the Plone Security Team.
>>>>>
>>>>> To report potentially security-related issues, e-mail the Plone
>>>>> Security Team at security em plone.org. We are always happy to credit
>>>>> individuals and companies who make responsible disclosures.
>>>>>
>>>>> Information for Vulnerability Database Maintainers
>>>>>
>>>>> We will issue individual advice on each issue, including CVSS2 and CWE
>>>>> identifiers when the patch is released. We currently do not have CVE
>>>>> numbers assigned, but are in the process of applying.
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Comunidade Plone no Governo
>>>>> Site: www.softwarelivre.gov.br/plone
>>>>> Wiki: colab.interlegis.leg.br/wiki/PloneGovBr
>>>>> Lista: listas.interlegis.gov.br/mailman/listinfo/plonegov-br
>>>
>>> -
>>>
>>>
>>> "This message from SERVIÇO FEDERAL DE PROCESSAMENTO DE DADOS (SERPRO) --
>>> a government company established under Brazilian law (5.615/70) -- is
>>> directed exclusively to its addressee and may contain confidential data,
>>> protected under professional secrecy rules. Its unauthorized use is
>>> illegal and may subject the transgressor to the law's penalties. If
>>> you're not the addressee, please send it back, elucidating the failure."
>>>
>>>
>>
>
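The interim mitigations in the forwarded advisory (run Zope/ZEO with minimum privileges so they can write only to log and data directories, and detect unauthorized changes to key resources) can be partly automated. The script below is an added example and is not code from the advisory, from the Plone project or from anyone in this thread. It assumes a buildout-style layout in which only `var/log`, `var/filestorage` and `var/blobstorage` stay writable (the names in `ALLOWED_WRITABLE` are this example's assumption), builds a SHA-256 baseline of every other file, reports files added, removed or modified since the baseline, and lists directories the service account could write to outside the allowed set. `demo()` constructs a small sample tree in a temporary directory, locks it down, then tampers with it so both checks have something to report.

```python
# Added example (not from the advisory or the Plone project): two checks that
# correspond to interim mitigations 1 and 2 in the pre-announcement.
import hashlib
import os
import shutil
import stat
import tempfile
from pathlib import Path

# Assumed buildout layout: the service writes only to its log and data
# directories; bin/, parts/, products/ and the like stay read-only.
ALLOWED_WRITABLE = ("var/log", "var/filestorage", "var/blobstorage")


def _under(rel: str, prefixes) -> bool:
    """True if the relative path is one of the prefixes or lies below one."""
    return any(rel == p or rel.startswith(p + "/") for p in prefixes)


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file's content, read in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path, skip=ALLOWED_WRITABLE) -> dict:
    """Relative path -> SHA-256 for every file outside the log/data dirs."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if not _under(rel, skip):
            baseline[rel] = sha256_of(path)
    return baseline


def compare_baseline(root: Path, baseline: dict, skip=ALLOWED_WRITABLE) -> dict:
    """Files added, removed or modified since the baseline was taken."""
    current = build_baseline(root, skip)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
    }


def writable_outside_allowed(root: Path, uid: int, gid: int, allowed=ALLOWED_WRITABLE) -> list:
    """Directories the service account (uid/gid) may write to outside the allowed set.

    Decided from ownership and mode bits, so it can be run by any account.
    """
    findings = []
    for path in sorted(p for p in [root, *root.rglob("*")] if p.is_dir()):
        rel = path.relative_to(root).as_posix()
        if rel != "." and _under(rel, allowed):
            continue
        st = path.stat()
        writable = (
            (st.st_uid == uid and st.st_mode & stat.S_IWUSR)
            or (st.st_gid == gid and st.st_mode & stat.S_IWGRP)
            or st.st_mode & stat.S_IWOTH
        )
        if writable:
            findings.append(rel)
    return findings


def demo() -> dict:
    """Constructed buildout-like tree: lock it down, baseline it, then tamper."""
    root = Path(tempfile.mkdtemp(prefix="plone-check-"))
    uid, gid = os.getuid(), os.getgid()
    try:
        for d in ("bin", "parts/instance", "products", "var/log", "var/filestorage"):
            (root / d).mkdir(parents=True)
        (root / "bin/instance").write_text("#!/bin/sh\necho instance\n")
        (root / "parts/instance/zope.conf").write_text("instancehome $INSTANCE\n")
        (root / "var/log/instance.log").write_text("2013-06-05 constructed log line\n")
        # Mitigation 1: only var/* stays writable for the service account.
        for d in ("bin", "parts/instance", "parts", "products", "var", "."):
            os.chmod(root / d, 0o555)
        baseline = build_baseline(root)
        clean = writable_outside_allowed(root, uid, gid)
        # Mitigation 2 scenario: code dirs reopened for writing, a file dropped
        # into products/ and the instance configuration altered.
        os.chmod(root / "products", 0o755)
        (root / "products/Dropped.py").write_text("# unexpected file\n")
        os.chmod(root / "parts/instance", 0o755)
        (root / "parts/instance/zope.conf").write_text("instancehome $INSTANCE\ndebug-mode on\n")
        return {
            "writable_before": clean,
            "changes": compare_baseline(root, baseline),
            "writable_after": writable_outside_allowed(root, uid, gid),
        }
    finally:
        for p in [root, *root.rglob("*")]:
            if p.is_dir():
                os.chmod(p, 0o755)
        shutil.rmtree(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On a real installation you would store the baseline outside the buildout tree (ideally on another host), take it right after patching, and run the comparison from cron; any directory reported by `writable_outside_allowed` for the Zope service account is a place where a compromised process could persist code and deserves a permissions fix.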


More information about the PloneGov-BR mailing list