[plonegov-br] Security vulnerability announcement: 20130611 - Multiple vectors

Charles Henrique thyarles at gmail.com
Wed Jun 5 11:42:48 BRT 2013


Just to make it clearer:

http://www.zenoss.com = perfect, beautiful, wonderful... everything works
wonderfully well.

http://www.zenoss.org = install and test... download both, compare the
code. Be critical.
--
Charles Henrique


On Wed, Jun 5, 2013 at 11:39 AM, Charles Henrique <thyarles at gmail.com> wrote:
> That's it. You understood correctly.
> --
> Charles Henrique
>
>
> On Wed, Jun 5, 2013 at 11:38 AM, Rafael Bruno Cavalhero de Oliveira
> <rafael-bruno.oliveira at serpro.gov.br> wrote:
>> Charles,
>>
>> Just to confirm that I understood correctly. You are stating that:
>>
>> 1. At some point the Zenoss developers deliberately introduced a flaw
>> into the software.
>> 2. This information will not be found on Google. Therefore it is not
>> public information.
>>
>> Is that it?
>>
>> Rafael Oliveira - #31-7108
>> SERPRO/SUPDE/DEBHE/DE6WE
>>
>> On 05/06/2013 at 11:29, plonegov-br at listas.interlegis.gov.br wrote:
>>
>> Yes... unfortunately that is not on Google.
>>
>> But if you want to find it, search a little more ;)
>> --
>> Charles Henrique
>>
>>
>> On Wed, Jun 5, 2013 at 11:19 AM, Rafael Bruno Cavalhero de Oliveira
>> <rafael-bruno.oliveira at serpro.gov.br> wrote:
>>> Sorry, but I did not find any reference to flaws deliberately introduced
>>> into this software. Could you send a link to a news item on the
>>> subject?
>>>
>>> Rafael Oliveira - #31-7108
>>> SERPRO/SUPDE/DEBHE/DE6WE
>>>
>>> On 05/06/2013 at 11:10, plonegov-br at listas.interlegis.gov.br
>>> wrote:
>>>
>>> www.zenoss.org
>>> --
>>> Charles Henrique
>>>
>>>
>>> On Wed, Jun 5, 2013 at 10:16 AM, Rafael Bruno Cavalhero de Oliveira
>>> <rafael-bruno.oliveira at serpro.gov.br> wrote:
>>>> Charles,
>>>>
>>>> I am curious: in which "open source" project have you seen deliberate
>>>> flaws being
>>>> introduced?
>>>>
>>>> Regards,
>>>>
>>>> Rafael Oliveira - #31-7108
>>>> SERPRO/SUPDE/DEBHE/DE6WE
>>>>
>>>> On 04/06/2013 at 18:51, plonegov-br at listas.interlegis.gov.br
>>>> wrote:
>>>>
>>>> Not as unfortunate as the act, if the comment is true.
>>>>
>>>> I have already seen this in other open source projects... who can say
>>>> whether or not it happens in Plone?
>>>> --
>>>> Charles Henrique
>>>>
>>>>
>>>> On Tue, Jun 4, 2013 at 5:24 PM, Luís Flávio Loreto da Rocha
>>>> <luis.rocha at ebc.com.br> wrote:
>>>>> Wow, what an unfortunate comment!
>>>>>
>>>>>
>>>>> Luis Flávio Loreto da Rocha
>>>>> Digital Projects Coordinator
>>>>> Creative Management - DICAP
>>>>> EBC - Empresa Brasil de Comunicação
>>>>> (61) 3799-5437
>>>>>
>>>>> ----- Original Message -----
>>>>>> From: "Charles Henrique" <charleshenrique at pgr.mpf.gov.br>
>>>>>> To: "Comunidade Plone no Governo"
>>>>>> <plonegov-br at listas.interlegis.gov.br>
>>>>>> Sent: Tuesday, June 4, 2013 14:18:23
>>>>>> Subject: [plonegov-br] Security vulnerability announcement: 20130611 -
>>>>>> Multiple vectors
>>>>>> Dear all,
>>>>>>
>>>>>> Yet another fix for a serious vulnerability, scheduled for 11/6/2013,
>>>>>> which affects all versions of Plone. I am starting to think that
>>>>>> such flaws are deliberate, since the message contains guidance on
>>>>>> where to hire specialized consulting in case the company does not
>>>>>> have a Plone ninja. Perhaps the core developers are not as well
>>>>>> intentioned as we think.
>>>>>>
>>>>>>
>>>>>> Best regards,
>>>>>>
>>>>>> Charles Henrique G. Santos
>>>>>> Procuradoria Geral da República
>>>>>> Ministério Público Federal
>>>>>> (61) 3105-6795
>>>>>>
>>>>>> "A clean environment is not the one that gets cleaned the most,
>>>>>> but the one that gets dirtied the least."
>>>>>>
>>>>>> -------- Original Message --------
>>>>>> Subject: Security vulnerability announcement: 20130611 - Multiple
>>>>>> vectors
>>>>>> Date: Fri, 31 May 2013 10:26:24 GMT
>>>>>> From: <Matthew Wilkes>
>>>>>>
>>>>>> Security vulnerability announcement: 20130611 - Multiple vectors
>>>>>>
>>>>>> CVE numbers not yet issued.
>>>>>>
>>>>>> Versions Affected: All current Plone versions.
>>>>>>
>>>>>> Versions Not Affected: None.
>>>>>>
>>>>>> This is a pre-announcement. Due to the severity of some of these
>>>>>> issues, we are providing an advance warning of an upcoming patch. The
>>>>>> patch will be released on this page at 2013-06-11 15:00 UTC.
>>>>>>
>>>>>> What You Should Do in Advance of Patch Availability
>>>>>>
>>>>>>
>>>>>> Due to the nature of the vulnerability, the security team has decided
>>>>>> to pre-announce that a fix is upcoming before disclosing the details.
>>>>>> This is to ensure that concerned users can plan around the release. As
>>>>>> the fix being published will make the details of the vulnerability
>>>>>> public, we are recommending that all users plan a maintenance window
>>>>>> for the 60 minutes following the announcement in which to install the
>>>>>> fix.
>>>>>>
>>>>>> Meanwhile, we STRONGLY recommend that you take the following steps to
>>>>>> protect your site:
>>>>>>
>>>>>> 1. Make sure that the Zope/Plone service is running with minimum
>>>>>> privileges. Ideally, the Zope and ZEO services should be able to write
>>>>>> only to log and data directories.
>>>>>> 2. Use an intrusion detection system that monitors key system
>>>>>> resources for unauthorized changes.
>>>>>> 3. Monitor your Zope, reverse-proxy request and system logs for
>>>>>> unusual activity.
>>>>>>
>>>>>>
>>>>>> These are standard precautions that should be employed on any
>>>>>> production system.
>>>>>>
>>>>>> Extra Help
>>>>>>
>>>>>>
>>>>>> Should you not have in-house server administrators or a service
>>>>>> agreement looking after your website, you can find consulting
>>>>>> companies on plone.net.
>>>>>>
>>>>>> There is also free support available online via Plone mailing lists
>>>>>> and the Plone IRC channels.
>>>>>>
>>>>>> Q: When will the patch be made available?
>>>>>> A: The Plone Security Team will release the patch at 2013-06-11 15:00
>>>>>> UTC.
>>>>>>
>>>>>> Q. What will be involved in applying the patch?
>>>>>> A. Patches are made available as tarball-style archives that may be
>>>>>> unpacked into the products folder of a buildout installation and as
>>>>>> Python packages that may be installed by editing a buildout
>>>>>> configuration file and running buildout. Patching is generally easy
>>>>>> and quick to accomplish.
>>>>>>
>>>>>> Q: How were these vulnerabilities found?
>>>>>> A: The majority of issues were found as part of audits performed by
>>>>>> the Plone Security team. A subset were reported by users. More details
>>>>>> will be available upon release of the patch.
>>>>>>
>>>>>> Q: My site is highly visible and mission-critical. I hear the patch
>>>>>> has already been developed. Can I get the fix before the release date?
>>>>>> A: No. The patch will be made available to all users at the same
>>>>>> time. There are no exceptions.
>>>>>>
>>>>>> Q: If the patch has been developed already, why isn't it made
>>>>>> available to the public now?
>>>>>> A: The Security Team is still testing the patch and running various
>>>>>> scenarios thoroughly. The team is also making sure everybody has
>>>>>> appropriate time to plan to patch their Plone installation(s). Some
>>>>>> consultancy organizations have hundreds of sites to patch and need the
>>>>>> extra time to coordinate their efforts with their clients.
>>>>>>
>>>>>> Q: How does one exploit the vulnerability?
>>>>>> A: This information will not be made public until after the patch is
>>>>>> made available.
>>>>>>
>>>>>> General questions about this announcement, Plone patching procedures,
>>>>>> and availability of support may be addressed to the Plone support
>>>>>> forums. If you have specific questions about this vulnerability or
>>>>>> its handling, contact the Plone Security Team.
>>>>>>
>>>>>> To report potentially security-related issues, e-mail the Plone
>>>>>> Security Team at security at plone.org. We are always happy to credit
>>>>>> individuals and companies who make responsible disclosures.
>>>>>>
>>>>>> Information for Vulnerability Database Maintainers
>>>>>>
>>>>>>
>>>>>> We will issue individual advice on each issue, including CVSS2 and CWE
>>>>>> identifiers when the patch is released. We currently do not have CVE
>>>>>> numbers assigned, but are in the process of applying.
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> Comunidade Plone no Governo
>>>>>> Site: www.softwarelivre.gov.br/plone
>>>>>> Wiki: colab.interlegis.leg.br/wiki/PloneGovBr
>>>>>> Lista: listas.interlegis.gov.br/mailman/listinfo/plonegov-br
>>>>
>>>> -
>>>>
>>>>
>>>> "This message from SERVIÇO FEDERAL DE PROCESSAMENTO DE DADOS (SERPRO) -- a
>>>> government company established under Brazilian law (5.615/70) -- is directed
>>>> exclusively to its addressee and may contain confidential data, protected
>>>> under professional secrecy rules. Its unauthorized use is illegal and may
>>>> subject the transgressor to the law's penalties. If you're not the
>>>> addressee, please send it back, elucidating the failure."
>>>>
>>
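The advisory's first precaution (Zope and ZEO able to write only to log and data directories) can be audited mechanically. The script below is an added example, not part of this thread or of Plone itself; it assumes a standard buildout layout and the var/ subdirectory names in ALLOWED_WRITABLE, and judges writability from ownership and mode bits so that it gives the same answer whether it is run as root or as the service account.

```python
import os
import shutil
import stat
import tempfile

# Paths under the buildout root that the Zope/ZEO account legitimately writes to.
# Assumed standard Plone buildout layout; adjust to your own var/ layout.
ALLOWED_WRITABLE = ("var/log", "var/filestorage", "var/blobstorage")

def writable_by(st, uid, gid):
    """Can an account with this uid/gid write the entry? Decided from ownership
    and mode bits, not os.access(), so root running the audit changes nothing."""
    if st.st_uid == uid:
        return True  # an owner can always chmod the entry writable again
    if st.st_gid == gid:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit_buildout(root, uid, gid, allowed=ALLOWED_WRITABLE):
    """Return buildout-relative paths the service account could write that are
    outside the allowed log/data directories. var/ itself counts: if it is
    writable, the account can create arbitrary new directories under it."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if any(rel == a or rel.startswith(a + os.sep) for a in allowed):
                continue
            st = os.lstat(full)
            if not stat.S_ISLNK(st.st_mode) and writable_by(st, uid, gid):
                findings.append(rel)
    return sorted(findings)

def demo():
    """Constructed sample tree, audited for a service uid/gid that owns nothing
    in it (so only group/other write bits decide). Returns the findings."""
    root = tempfile.mkdtemp()
    try:
        for d, mode in (("var", 0o755), ("var/log", 0o775), ("var/filestorage", 0o775),
                        ("bin", 0o755), ("parts", 0o755), ("parts/instance", 0o777),
                        ("src", 0o755)):
            os.mkdir(os.path.join(root, d))
            os.chmod(os.path.join(root, d), mode)
        for f, mode in (("bin/instance", 0o775), ("src/app.py", 0o666)):
            open(os.path.join(root, f), "w").close()
            os.chmod(os.path.join(root, f), mode)
        owner = os.stat(root)  # uid/gid that own the tree; service = neither
        return audit_buildout(root, owner.st_uid + 1, owner.st_gid + 1)
    finally:
        shutil.rmtree(root)
```

Run `audit_buildout("/path/to/buildout", uid, gid)` with the numeric uid and gid of the account that starts the Zope and ZEO instances; an empty list means nothing outside the log and data directories is writable by it.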


More details about the PloneGov-BR discussion list