[Plone-IT] Fwd: [Plone-Users] Security Announcement: Severe Vulnerability - Patch Pre-Announcement

Yuri yurj a alfa.it
Fri 30 Sep 2011 08:28:56 UTC


On 29/09/2011 19:14, Fabrizio Rota wrote:
> This reminds me a lot of the privilege escalations from the previous times...

Worse: with this one you run commands as the plone user, such as
deleting the entire contents of the plone user's directories (and
therefore the instance).


>
> 2011/9/29 Yuri <yurj a alfa.it>
>
>     oh no, again! :-D
>
>     -------- Original Message --------
>     Subject:        [Plone-Users] Security Announcement: Severe
>     Vulnerability - Patch Pre-Announcement
>     Date:   Wed, 28 Sep 2011 13:54:49 -0700
>     From:   Steve McMahon <steve a dcn.org>
>     To:     plone_users <plone-users a lists.sourceforge.net>, Plone Developers
>     <plone-developers a lists.sourceforge.net>
>
>
>
>     During a security audit conducted by a member of the Plone
>     Security Team, a severe vulnerability was discovered in Zope
>     2.12.x and Zope 2.13.x that allows execution of arbitrary code by
>     anonymous users.
>
>     *The vulnerability affects Plone 4.0 (through 4.0.9); Plone 4.1;
>     Plone 4.2 (a1 and a2); Zope 2.12.x and Zope 2.13.x. It allows an
>     unauthenticated attacker to employ a carefully crafted web request
>     to execute arbitrary commands with the privileges of the
>     Zope/Plone service.*
>
>     *A patch will be available 2011-10-04, at 15:00 UTC.*
>
>     Please carefully read
>     http://plone.org/products/plone/security/advisories/20110928 for
>     more details.
>
>     *General questions* about this announcement, Plone patching
>     procedures, and availability of support may be addressed to
>     the Plone support forums <http://plone.org/support>. If you
>     have *specific questions* about this vulnerability or its handling,
>     contact the Plone Security Team <mailto:security a plone.org>.
>
>     *To report potentially security-related issues*, please send a
>     mail to the Plone Security Team at security a plone.org. The
>     security team is always happy to credit individuals and companies
>     who make responsible disclosures.
>
>
>     _______________________________________________
>     Plone-IT mailing list
>     Plone-IT a lists.plone.org
>     https://lists.plone.org/mailman/listinfo/plone-plone-it
>     http://plone-regional-forums.221720.n2.nabble.com/Plone-Italy-f221721.html
>
> -- 
> Fabrizio



More information about the Plone-IT mailing list