[Plone-IT] Fwd: [Plone-Users] Fwd: Vulnerability in PloneFormGen — Updated announcement

Fabrizio Rota fabrizio.rota a gmail.com
Sat 1 Jun 2013 12:42:28 UTC


Updated. Thanks.


2013/5/30 Fabrizio Rota <fabrizio.rota a gmail.com>

> They could have listed it explicitly in the message together with the other
> versions..... Or maybe I misunderstood!
> On 30 May 2013 11:26, "Yuri" <yurj a alfa.it> wrote:
>
>> On 30/05/2013 11:00, Fabrizio Rota wrote:
>>
>>> I have 1.7.0: it would seem to be free of the vulnerability: can I trust that?
>>>
>>
>> from 1.7.0:
>>
>>     def onSuccess(self, fields, REQUEST=None, loopstop=False):
>>         """
>>         saves data.
>>         """
>>
>> from 1.7.11:
>>
>>     security.declarePrivate('onSuccess')
>>     def onSuccess(self, fields, REQUEST=None, loopstop=False):
>>         # """
>>         # saves data.
>>         # """
>>
>>
>> I'd say no :)
>>
>>
>>
>>>
>>> 2013/5/30 Luca Fabbri <keul a redturtle.it>
>>>
>>>     It is somewhat open to criticism that there was no advance notice.
>>>     I understand it is not a HotFix, but it may have caused some
>>>     inconvenience. After all, it is perhaps the most famous add-on product!
>>>
>>>
>>>     On Thu, May 30, 2013 at 8:59 AM, Vito Falco <vitofalco a gmail.com> wrote:
>>>     > Thanks!
>>>     >
>>>     > Vito
>>>     >
>>>     >
>>>     > 2013/5/30 Yuri <yurj a alfa.it>
>>>     >>
>>>     >>
>>>     >>
>>>     >> -------- Original Message --------
>>>     >> Subject:        [Plone-Users] Fwd: Vulnerability in PloneFormGen — Updated announcement
>>>     >> Date:   Wed, 29 May 2013 10:31:16 -0700
>>>     >> From:   Steve McMahon <steve a dcn.org>
>>>     >> To:     plone_users <plone-users a lists.sourceforge.net>, Plone Developers <plone-developers a lists.sourceforge.net>
>>>     >>
>>>     >>
>>>     >>
>>>     >> PloneFormGen <http://plone.org/products/ploneformgen>, a widely used
>>>     >> response-form-creation add-on for the Plone Content Management System, has
>>>     >> been discovered to have a serious vulnerability that allows an anonymous
>>>     >> attacker to execute arbitrary code with the privileges of the system user
>>>     >> running the server.
>>>     >>
>>>     >> Installations of Plone that do not use the PloneFormGen add-on are not
>>>     >> affected by this vulnerability.
>>>     >>
>>>     >> The vulnerability is present in PloneFormGen versions 1.7.4 (2012-11-04)
>>>     >> through 1.7.8. Users of any of these versions should immediately upgrade to
>>>     >> Products.PloneFormGen version 1.7.11
>>>     >> <https://pypi.python.org/pypi/Products.PloneFormGen/1.7.11>. 1.7.11 has been
>>>     >> released today to the Plone and Python package repositories.
>>>     >>
>>>     >> Another serious vulnerability affects most earlier versions of
>>>     >> PloneFormGen. This vulnerability affects forms that have custom script
>>>     >> adapters, and allows an anonymous attacker to gain control over the handling
>>>     >> of data submitted through the form. This vulnerability is addressed in
>>>     >> version 1.7.9. Users of PloneFormGen in the 1.6 series, which runs on Plone
>>>     >> 3.x, 4.0 and 4.1 should upgrade to version 1.6.7
>>>     >> <https://pypi.python.org/pypi/Products.PloneFormGen/1.6.7>, also released
>>>     >> today.
>>>     >>
>>>     >> Help for installing the upgrade is available on the #plone IRC channel
>>>     >> <http://plone.org/support/chat> and forums
>>>     >> <https://plone.org/support/forums>. Upgrading an already installed package
>>>     >> requires you to specify the new version number in your buildout
>>>     >> configuration file
>>>     >> <https://weblion.psu.edu/trac/weblion/wiki/VersionPinning> and run
>>>     >> buildout.
>>>     >>
>>>     >> Thanks to The Code Distillery's security analysts for the
>>>     responsible
>>>     >> disclosure of the vulnerabilities, and for their suggestions
>>>     for addressing
>>>     >> the issues.
>>>     >>
>>>     >>
>>>     >>
>>>     >>
>>>     >> _______________________________________________
>>>     >> Plone-IT mailing list
>>>     >> Plone-IT a lists.plone.org
>>>     >> https://lists.plone.org/mailman/listinfo/plone-plone-it
>>>     >> http://plone-regional-forums.221720.n2.nabble.com/Plone-Italy-f221721.html
>>>     >
>>>     >
>>>     >
>>>     >
>>>     > --
>>>     > Vito Falco
>>>     > Webdeveloper & designer freelance, Plone enthusiast
>>>     > Bari, IT
>>>     > tel +39 3346330137 | skype vito80ba | twitter vito80ba
>>>     > Linkedin http://it.linkedin.com/in/vitof
>>>     >
>>>
>>>
>>>
>>>     --
>>>     Saluti/Regards
>>>
>>>     Luca Fabbri - RedTurtle Technology
>>>     E-mail: luca.fabbri a redturtle.it
>>>     Web Site: http://www.redturtle.it/
>>>     Phone: +39 0532 1915958
>>>     Fax: +39 0532 287070
>>>
>>>
>>>
>>>
>>> --
>>> Fabrizio
>>> --------------------
>>> Not sent from an iPhone
>>>
>>> "Life is what happens to you while you're busy making other plans" - J.
>>> Lennon
>>>
>>> “If you think education is expensive, try ignorance” - D. Bok
>>>
>>> Life is like a game of cards. The hand you are dealt is determinism; the
>>> way you play it is free will - Jawaharlal Nehru
>>>
>>>
>>>
>>
>>
>


-- 
Fabrizio
--------------------
Not sent from an iPhone

"Life is what happens to you while you're busy making other plans" - J.
Lennon

“If you think education is expensive, try ignorance” - D. Bok

Life is like a game of cards. The hand you are dealt is determinism; the
way you play it is free will - Jawaharlal Nehru
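A way to apply Yuri's comparison above to an installed copy, added here as an example for this page (it is not code from PloneFormGen, Plone or any participant in the thread): the script parses the adapter module with Python's `ast` module and reports, for each class defining `onSuccess`, whether the method still has a docstring and whether a `security.declarePrivate('onSuccess')` declaration is present. The path `Products/PloneFormGen/content/saveDataAdapter.py` and the class name `FormSaveDataAdapter` are assumptions; the two embedded samples are constructed from the 1.7.0 and 1.7.11 snippets quoted in the thread, with `pass` bodies so they parse. Python 3.8 or later is assumed for `ast.Constant`.

```python
import ast
import sys

# Constructed samples mirroring the two snippets quoted in the thread: the
# 1.7.0 shape (public method, docstring present) and the 1.7.11 shape
# (declarePrivate() added, docstring commented out). They stand in for the
# real adapter module; the bodies are stubbed with `pass` so they parse.
SAMPLE_1_7_0 = '''
class FormSaveDataAdapter(object):
    security = ClassSecurityInfo()

    def onSuccess(self, fields, REQUEST=None, loopstop=False):
        """
        saves data.
        """
        pass
'''

SAMPLE_1_7_11 = '''
class FormSaveDataAdapter(object):
    security = ClassSecurityInfo()

    security.declarePrivate('onSuccess')
    def onSuccess(self, fields, REQUEST=None, loopstop=False):
        # """
        # saves data.
        # """
        pass
'''


def _declares_private(node, method):
    """True for a class-body statement of the form security.declarePrivate('<method>')."""
    if not isinstance(node, ast.Expr) or not isinstance(node.value, ast.Call):
        return False
    call = node.value
    return (
        isinstance(call.func, ast.Attribute)
        and call.func.attr == "declarePrivate"
        and len(call.args) == 1
        and isinstance(call.args[0], ast.Constant)
        and call.args[0].value == method
    )


def audit_method(source, method="onSuccess"):
    """Inspect every class in `source` that defines `method`.

    Zope 2 only publishes a method through the web if it has a docstring, and a
    security.declarePrivate() declaration denies web access regardless. The
    verdict is therefore a heuristic: docstring present and no private
    declaration means the method may be reachable by URL (the 1.7.0 shape);
    a missing docstring or a private declaration blocks it (the 1.7.11 shape).
    """
    tree = ast.parse(source)
    verdicts = {}
    for cls in ast.walk(tree):
        if not isinstance(cls, ast.ClassDef):
            continue
        # ClassSecurityInfo collects declarations for the whole class body and
        # applies them at InitializeClass() time, so their position in the
        # body relative to the def does not matter.
        private = any(_declares_private(stmt, method) for stmt in cls.body)
        for stmt in cls.body:
            if isinstance(stmt, ast.FunctionDef) and stmt.name == method:
                has_doc = ast.get_docstring(stmt) is not None
                verdicts[cls.name] = {
                    "docstring": has_doc,
                    "declared_private": private,
                    "web_callable": has_doc and not private,
                }
    return verdicts


def main(argv):
    # Usage: python pfg_audit.py /path/to/Products/PloneFormGen/content/saveDataAdapter.py
    # (assumed location of the save-data adapter inside an installed egg).
    # With no argument the two constructed samples are audited instead.
    if len(argv) > 1:
        with open(argv[1]) as fh:
            sources = {argv[1]: fh.read()}
    else:
        sources = {"sample 1.7.0": SAMPLE_1_7_0, "sample 1.7.11": SAMPLE_1_7_11}
    for label, src in sources.items():
        for cls, v in audit_method(src).items():
            state = "POTENTIALLY WEB-CALLABLE" if v["web_callable"] else "not web-callable"
            print(f"{label}: {cls}.onSuccess docstring={v['docstring']} "
                  f"declarePrivate={v['declared_private']} -> {state}")


if __name__ == "__main__":
    main(sys.argv)
```

The check rests on two Zope 2 rules: ZPublisher refuses to traverse to a method that has no docstring, and a `declarePrivate()` declaration removes web access whatever the docstring says. It answers only the narrow question raised in the thread (is `onSuccess` still publishable in the copy on disk); the affected range in the announcement (1.7.4 through 1.7.8) and the separate custom-script-adapter issue fixed in 1.7.9 stand regardless of what the script reports, so the remedy is still the one the announcement gives: pin `Products.PloneFormGen = 1.7.11` (or 1.6.7 for the 1.6 series) in the `[versions]` section of buildout.cfg and re-run buildout.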
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.plone.org/pipermail/plone-plone-it/attachments/20130601/c4cfa645/attachment.html>


More information about the Plone-IT mailing list