[Plone-IT] oh, no, again!

Vito Falco vitofalco a gmail.com
Wed 5 Jun 2013 08:12:28 UTC


2013/6/5 Yuri <yurj a alfa.it>

> Security vulnerability announcement: 20130611 - Multiple vectors
> <http://feedproxy.google.com/%7Er/plonenews/%7E3/QplvNHXQ-Hc/20130611-announcement?utm_source=feedburner&utm_medium=email>
> Posted: 31 May 2013 03:26 AM PDT
> CVE numbers not yet issued.
> *Versions Affected:* All current Plone versions.
> *Versions Not Affected:* None.
> *This is a pre-announcement.* Due to the severity of some of these issues,
> we are providing an advance warning of an upcoming patch. The patch will be
> released on this page <http://plone.org/products/plone-hotfix/releases/20121106>
> at *2013-06-11 15:00 UTC <http://www.timeanddate.com/worldclock/fixedtime.html?msg=Plone+security+patch+release&iso=20130611T15>*.
> What You Should Do in Advance of Patch Availability
> Due to the nature of the vulnerability, the security team has decided to
> pre-announce that a fix is upcoming before disclosing the details. This is
> to ensure that concerned users can plan around the release.  As the fix
> being published will make the details of the vulnerability public, we are
> recommending that all users plan a maintenance window for the 60 minutes
> following the announcement in which to install the fix.
> Meanwhile, we STRONGLY recommend that you take the following steps to
> protect your site:
> 1. Make sure that the Zope/Plone service is running with minimum
>    privileges. Ideally, the Zope and ZEO services should be able to
>    write only to log and data directories.
> 2. Use an intrusion detection system that monitors key system resources
>    for unauthorized changes.
> 3. Monitor your Zope, reverse-proxy request and system logs for unusual
>    activity.
> These are standard precautions that should be employed on any production
> system.
> Extra Help
> Should you not have in-house server administrators or a service agreement
> looking after your website, you can find consulting companies on plone.net
> <http://plone.net/>.
> There is also free support <../../../../support> available online via
> Plone mailing lists and the Plone IRC channels.
> *Q: When will the patch be made available?*
> A: The Plone Security Team will release the patch at 2013-06-11 15:00 UTC.
> *Q: What will be involved in applying the patch?*
> A: Patches are made available as tarball-style archives that may be
> unpacked into the products folder of a buildout installation and as Python
> packages that may be installed by editing a buildout configuration file and
> running buildout. Patching is generally easy and quick to accomplish.
> *Q: How were these vulnerabilities found?*
> A: The majority of issues were found as part of audits performed by the
> Plone Security team. A subset were reported by users. More details will be
> available upon release of the patch.
> *Q: My site is highly visible and mission-critical. I hear the patch has
> already been developed. Can I get the fix before the release date?*
> A: No. The patch will be made available to *all users at the same time*.
> There are no exceptions.
> *Q: If the patch has been developed already, why isn't it made available
> to the public now?*
> A: The Security Team is still testing the patch and running various
> scenarios thoroughly. The team is also making sure everybody has
> appropriate time to plan to patch their Plone installation(s). Some
> consultancy organizations have hundreds of sites to patch and need the
> extra time to coordinate their efforts with their clients.
> *Q: How does one exploit the vulnerability?*
> A: This information will not be made public until after the patch is made
> available.
> *General questions about this announcement*, Plone patching procedures,
> and availability of support may be addressed to the Plone support forums
> <../../../../support>. If you have *specific questions* about this
> vulnerability or its handling, contact the Plone Security Team
> <mailto:security a plone.org>.
> *To report potentially security-related issues*, e-mail the Plone
> Security Team at security a plone.org. We are always happy to credit
> individuals and companies who make responsible disclosures.
> Information for Vulnerability Database Maintainers
> We will issue individual advice on each issue, including CVSS2 and CWE
> identifiers when the patch is released. We currently do not have CVE
> numbers assigned, but are in the process of applying.
> _______________________________________________
> Plone-IT mailing list
> Plone-IT a lists.plone.org
> https://lists.plone.org/mailman/listinfo/plone-plone-it
> http://plone-regional-forums.221720.n2.nabble.com/Plone-Italy-f221721.html

*Vito Falco*
Webdeveloper & designer freelance, Plone enthusiast
Bari, IT
tel +39 3346330137 | skype vito80ba | twitter vito80ba
Linkedin http://it.linkedin.com/in/vitof
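The quoted advisory's first precaution, that the Zope/ZEO account should be able to write only to log and data directories, is the one a site owner can verify mechanically before the patch lands. The following is an added example, not part of the original post or of the Plone project: a small Python audit that walks a buildout tree, decides from the mode bits whether a given uid/gid could write each entry, and reports anything writable outside an allowlist. The allowlist (`var/log`, `var/filestorage`, `var/blobstorage`) mirrors a common buildout layout but is an assumption; the advisory names only "log and data directories". The sample tree, its file names and the `run_demo` scenario are constructed for the demonstration.

```python
"""Least-privilege audit for a Zope/Plone buildout tree.

Added example (not from the advisory or the Plone project). It checks the
advisory's first precaution by walking a buildout root, deciding from the
mode bits whether a service uid/gid could write each entry, and reporting
anything writable outside an allowlist. Allowlist and sample data are
constructed for the demonstration.
"""
import os
import shutil
import stat
import tempfile

# Assumed allowlist (relative to the buildout root): log files and ZODB data.
# Adjust to your own layout; the advisory names only "log and data directories".
ALLOWED_WRITABLE = ("var/log", "var/filestorage", "var/blobstorage")


def _under(rel, prefixes):
    """True if the relative path `rel` is one of `prefixes` or lies below one."""
    return any(rel == p or rel.startswith(p + "/") for p in prefixes)


def writable_by(st, uid, gid):
    """Decide from the mode bits in `st` whether uid/gid could write the entry.

    Pure bit logic, so it can reason about a service account other than the
    one running the audit. It deliberately ignores root's bypass: a service
    that needs root to write is the finding, not the excuse."""
    mode = st.st_mode
    if st.st_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if st.st_gid == gid:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def audit_buildout(root, uid, gid, allowed=ALLOWED_WRITABLE):
    """Return sorted relative paths under `root` that uid/gid could write
    but that are outside the allowed prefixes."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue  # a link's own bits say nothing; its target is judged where it lives
            rel = os.path.relpath(full, root)
            if writable_by(st, uid, gid) and not _under(rel, allowed):
                findings.append(rel)
    return sorted(findings)


def build_sample_tree(root, writable_extra=()):
    """Create a minimal buildout-like layout (constructed sample data) and lock
    it down: owner-writable only under ALLOWED_WRITABLE plus `writable_extra`,
    read-only (r-x / r--) everywhere else."""
    layout = (  # constructed names, not a real installation
        "bin/instance",
        "buildout.cfg",
        "eggs/Plone-4.3-py2.7.egg/EGG-INFO/PKG-INFO",
        "parts/instance/etc/zope.conf",
        "var/log/instance.log",
        "var/filestorage/Data.fs",
        "var/blobstorage/.layout",
    )
    for rel in layout:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("sample\n")
    wanted = ALLOWED_WRITABLE + tuple(writable_extra)
    for dirpath, dirnames, filenames in os.walk(root, topdown=False):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            is_dir = os.path.isdir(full)
            if _under(os.path.relpath(full, root), wanted):
                os.chmod(full, 0o750 if is_dir else 0o640)
            else:
                os.chmod(full, 0o550 if is_dir else 0o440)


def cleanup(root):
    """Restore write access on the directories so the temporary tree can be removed."""
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            os.chmod(os.path.join(dirpath, d), 0o700)
    shutil.rmtree(root)


def run_demo():
    """Audit two sample trees as the current user: one locked down correctly and
    one where parts/instance was left writable (e.g. after a careless chown).
    Returns the findings for each, in that order."""
    uid, gid = os.getuid(), os.getgid()
    results = []
    for extra in ((), ("parts/instance",)):
        root = tempfile.mkdtemp(prefix="plone-audit-")
        try:
            build_sample_tree(root, extra)
            results.append(audit_buildout(root, uid, gid))
        finally:
            cleanup(root)
    return results


if __name__ == "__main__":
    clean, drifted = run_demo()
    print("locked-down tree:", clean or "no findings")
    print("drifted tree:   ", drifted)
```

On a real installation you would call `audit_buildout("/path/to/buildout", uid, gid)` with the uid/gid the `instance` and `zeoserver` processes actually run as (from `ps -o uid,gid` or the `effective-user` setting); a writable `parts/`, `eggs/` or `bin/` means a compromised Zope process could rewrite its own code or configuration, which is exactly the blast radius the advisory's first step is meant to contain.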

More information about the Plone-IT mailing list