[Plone-IT] oh, no, again!

SauZheR sauzher a gmail.com
Thu 6 Jun 2013 08:06:13 UTC


2012 went by without a hitch... what do you expect?  :)


2013/6/5 Vito Falco <vitofalco a gmail.com>

> ufff
>
>
>
> 2013/6/5 Yuri <yurj a alfa.it>
>
>> Security vulnerability announcement: 20130611 - Multiple vectors
>> <http://feedproxy.google.com/%7Er/plonenews/%7E3/QplvNHXQ-Hc/20130611-announcement?utm_source=feedburner&utm_medium=email>
>>
>>
>> Posted: 31 May 2013 03:26 AM PDT
>>
>> CVE numbers not yet issued.
>>
>> *Versions Affected:* All current Plone versions.
>>
>> *Versions Not Affected:* None.
>>
>> *This is a pre-announcement.* Due to the severity of some of these
>> issues, we are providing an advance warning of an upcoming patch. The patch
>> will be released on this page <http://plone.org/products/plone-hotfix/releases/20121106>
>> at *2013-06-11 15:00 UTC <http://www.timeanddate.com/worldclock/fixedtime.html?msg=Plone+security+patch+release&iso=20130611T15>*.
>>
>>
>>
>>    What You Should Do in Advance of Patch Availability
>>
>> Due to the nature of the vulnerability, the security team has decided to
>> pre-announce that a fix is upcoming before disclosing the details. This is
>> to ensure that concerned users can plan around the release.  As the fix
>> being published will make the details of the vulnerability public, we are
>> recommending that all users plan a maintenance window for the 60 minutes
>> following the announcement in which to install the fix.
>>
>> Meanwhile, we STRONGLY recommend that you take the following steps to
>> protect your site:
>>
>> 1. Make sure that the Zope/Plone service is running with minimum
>>    privileges. Ideally, the Zope and ZEO services should be able to
>>    write only to log and data directories.
>> 2. Use an intrusion detection system that monitors key system resources
>>    for unauthorized changes.
>> 3. Monitor your Zope, reverse-proxy request and system logs for unusual
>>    activity.
>>
>> These are standard precautions that should be employed on any production
>> system.
>>
>>
>>      Extra Help
>>
>> Should you not have in-house server administrators or a service agreement
>> looking after your website, you can find consulting companies on
>> plone.net <http://plone.net/>.
>>
>> There is also free support <../../../../support> available online via
>> Plone mailing lists and the Plone IRC channels.
>>
>> *Q: When will the patch be made available?*
>> A: The Plone Security Team will release the patch at 2013-06-11 15:00
>> UTC.
>>
>> *Q. What will be involved in applying the patch?*
>> A. Patches are made available as tarball-style archives that may be
>> unpacked into the products folder of a buildout installation and as Python
>> packages that may be installed by editing a buildout configuration file and
>> running buildout. Patching is generally easy and quick to accomplish.
>>
>> *Q: How were these vulnerabilities found?*
>> A: The majority of issues were found as part of audits performed by the
>> Plone Security team. A subset were reported by users. More details will be
>> available upon release of the patch.
>>
>> *Q: My site is highly visible and mission-critical. I hear the patch has
>> already been developed. Can I get the fix before the release date?*
>> A: No. The patch will be made available to *all users at the same time*.
>> There are no exceptions.
>>
>> *Q: If the patch has been developed already, why isn't it made available
>> to the public now?*
>> A: The Security Team is still testing the patch and running various
>> scenarios thoroughly. The team is also making sure everybody has
>> appropriate time to plan to patch their Plone installation(s). Some
>> consultancy organizations have hundreds of sites to patch and need the
>> extra time to coordinate their efforts with their clients.
>>
>> *Q: How does one exploit the vulnerability?*
>> A: This information will not be made public until after the patch is
>> made available.
>>
>> *General questions* *about this announcement*, Plone patching procedures,
>> and availability of support may be addressed to the Plone support forums
>> <../../../../support>. If you have *specific questions* about this
>> vulnerability or its handling, contact the Plone Security Team <mailto:
>> security a plone.org>.
>>
>> *To report potentially security-related issues*, e-mail the Plone
>> Security Team at security a plone.org. We are always happy to credit
>> individuals and companies who make responsible disclosures.
>>
>>
>>      Information for Vulnerability Database Maintainers
>>
>> We will issue individual advice on each issue, including CVSS2 and CWE
>> identifiers when the patch is released. We currently do not have CVE
>> numbers assigned, but are in the process of applying.
>>
>> _______________________________________________
>> Plone-IT mailing list
>> Plone-IT a lists.plone.org
>> https://lists.plone.org/mailman/listinfo/plone-plone-it
>> http://plone-regional-forums.221720.n2.nabble.com/Plone-Italy-f221721.html
>>
>
>
>
> --
> *Vito Falco*
> Webdeveloper & designer freelance, Plone enthusiast
> Bari, IT
> tel +39 3346330137 | skype vito80ba | twitter vito80ba
> Linkedin http://it.linkedin.com/in/vitof
>
>



-- 
  bye
SauZheR
************************************
iteration is human...
recursion, divine!
************************************
reply to: sauzher AT gmail DOT com
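An added example, not part of this thread and not Plone's own code, for the first precaution in the quoted advisory (the Zope/ZEO service should be able to write only to its log and data directories). It audits a buildout tree and reports every directory or file outside the allowed subtrees that the service account could modify, judged from ownership and mode bits rather than from the auditing user's own access, so it gives the same answer when run as root. The assumed layout (writable state under `var/`, the `ALLOWED_WRITABLE` tuple) and the sample tree it builds are constructed for the example; pass your own buildout root and the service uid on the command line for a real check.

```python
"""Audit a Zope/Plone buildout tree for paths the service account can write.

Added example, not taken from the advisory or from Plone. It checks the first
precaution in the pre-announcement: the Zope/ZEO service should be able to
write only to its log and data directories. Assumed layout: a buildout root
whose writable state (filestorage, blobstorage, log) lives under var/.
"""
import grp
import os
import pwd
import stat
import sys
import tempfile
from pathlib import Path

# Subtrees (relative to the buildout root) the service legitimately writes.
# Assumption for this example; adjust to your deployment.
ALLOWED_WRITABLE = ("var",)


def can_write(st, uid, gids):
    """Judge writability from mode bits and ownership only, so the result
    describes the service account even when the audit itself runs as root."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit_tree(root, uid, gids, allowed=ALLOWED_WRITABLE):
    """Return the sorted relative paths (directories and files) outside the
    allowed subtrees that an account with this uid and these gids could modify.
    A writable directory counts: the service could drop or replace files in it."""
    root = Path(root).resolve()
    allowed_paths = {root / a for a in allowed}
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        current = Path(dirpath)
        if current in allowed_paths:
            dirnames[:] = []            # prune: writes here are expected
            continue
        for path in [current] + [current / f for f in filenames]:
            st = path.lstat()
            if stat.S_ISLNK(st.st_mode):
                continue                # a link's own mode bits mean nothing
            if can_write(st, uid, gids):
                findings.append(str(path.relative_to(root)))
    return sorted(findings)


def groups_of(uid):
    """Primary plus supplementary gids of a local account, from pwd/grp."""
    pw = pwd.getpwuid(uid)
    gids = {pw.pw_gid}
    gids.update(g.gr_gid for g in grp.getgrall() if pw.pw_name in g.gr_mem)
    return frozenset(gids)


def build_sample_tree():
    """Build a constructed buildout layout in a temp dir, partly locked down
    and partly sloppy. Returns (root, owner_uid, owner_gid) of what was built."""
    root = Path(tempfile.mkdtemp(prefix="plone-audit-"))
    dirs = {"bin": 0o755, "parts": 0o755, "parts/instance": 0o755,
            "parts/instance/etc": 0o755, "src": 0o777, "eggs": 0o555,
            "var": 0o755, "var/log": 0o755}
    files = {"bin/instance": 0o755, "parts/instance/etc/zope.conf": 0o644,
             "src/world.txt": 0o666, "eggs/README": 0o444,
             "var/log/instance.log": 0o644}
    for rel in dirs:
        (root / rel).mkdir()
    for rel, mode in files.items():
        (root / rel).write_text("constructed sample\n")
        os.chmod(root / rel, mode)
    for rel, mode in dirs.items():      # after the files, so 0o555 dirs work
        os.chmod(root / rel, mode)
    os.chmod(root, 0o755)
    st = root.stat()
    return root, st.st_uid, st.st_gid


if __name__ == "__main__":
    # Usage: python audit_buildout.py BUILDOUT_ROOT SERVICE_UID
    # With no arguments, audit the constructed sample tree as its owner.
    if len(sys.argv) >= 3:
        root, uid = sys.argv[1], int(sys.argv[2])
        gids = groups_of(uid)
    else:
        root, uid, gid = build_sample_tree()
        gids = frozenset({gid})
    for rel in audit_tree(root, uid, gids):
        print("service account can write:", rel)
```

On the sample tree the owner account is reported as able to write the buildout root, `bin/`, `parts/`, `zope.conf` and everything under `src/`, while `eggs/` (mode 0555) and `var/` (allowed) produce no findings; an unrelated account with no matching group is flagged only for the world-writable `src/` entries. Against a real deployment, run it with the uid the Zope/ZEO processes actually execute as, and treat every line of output outside the data and log directories as something to chown or chmod before the patch window.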