[Plone-IT] Fwd: [Plone-Users] Fwd: Vulnerability in PloneFormGen — Updated announcement

Yuri yurj a alfa.it
Thu 30 May 2013 06:51:40 UTC



-------- Original message --------
Subject: 	[Plone-Users] Fwd: Vulnerability in PloneFormGen — Updated announcement
Date: 	Wed, 29 May 2013 10:31:16 -0700
From: 	Steve McMahon <steve a dcn.org>
To: 	plone_users <plone-users a lists.sourceforge.net>, Plone Developers <plone-developers a lists.sourceforge.net>



PloneFormGen <http://plone.org/products/ploneformgen>, a widely used 
response-form-creation add-on for the Plone Content Management System, 
has been discovered to have a serious vulnerability that allows an 
anonymous attacker to execute arbitrary code with the privileges of the 
system user running the server.

Installations of Plone that do not use the PloneFormGen add-on are not 
affected by this vulnerability.

The vulnerability is present in PloneFormGen versions 1.7.4 (2012-11-04) 
through 1.7.8. Users of any of these versions should immediately upgrade 
to Products.PloneFormGen version 1.7.11 
<https://pypi.python.org/pypi/Products.PloneFormGen/1.7.11>. 1.7.11 has 
been released today to the Plone and Python package repositories.

Another serious vulnerability affects most earlier versions of 
PloneFormGen. This vulnerability affects forms that have custom script 
adapters, and allows an anonymous attacker to gain control over the 
handling of data submitted through the form. This vulnerability is 
addressed in version 1.7.9. Users of PloneFormGen in the 1.6 series, 
which runs on Plone 3.x, 4.0 and 4.1, should upgrade to version 1.6.7 
<https://pypi.python.org/pypi/Products.PloneFormGen/1.6.7>, also 
released today.

Help for installing the upgrade is available on the #plone IRC channel 
<http://plone.org/support/chat> and forums 
<https://plone.org/support/forums>. Upgrading an already installed 
package requires you to specify the new version number in your buildout 
configuration file 
<https://weblion.psu.edu/trac/weblion/wiki/VersionPinning> and run 
buildout.

Thanks to The Code Distillery's security analysts for the responsible 
disclosure of the vulnerabilities, and for their suggestions for 
addressing the issues.
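A quick way for an administrator to check whether a site's buildout pins one of the affected PloneFormGen releases, as an added example that is not part of the announcement or of the PloneFormGen project: it reads the `[versions]` section of a buildout.cfg (a constructed sample is embedded) and applies the version ranges stated above. The sample configuration, the function names and the wording of the findings are assumptions for illustration.

```python
"""Check a Plone buildout.cfg for a Products.PloneFormGen pin named in the advisory."""
import configparser
import re

# Constructed sample buildout.cfg; the pinned release is one of the affected ones.
SAMPLE_CFG = """
[buildout]
extends = versions.cfg
parts = instance
versions = versions

[versions]
Products.PloneFormGen = 1.7.6
Products.DataGridField = 1.8.4
"""


def parse_version(text):
    """'1.7.6' -> (1, 7, 6); tolerates stray whitespace or suffixes."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def pinned_version(cfg_text):
    """Return the Products.PloneFormGen pin from [versions], or None if absent."""
    cfg = configparser.ConfigParser(interpolation=None)  # buildout uses ${...}, not %(...)s
    cfg.read_string(cfg_text)
    if not cfg.has_section("versions"):
        return None
    for name, value in cfg.items("versions"):
        if name.lower() == "products.ploneformgen":
            return value.strip()
    return None


def assess(version):
    """Map a pinned version to (issue, recommended release) pairs per the advisory."""
    v = parse_version(version)
    findings = []
    # 1.7.4 through 1.7.8: anonymous remote code execution, fixed in 1.7.11.
    if (1, 7, 4) <= v <= (1, 7, 8):
        findings.append(("anonymous remote code execution", "1.7.11"))
    # Custom script adapter issue: fixed in 1.7.9 (1.7 series) and 1.6.7 (1.6 series).
    if v[:2] == (1, 7) and v < (1, 7, 9):
        findings.append(("custom script adapter takeover", "1.7.11"))
    elif v[:2] == (1, 6) and v < (1, 6, 7):
        findings.append(("custom script adapter takeover", "1.6.7"))
    return findings


if __name__ == "__main__":
    pin = pinned_version(SAMPLE_CFG)
    for issue, fix in assess(pin) if pin else []:
        print(f"PloneFormGen {pin}: {issue}; pin {fix} and re-run buildout")
```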


