[Plone-IT] Fwd: [Plone-Users] Fwd: Vulnerability in PloneFormGen — Updated announcement
Roberto Rascioni
r.rascioni a unimc.it
Thu 30 May 2013 08:47:19 UTC
Thanks a lot!
Roberto
On 30/05/13 08.51, Yuri wrote:
>
>
> -------- Original message --------
> Subject: [Plone-Users] Fwd: Vulnerability in PloneFormGen —
> Updated announcement
> Date: Wed, 29 May 2013 10:31:16 -0700
> From: Steve McMahon <steve a dcn.org>
> To: plone_users <plone-users a lists.sourceforge.net>, Plone
> Developers <plone-developers a lists.sourceforge.net>
>
>
>
> PloneFormGen <http://plone.org/products/ploneformgen>, a widely used
> response-form-creation add-on for the Plone Content Management System,
> has been discovered to have a serious vulnerability that allows an
> anonymous attacker to execute arbitrary code with the privileges of
> the system user running the server.
>
> Installations of Plone that do not use the PloneFormGen add-on are not
> affected by this vulnerability.
>
> The vulnerability is present in PloneFormGen versions 1.7.4
> (2012-11-04) through 1.7.8. Users of any of these versions should
> immediately upgrade to Products.PloneFormGen version 1.7.11
> <https://pypi.python.org/pypi/Products.PloneFormGen/1.7.11>. 1.7.11
> has been released today to the Plone and Python package repositories.
>
> Another serious vulnerability affects most earlier versions of
> PloneFormGen. This vulnerability affects forms that have custom script
> adapters, and allows an anonymous attacker to gain control over the
> handling of data submitted through the form. This vulnerability is
> addressed in version 1.7.9. Users of PloneFormGen in the 1.6 series,
> which runs on Plone 3.x, 4.0 and 4.1, should upgrade to version 1.6.7
> <https://pypi.python.org/pypi/Products.PloneFormGen/1.6.7>, also
> released today.
>
> Help for installing the upgrade is available on the #plone IRC
> channel <http://plone.org/support/chat> and forums
> <https://plone.org/support/forums>. Upgrading an already installed
> package requires you to specify the new version number in your
> buildout configuration file
> <https://weblion.psu.edu/trac/weblion/wiki/VersionPinning> and run
> buildout.
>
> Thanks to The Code Distillery's security analysts for the responsible
> disclosure of the vulnerabilities, and for their suggestions for
> addressing the issues.
>
> _______________________________________________
> Plone-IT mailing list
> Plone-IT a lists.plone.org
> https://lists.plone.org/mailman/listinfo/plone-plone-it
> http://plone-regional-forums.221720.n2.nabble.com/Plone-Italy-f221721.html
--
*Dr. Roberto Rascioni - Web, E-Learning, Development & Research Office*
CSIA - Università degli studi di Macerata
Vicolo Tornabuoni, 58 - 62100 Macerata
Tel +39 0733.258.4408 - Fax +39 0733.258.4415
http://www.unimc.it
Save a tree - Do you really need to print this email?
************************************************************
TODAY'S SCIENCE IS TOMORROW'S LIFE.
Support the *Young Researchers Project*:
5 per mille to the University of Macerata - tax code: 00177050432
http://www.unimc.it/5permille
************************************************************
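The announcement above tells administrators to pin the fixed release in their buildout configuration; the script below is an added example (not part of the original announcement, of the Plone project, or of PloneFormGen) that reads the `[versions]` pin for `Products.PloneFormGen` from a buildout.cfg and reports whether it falls in one of the ranges the announcement names. The function names, the two sample buildout.cfg texts and the "no pin" rule are assumptions made for this example; the version numbers come from the announcement.

```python
"""Check a buildout.cfg pin for Products.PloneFormGen against the version
ranges stated in the PloneFormGen advisory (example code, not the project's own)."""
import configparser

# Version facts as stated in the announcement.
RCE_FIRST, RCE_LAST = (1, 7, 4), (1, 7, 8)               # anonymous code execution
SCRIPT_ADAPTER_FIXED = {(1, 7): (1, 7, 9), (1, 6): (1, 6, 7)}  # custom script adapter issue
RECOMMENDED = {(1, 7): "1.7.11", (1, 6): "1.6.7"}         # releases the advisory points to


def parse_version(text):
    """'1.7.8' -> (1, 7, 8). Tuples compare numerically, unlike strings
    (as strings, '1.7.10' sorts before '1.7.9')."""
    return tuple(int(part) for part in text.strip().split("."))


def pinned_pfg_version(buildout_cfg):
    """Return the Products.PloneFormGen pin from the [versions] section, or None."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep option names case-sensitive (egg names are)
    parser.read_string(buildout_cfg)
    if not parser.has_section("versions"):
        return None
    return parser["versions"].get("Products.PloneFormGen")


def assess(version_text):
    """Map a PloneFormGen version to the advisory's statement about it."""
    v = parse_version(version_text)
    series = v[:2]
    if series > (1, 7):
        return "newer than the releases covered by the advisory"
    if series not in RECOMMENDED:
        return "earlier series: the advisory says most earlier versions are affected; upgrade"
    if RCE_FIRST <= v <= RCE_LAST:
        return f"affected (anonymous code execution): upgrade to {RECOMMENDED[series]}"
    if v < SCRIPT_ADAPTER_FIXED[series]:
        return f"affected (custom script adapters): upgrade to {RECOMMENDED[series]}"
    return "not in an affected range named by the advisory"


def check_buildout(buildout_cfg):
    """Assumed policy for this example: an unpinned egg is reported as a finding,
    because buildout may then resolve any release it finds."""
    pin = pinned_pfg_version(buildout_cfg)
    if pin is None:
        return "no pin: buildout may resolve a vulnerable release; pin the fixed version"
    return assess(pin)


# Constructed sample configurations (not from any real site).
VULNERABLE_CFG = """\
[buildout]
parts = instance

[instance]
recipe = plone.recipe.zope2instance
eggs =
    Plone
    Products.PloneFormGen

[versions]
Products.PloneFormGen = 1.7.8
"""

FIXED_CFG = VULNERABLE_CFG.replace("1.7.8", "1.7.11")

if __name__ == "__main__":
    for name, cfg in (("vulnerable", VULNERABLE_CFG), ("fixed", FIXED_CFG)):
        print(f"{name}: {check_buildout(cfg)}")
```

Running the script prints the verdict for both sample configurations; after editing the real buildout.cfg the pin still has to be applied by running buildout, as the announcement says.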