[Plone-IT] Fwd: [Plone-Users] Fwd: Vulnerability in PloneFormGen — Updated announcement
Luca Fabbri
keul a redturtle.it
Thu 30 May 2013 10:33:32 UTC
On Thu, May 30, 2013 at 11:25 AM, Yuri <yurj a alfa.it> wrote:
> On 30/05/2013 11:00, Fabrizio Rota wrote:
>
>> I have 1.7.0: it would appear to be free of the vulnerability: can I trust that?
>
>
> from 1.7.0:
>
>     def onSuccess(self, fields, REQUEST=None, loopstop=False):
>         """
>         saves data.
>         """
>
> from 1.7.11:
>
>     security.declarePrivate('onSuccess')
>     def onSuccess(self, fields, REQUEST=None, loopstop=False):
>         # """
>         # saves data.
>         # """
>
>
> I'd say no :)
>
From your analysis it really looks like 1.7.0 is buggy too...
does anyone have official information about this?
>
>>
>>
>> 2013/5/30 Luca Fabbri <keul a redturtle.it>
>>
>>
>> It is somewhat open to criticism that there was no advance notice.
>> I understand it is not a HotFix, but it may well have caused some
>> inconvenience. After all, it is perhaps the best-known add-on product!
>>
>>
>> On Thu, May 30, 2013 at 8:59 AM, Vito Falco <vitofalco a gmail.com> wrote:
>> > Thanks!
>> >
>> > Vito
>> >
>> >
>> > 2013/5/30 Yuri <yurj a alfa.it>
>>
>> >>
>> >>
>> >>
>> >> -------- Original Message --------
>> >> Subject: [Plone-Users] Fwd: Vulnerability in PloneFormGen — Updated
>> >> announcement
>> >> Date: Wed, 29 May 2013 10:31:16 -0700
>> >> From: Steve McMahon <steve a dcn.org>
>> >> To: plone_users <plone-users a lists.sourceforge.net>, Plone Developers
>> >> <plone-developers a lists.sourceforge.net>
>>
>> >>
>> >>
>> >>
>> >> PloneFormGen <http://plone.org/products/ploneformgen>, a widely used
>> >> response-form-creation add-on for the Plone Content Management System, has
>> >> been discovered to have a serious vulnerability that allows an anonymous
>> >> attacker to execute arbitrary code with the privileges of the system user
>> >> running the server.
>> >>
>> >> Installations of Plone that do not use the PloneFormGen add-on are not
>> >> affected by this vulnerability.
>> >>
>> >> The vulnerability is present in PloneFormGen versions 1.7.4 (2012-11-04)
>> >> through 1.7.8. Users of any of these versions should immediately upgrade to
>> >> Products.PloneFormGen version 1.7.11
>> >> <https://pypi.python.org/pypi/Products.PloneFormGen/1.7.11>. 1.7.11 has been
>> >> released today to the Plone and Python package repositories.
>> >>
>> >> Another serious vulnerability affects most earlier versions of
>> >> PloneFormGen. This vulnerability affects forms that have custom script
>> >> adapters, and allows an anonymous attacker to gain control over the handling
>> >> of data submitted through the form. This vulnerability is addressed in
>> >> version 1.7.9. Users of PloneFormGen in the 1.6 series, which runs on Plone
>> >> 3.x, 4.0 and 4.1 should upgrade to version 1.6.7
>> >> <https://pypi.python.org/pypi/Products.PloneFormGen/1.6.7>, also released
>> >> today.
>> >>
>> >> Help for installing the upgrade is available on the #plone IRC channel
>> >> <http://plone.org/support/chat> and forums
>> >> <https://plone.org/support/forums>. Upgrading an already installed package
>> >> requires you to specify the new version number in your buildout
>> >> configuration file
>> >> <https://weblion.psu.edu/trac/weblion/wiki/VersionPinning> and run
>> >> buildout.
>> >>
>> >> Thanks to The Code Distillery's security analysts for the responsible
>> >> disclosure of the vulnerabilities, and for their suggestions for addressing
>> >> the issues.
>> >>
>> >>
>> >>
>> >>
>> >> _______________________________________________
>> >> Plone-IT mailing list
>> >> Plone-IT a lists.plone.org
>> >> https://lists.plone.org/mailman/listinfo/plone-plone-it
>> >> http://plone-regional-forums.221720.n2.nabble.com/Plone-Italy-f221721.html
>> >
>> >
>> >
>> >
>> > --
>> > Vito Falco
>> > Webdeveloper & designer freelance, Plone enthusiast
>> > Bari, IT
>> > tel +39 3346330137 | skype vito80ba | twitter vito80ba
>> > Linkedin http://it.linkedin.com/in/vitof
>> >
>>
>>
>>
>> --
>> Saluti/Regards
>>
>> Luca Fabbri - RedTurtle Technology
>> E-mail: luca.fabbri a redturtle.it
>> Web Site: http://www.redturtle.it/
>> Phone: +39 0532 1915958
>> Fax: +39 0532 287070
>>
>>
>>
>>
>> --
>> Fabrizio
>> --------------------
>> Not sent from an iPhone
>>
>> "Life is what happens to you while you're busy making other plans" - J.
>> Lennon
>>
>> “If you think education is expensive, try ignorance” - D. Bok
>>
>> Life is like a game of cards. The hand you are dealt is determinism; the
>> way you play it is free will - Jawaharlal Nehru
>>
>>
>
>
--
Saluti/Regards
Luca Fabbri - RedTurtle Technology
E-mail: luca.fabbri a redturtle.it
Web Site: http://www.redturtle.it/
Phone: +39 0532 1915958
Fax: +39 0532 287070
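As an added illustration, not code from this thread or from PloneFormGen: a simplified Python model of the Zope 2 publishing rule that Yuri's excerpt relies on, under which a method is reachable from a URL only if it is callable, has a docstring, does not start with an underscore and is not declared private. `SecurityInfo` is a stand-in for Zope's ClassSecurityInfo (assumed, not the real class), and the two adapter classes are constructed to mirror the 1.7.0 and 1.7.11 excerpts; `exposed_methods` is the audit helper a maintainer would run over their own classes.

```python
import inspect

class SecurityInfo:
    """Stand-in (assumed, not Zope's) for AccessControl.ClassSecurityInfo."""

    def __init__(self):
        self.private = set()

    def declarePrivate(self, name):
        self.private.add(name)     # no role may call this attribute

def is_url_publishable(cls, name):
    """Simplified Zope 2 rule: a URL can reach a callable attribute only
    if it has a docstring, does not start with '_' and is not private."""
    attr = getattr(cls, name, None)
    if attr is None or not callable(attr) or name.startswith("_"):
        return False
    if not inspect.getdoc(attr):
        return False               # no docstring: the publisher refuses it
    security = getattr(cls, "security", None)
    if security is not None and name in security.private:
        return False               # declarePrivate: the request is denied
    return True

def exposed_methods(cls):
    """Audit helper: method names the rule would let a URL invoke."""
    return sorted(n for n in vars(cls) if is_url_publishable(cls, n))

class AdapterBefore:
    """Constructed to mirror the 1.7.0 excerpt: docstring, no declaration."""
    security = SecurityInfo()

    def onSuccess(self, fields, REQUEST=None, loopstop=False):
        """
        saves data.
        """

class AdapterAfter:
    """Constructed to mirror the 1.7.11 excerpt: private, docstring removed."""
    security = SecurityInfo()
    security.declarePrivate('onSuccess')

    def onSuccess(self, fields, REQUEST=None, loopstop=False):
        # """
        # saves data.
        # """
        pass
```

Running `exposed_methods` on the two classes returns `['onSuccess']` for the 1.7.0 shape and `[]` for the 1.7.11 shape, which is the difference Yuri is pointing at.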