Thanks!
Vito
2013/5/30 Yuri <[email protected]>

> -------- Original message --------
> Subject: [Plone-Users] Fwd: Vulnerability in PloneFormGen — Updated announcement
> Date: Wed, 29 May 2013 10:31:16 -0700
> From: Steve McMahon <[email protected]>
> To: plone_users <plone-users@lists.sourceforge.net>, Plone Developers <plone-developers@lists.sourceforge.net>
>
> PloneFormGen <http://plone.org/products/ploneformgen>, a widely used response-form-creation add-on for the Plone Content Management System, has been discovered to have a serious vulnerability that allows an anonymous attacker to execute arbitrary code with the privileges of the system user running the server.
>
> Installations of Plone that do not use the PloneFormGen add-on are not affected by this vulnerability.
>
> The vulnerability is present in PloneFormGen versions 1.7.4 (2012-11-04) through 1.7.8. Users of any of these versions should immediately upgrade to Products.PloneFormGen version 1.7.11 <https://pypi.python.org/pypi/Products.PloneFormGen/1.7.11>. 1.7.11 has been released today to the Plone and Python package repositories.
>
> Another serious vulnerability affects most earlier versions of PloneFormGen. This vulnerability affects forms that have custom script adapters, and allows an anonymous attacker to gain control over the handling of data submitted through the form. This vulnerability is addressed in version 1.7.9. Users of PloneFormGen in the 1.6 series, which runs on Plone 3.x, 4.0 and 4.1, should upgrade to version 1.6.7 <https://pypi.python.org/pypi/Products.PloneFormGen/1.6.7>, also released today.
>
> Help for installing the upgrade is available on the #plone IRC channel <http://plone.org/support/chat> and forums <https://plone.org/support/forums>. Upgrading an already installed package requires you to specify the new version number in your buildout configuration file <https://weblion.psu.edu/trac/weblion/wiki/VersionPinning> and run buildout.
>
> Thanks to The Code Distillery's security analysts for the responsible disclosure of the vulnerabilities, and for their suggestions for addressing the issues.
>
> _______________________________________________
> Plone-IT mailing list
> [email protected]
> https://lists.plone.org/mailman/listinfo/plone-plone-it
> http://plone-regional-forums.221720.n2.nabble.com/Plone-Italy-f221721.html

--
Vito Falco
Web developer & designer freelance, Plone enthusiast
Bari, IT
tel +39 3346330137 | skype vito80ba | twitter vito80ba
Linkedin http://it.linkedin.com/in/vitof
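As an added illustration, not code from the announcement or from the PloneFormGen project, here is a small Python check that compares an installed Products.PloneFormGen version string against the figures the announcement gives: the 1.7.4 through 1.7.8 range for the code-execution issue, and the fixed releases 1.7.11 (1.7 series) and 1.6.7 (1.6 series). Reading the live version through importlib.metadata from inside the Plone instance's Python environment is an assumption; the check also accepts a version string directly, so it can be run against the pin in a buildout configuration file.

```python
# Added illustration; not code from the announcement or from the PloneFormGen project.
# Compares a Products.PloneFormGen version against the releases named in the
# 29 May 2013 announcement: code execution present in 1.7.4 through 1.7.8,
# fixed release 1.7.11 for the 1.7 series and 1.6.7 for the 1.6 series.
import re

# Fixed releases per series, exactly as named in the announcement.
FIXED_RELEASE = {
    (1, 7): (1, 7, 11),
    (1, 6): (1, 6, 7),
}
# Inclusive range the announcement gives for the arbitrary-code-execution issue.
RCE_RANGE = ((1, 7, 4), (1, 7, 8))


def parse_version(text):
    """Turn a version string such as '1.7.8' into a comparable tuple (1, 7, 8).

    A missing patch component counts as 0 and a trailing tag such as 'rc1'
    is ignored; anything else is rejected rather than silently compared.
    """
    match = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not match:
        raise ValueError("unrecognised version string: %r" % (text,))
    return tuple(int(part or 0) for part in match.groups())


def assess(version_text):
    """Classify a version against the announcement's figures.

    Returns a dict with:
      series_covered - True when the version is in the 1.6 or 1.7 series the
                       announcement speaks about
      below_fixed    - True when it is older than that series' fixed release
      in_rce_range   - True when it falls inside 1.7.4 .. 1.7.8
    """
    version = parse_version(version_text)
    series = version[:2]
    covered = series in FIXED_RELEASE
    return {
        "version": version,
        "series_covered": covered,
        "below_fixed": covered and version < FIXED_RELEASE[series],
        "in_rce_range": RCE_RANGE[0] <= version <= RCE_RANGE[1],
    }


def installed_version(distribution="Products.PloneFormGen"):
    """Read the installed version via importlib.metadata; None when unavailable.

    Assumption: this runs in the same Python environment as the Plone instance
    (for a buildout-based install, the instance's own interpreter).
    """
    try:
        from importlib import metadata
        return metadata.version(distribution)
    except Exception:  # not installed, or an interpreter without importlib.metadata
        return None


if __name__ == "__main__":
    # Constructed sample inputs covering each branch, plus the live environment.
    samples = ["1.7.3", "1.7.8", "1.7.10", "1.7.11", "1.6.5", "1.6.7", "2.0"]
    live = installed_version()
    if live is not None:
        samples.append(live)
    for text in samples:
        verdict = assess(text)
        if not verdict["series_covered"]:
            note = "series not covered by the announcement"
        elif verdict["below_fixed"]:
            note = "below fixed release"
            if verdict["in_rce_range"]:
                note += ", inside the 1.7.4 .. 1.7.8 range"
        else:
            note = "at or above fixed release"
        print("%-8s %s" % (text, note))
```

Anything reported as below the fixed release should be pinned to 1.7.11 (or 1.6.7 for the 1.6 series) in the buildout `[versions]` section and buildout re-run, as the announcement describes.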
