It is a bit questionable that there was no advance notice. I understand it is not a HotFix, but it may have caused some inconvenience. After all, it is perhaps the most famous add-on product!
On Thu, May 30, 2013 at 8:59 AM, Vito Falco <[email protected]> wrote:
> Thanks!
>
> Vito
>
> 2013/5/30 Yuri <[email protected]>
>>
>> -------- Original message --------
>> Subject: [Plone-Users] Fwd: Vulnerability in PloneFormGen — Updated announcement
>> Date: Wed, 29 May 2013 10:31:16 -0700
>> From: Steve McMahon <[email protected]>
>> To: plone_users <[email protected]>, Plone Developers <[email protected]>
>>
>> PloneFormGen <http://plone.org/products/ploneformgen>, a widely used
>> response-form-creation add-on for the Plone Content Management System, has
>> been discovered to have a serious vulnerability that allows an anonymous
>> attacker to execute arbitrary code with the privileges of the system user
>> running the server.
>>
>> Installations of Plone that do not use the PloneFormGen add-on are not
>> affected by this vulnerability.
>>
>> The vulnerability is present in PloneFormGen versions 1.7.4 (2012-11-04)
>> through 1.7.8. Users of any of these versions should immediately upgrade to
>> Products.PloneFormGen version 1.7.11
>> <https://pypi.python.org/pypi/Products.PloneFormGen/1.7.11>. 1.7.11 has been
>> released today to the Plone and Python package repositories.
>>
>> Another serious vulnerability affects most earlier versions of
>> PloneFormGen. This vulnerability affects forms that have custom script
>> adapters, and allows an anonymous attacker to gain control over the handling
>> of data submitted through the form. This vulnerability is addressed in
>> version 1.7.9. Users of PloneFormGen in the 1.6 series, which runs on Plone
>> 3.x, 4.0 and 4.1, should upgrade to version 1.6.7
>> <https://pypi.python.org/pypi/Products.PloneFormGen/1.6.7>, also released
>> today.
>>
>> Help for installing the upgrade is available on the #plone IRC channel
>> <http://plone.org/support/chat> and forums
>> <https://plone.org/support/forums>. Upgrading an already installed package
>> requires you to specify the new version number in your buildout
>> configuration file
>> <https://weblion.psu.edu/trac/weblion/wiki/VersionPinning> and run
>> buildout.
>>
>> Thanks to The Code Distillery's security analysts for the responsible
>> disclosure of the vulnerabilities, and for their suggestions for addressing
>> the issues.
>>
>> _______________________________________________
>> Plone-IT mailing list
>> [email protected]
>> https://lists.plone.org/mailman/listinfo/plone-plone-it
>> http://plone-regional-forums.221720.n2.nabble.com/Plone-Italy-f221721.html
>
> --
> Vito Falco
> Webdeveloper & designer freelance, Plone enthusiast
> Bari, IT
> tel +39 3346330137 | skype vito80ba | twitter vito80ba
> Linkedin http://it.linkedin.com/in/vitof

--
Saluti/Regards
Luca Fabbri - RedTurtle Technology
E-mail: [email protected]
Web Site: http://www.redturtle.it/
Phone: +39 0532 1915958
Fax: +39 0532 287070
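As an added example, not part of this thread or of the PloneFormGen project: the announcement gives two affected ranges (1.7.4 through 1.7.8 for the code-execution issue, "most earlier versions" up to 1.7.9 for the script-adapter issue, with 1.6.7 as the fix for the 1.6 series) and says the upgrade is done by changing the pin in the buildout configuration. The script below reads the `Products.PloneFormGen` pin from a buildout file and maps it onto those ranges so an administrator can tell which advisory applies and what version to pin. The function names, the sample buildout text and the decision to send every non-1.6 version to 1.7.11 are assumptions; pre-release suffixes are deliberately rejected rather than guessed.

```python
"""Check the pinned Products.PloneFormGen version against the ranges named in
the announcement above. Added example; function names, the sample buildout text
and the handling of versions outside the ranges the announcement names are
assumptions, not part of the PloneFormGen project."""
import configparser
from typing import Dict, Optional, Tuple

# Ranges taken from the announcement (inclusive bounds).
RCE_FIRST, RCE_LAST = (1, 7, 4), (1, 7, 8)   # anonymous code execution
SCRIPT_ADAPTER_FIXED = (1, 7, 9)             # custom-script-adapter issue fixed here
SERIES_1_6_FIXED = (1, 6, 7)                 # fix for the 1.6 series (Plone 3.x/4.0/4.1)


def parse_version(version: str) -> Tuple[int, ...]:
    """'1.7.11' -> (1, 7, 11). Pre-release suffixes such as '1.7.9rc1' raise
    ValueError on purpose: such a pin needs a manual look, not a guess."""
    return tuple(int(part) for part in version.strip().split("."))


def assess(version: str) -> Dict[str, object]:
    """Return which of the two announced issues affect `version` and the
    upgrade target the announcement recommends (None when none is needed)."""
    v = parse_version(version)
    is_1_6_series = v[:2] == (1, 6)
    rce = RCE_FIRST <= v <= RCE_LAST
    if is_1_6_series:
        # 1.6 series: the script-adapter fix is in 1.6.7.
        script_adapter = v < SERIES_1_6_FIXED
    else:
        # "most earlier versions" are affected; fixed in 1.7.9.
        script_adapter = v < SCRIPT_ADAPTER_FIXED
    upgrade_to: Optional[str] = None
    if rce or script_adapter:
        # Assumption: anything that is not the 1.6 series goes to 1.7.11.
        upgrade_to = "1.6.7" if is_1_6_series else "1.7.11"
    return {
        "version": version,
        "remote_code_execution": rce,
        "script_adapter": script_adapter,
        "upgrade_to": upgrade_to,
    }


def pinned_version(buildout_text: str, package: str = "Products.PloneFormGen") -> Optional[str]:
    """Read the pin for `package` from the [versions] section of a buildout
    configuration. interpolation=None keeps ${buildout:...} references from
    tripping configparser; optionxform=str keeps the package name's case."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str
    cfg.read_string(buildout_text)
    if not cfg.has_section("versions"):
        return None
    return cfg.get("versions", package, fallback=None)


# Constructed sample buildout, not taken from any real site.
SAMPLE_BUILDOUT = """\
[buildout]
extends = versions.cfg
parts = instance

[versions]
Products.PloneFormGen = 1.7.5
"""


def check_buildout(buildout_text: str) -> Dict[str, object]:
    """Combine the two steps: find the pin, then assess it. A missing pin is
    reported rather than assumed safe, because the effective version may come
    from an extended versions.cfg that this function does not follow."""
    pin = pinned_version(buildout_text)
    if pin is None:
        return {"version": None, "note": "no explicit pin; check the extended versions.cfg"}
    return assess(pin)


if __name__ == "__main__":
    print(check_buildout(SAMPLE_BUILDOUT))
```

Run it against a site's buildout.cfg to get the pinned version and the matching upgrade target; a `note` instead of a version means the pin lives in a file reached through `extends`, which has to be inspected separately.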
