On Thu, May 30, 2013 at 11:25 AM, Yuri <[email protected]> wrote:
> On 30/05/2013 11:00, Fabrizio Rota wrote:
>
>> I have 1.7.0: it would seem to be free of the vulnerability. Should I trust that?
>
> From 1.7.0:
>
>     def onSuccess(self, fields, REQUEST=None, loopstop=False):
>         """
>         saves data.
>         """
>
> From 1.7.11:
>
>     security.declarePrivate('onSuccess')
>     def onSuccess(self, fields, REQUEST=None, loopstop=False):
>         # """
>         # saves data.
>         # """
>
> I'd say no :)
>

From your analysis it really looks like 1.7.0 is affected too... does anyone have official information about this?

>>
>> 2013/5/30 Luca Fabbri <[email protected]>
>>
>> It's a bit questionable that there was no advance warning. I understand it isn't a HotFix, but it may well have caused some inconvenience. After all, it is perhaps the best-known add-on product!
>>
>> On Thu, May 30, 2013 at 8:59 AM, Vito Falco <[email protected]> wrote:
>> > Thanks!
>> >
>> > Vito
>> >
>> > 2013/5/30 Yuri <[email protected]>
>> >>
>> >> -------- Original Message --------
>> >> Subject: [Plone-Users] Fwd: Vulnerability in PloneFormGen — Updated announcement
>> >> Date: Wed, 29 May 2013 10:31:16 -0700
>> >> From: Steve McMahon <[email protected]>
>> >> To: plone_users <[email protected]>, Plone Developers <[email protected]>
>> >>
>> >> PloneFormGen <http://plone.org/products/ploneformgen>, a widely used response-form-creation add-on for the Plone Content Management System, has been discovered to have a serious vulnerability that allows an anonymous attacker to execute arbitrary code with the privileges of the system user running the server.
>> >>
>> >> Installations of Plone that do not use the PloneFormGen add-on are not affected by this vulnerability.
>> >>
>> >> The vulnerability is present in PloneFormGen versions 1.7.4 (2012-11-04) through 1.7.8. Users of any of these versions should immediately upgrade to Products.PloneFormGen version 1.7.11 <https://pypi.python.org/pypi/Products.PloneFormGen/1.7.11>. 1.7.11 has been released today to the Plone and Python package repositories.
>> >>
>> >> Another serious vulnerability affects most earlier versions of PloneFormGen. This vulnerability affects forms that have custom script adapters, and allows an anonymous attacker to gain control over the handling of data submitted through the form. This vulnerability is addressed in version 1.7.9. Users of PloneFormGen in the 1.6 series, which runs on Plone 3.x, 4.0 and 4.1, should upgrade to version 1.6.7 <https://pypi.python.org/pypi/Products.PloneFormGen/1.6.7>, also released today.
>> >>
>> >> Help for installing the upgrade is available on the #plone IRC channel <http://plone.org/support/chat> and forums <https://plone.org/support/forums>. Upgrading an already installed package requires you to specify the new version number in your buildout configuration file <https://weblion.psu.edu/trac/weblion/wiki/VersionPinning> and run buildout.
>> >>
>> >> Thanks to The Code Distillery's security analysts for the responsible disclosure of the vulnerabilities, and for their suggestions for addressing the issues.
>> >>
>> >> _______________________________________________
>> >> Plone-IT mailing list
>> >> [email protected]
>> >> https://lists.plone.org/mailman/listinfo/plone-plone-it
>> >> http://plone-regional-forums.221720.n2.nabble.com/Plone-Italy-f221721.html
>> >
>> > --
>> > Vito Falco
>> > Freelance web developer & designer, Plone enthusiast
>> > Bari, IT
>> > tel +39 3346330137 | skype vito80ba | twitter vito80ba
>> > Linkedin http://it.linkedin.com/in/vitof
>>
>> --
>> Saluti/Regards
>>
>> Luca Fabbri - RedTurtle Technology
>> E-mail: [email protected]
>> Web Site: http://www.redturtle.it/
>> Phone: +39 0532 1915958
>> Fax: +39 0532 287070
>>
>> --
>> Fabrizio
>> --------------------
>> Not sent from an iPhone
>>
>> "Life is what happens to you while you're busy making other plans" - J. Lennon
>>
>> "If you think education is expensive, try ignorance" - D. Bok
>>
>> Life is like a game of cards. The hand you are dealt is determinism; the way you play it is free will - Jawaharlal Nehru

--
Saluti/Regards

Luca Fabbri - RedTurtle Technology
E-mail: [email protected]
Web Site: http://www.redturtle.it/
Phone: +39 0532 1915958
Fax: +39 0532 287070
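Added example, not code from this thread or from PloneFormGen: the two onSuccess excerpts Yuri quotes differ in exactly the two things that decide whether a Zope 2 method is reachable from the web. A docstring makes a method publishable through URL traversal, and a ClassSecurityInfo declaration (security.declarePrivate in the 1.7.11 excerpt) restricts who may call it. The script below uses Python's ast module to audit class bodies for methods that carry a docstring but are named in no declarePrivate/declareProtected call, which is the combination the 1.7.0 excerpt shows. The sample sources are constructed from the two quoted excerpts; the wrapping class name ExampleAdapter and the `pass` body are placeholders added so the fragments parse.

```python
import ast

# Constructed samples modelled on the two onSuccess excerpts quoted in the thread.
# ExampleAdapter is a placeholder class name and `pass` a placeholder body; both
# were added so that the fragments parse stand-alone.
SRC_1_7_0 = '''
class ExampleAdapter:
    security = ClassSecurityInfo()

    def onSuccess(self, fields, REQUEST=None, loopstop=False):
        """
        saves data.
        """
'''

SRC_1_7_11 = '''
class ExampleAdapter:
    security = ClassSecurityInfo()

    security.declarePrivate('onSuccess')
    def onSuccess(self, fields, REQUEST=None, loopstop=False):
        # """
        # saves data.
        # """
        pass
'''

# ClassSecurityInfo calls whose string arguments name the methods they cover,
# mapped to how many leading arguments to skip (declareProtected's first
# argument is the permission name, not a method name).
COVERING_DECLARATIONS = {"declarePrivate": 0, "declareProtected": 1}


def _declared_methods(cls):
    """Collect method names covered by a security.declare*() call in the class body."""
    declared = set()
    for stmt in cls.body:
        if not (isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call)):
            continue
        func = stmt.value.func
        if not (isinstance(func, ast.Attribute) and func.attr in COVERING_DECLARATIONS):
            continue
        skip = COVERING_DECLARATIONS[func.attr]
        for arg in stmt.value.args[skip:]:
            if isinstance(arg, ast.Constant) and isinstance(arg.value, str):
                declared.add(arg.value)
    return declared


def find_publishable_methods(source):
    """Return (class, method) pairs for methods that Zope 2 would publish
    (they carry a docstring) and that no security declaration restricts."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.ClassDef):
            continue
        declared = _declared_methods(node)
        for stmt in node.body:
            if (isinstance(stmt, ast.FunctionDef)
                    and ast.get_docstring(stmt) is not None
                    and stmt.name not in declared):
                findings.append((node.name, stmt.name))
    return findings


if __name__ == "__main__":
    for label, src in (("1.7.0", SRC_1_7_0), ("1.7.11", SRC_1_7_11)):
        print(label, find_publishable_methods(src) or "no undeclared publishable methods")
```

Run against the 1.7.0 sample the audit reports ExampleAdapter.onSuccess; against the 1.7.11 sample it reports nothing, because the docstring is gone and the method is declared private. Either change alone would already close the traversal path, which is why a check like this looks at both.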
