ufff
2013/6/5 Yuri <[email protected]>

> Security vulnerability announcement: 20130611 - Multiple vectors
> <http://feedproxy.google.com/%7Er/plonenews/%7E3/QplvNHXQ-Hc/20130611-announcement?utm_source=feedburner&utm_medium=email>
>
> Posted: 31 May 2013 03:26 AM PDT
>
> CVE numbers not yet issued.
>
> *Versions Affected:* All current Plone versions.
>
> *Versions Not Affected:* None.
>
> *This is a pre-announcement.* Due to the severity of some of these issues,
> we are providing an advance warning of an upcoming patch. The patch will be
> released on this page <http://plone.org/products/plone-hotfix/releases/20121106>
> at *2013-06-11 15:00 UTC*
> <http://www.timeanddate.com/worldclock/fixedtime.html?msg=Plone+security+patch+release&iso=20130611T15>.
>
> What You Should Do in Advance of Patch Availability
>
> Due to the nature of the vulnerability, the security team has decided to
> pre-announce that a fix is upcoming before disclosing the details. This is
> to ensure that concerned users can plan around the release. As the fix
> being published will make the details of the vulnerability public, we are
> recommending that all users plan a maintenance window for the 60 minutes
> following the announcement in which to install the fix.
>
> Meanwhile, we STRONGLY recommend that you take the following steps to
> protect your site:
>
> 1. Make sure that the Zope/Plone service is running with minimum
>    privileges. Ideally, the Zope and ZEO services should be able to
>    write only to log and data directories.
> 2. Use an intrusion detection system that monitors key system resources
>    for unauthorized changes.
> 3. Monitor your Zope, reverse-proxy request and system logs for unusual
>    activity.
>
> These are standard precautions that should be employed on any production
> system.
>
> Extra Help
>
> Should you not have in-house server administrators or a service agreement
> looking after your website, you can find consulting companies on plone.net
> <http://plone.net/>.
>
> There is also free support <../../../../support> available online via
> Plone mailing lists and the Plone IRC channels.
>
> *Q: When will the patch be made available?*
> A: The Plone Security Team will release the patch at 2013-06-11 15:00 UTC.
>
> *Q: What will be involved in applying the patch?*
> A: Patches are made available as tarball-style archives that may be
> unpacked into the products folder of a buildout installation and as Python
> packages that may be installed by editing a buildout configuration file and
> running buildout. Patching is generally easy and quick to accomplish.
>
> *Q: How were these vulnerabilities found?*
> A: The majority of issues were found as part of audits performed by the
> Plone Security team. A subset were reported by users. More details will be
> available upon release of the patch.
>
> *Q: My site is highly visible and mission-critical. I hear the patch has
> already been developed. Can I get the fix before the release date?*
> A: No. The patch will be made available to *all users at the same time*.
> There are no exceptions.
>
> *Q: If the patch has been developed already, why isn't it made available
> to the public now?*
> A: The Security Team is still testing the patch and running various
> scenarios thoroughly. The team is also making sure everybody has
> appropriate time to plan to patch their Plone installation(s). Some
> consultancy organizations have hundreds of sites to patch and need the
> extra time to coordinate their efforts with their clients.
>
> *Q: How does one exploit the vulnerability?*
> A: This information will not be made public until after the patch is made
> available.
>
> *General questions about this announcement*, Plone patching procedures,
> and availability of support may be addressed to the Plone support forums
> <../../../../support>. If you have *specific questions* about this
> vulnerability or its handling, contact the Plone Security Team
> <mailto:[email protected]>.
>
> *To report potentially security-related issues*, e-mail the Plone
> Security Team at [email protected]. We are always happy to credit
> individuals and companies who make responsible disclosures.
>
> Information for Vulnerability Database Maintainers
>
> We will issue individual advice on each issue, including CVSS2 and CWE
> identifiers when the patch is released. We currently do not have CVE
> numbers assigned, but are in the process of applying.
>
> _______________________________________________
> Plone-IT mailing list
> [email protected]
> https://lists.plone.org/mailman/listinfo/plone-plone-it
> http://plone-regional-forums.221720.n2.nabble.com/Plone-Italy-f221721.html
>

--
*Vito Falco*
Webdeveloper & designer freelance, Plone enthusiast
Bari, IT
tel +39 3346330137 | skype vito80ba | twitter vito80ba
Linkedin http://it.linkedin.com/in/vitof
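The first of the three interim precautions in the forwarded advisory (the Zope and ZEO services should be able to write only to their log and data directories) can be checked mechanically before the patch lands. What follows is an added example written for this page, not code from the advisory or from the Plone project: a POSIX shell audit that walks a buildout tree and lists every path the invoking user can write to outside an allowed set of directories. The buildout layout it assumes (var/log and var/filestorage as the allowed directories, bin/ and parts/ as read-only), the service account name in the comments, and the miniature tree the demo builds are all assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the Plone advisory or the Plone project.
# Audits a buildout tree for paths that the *invoking* user can write to
# outside an allowed set of directories. Run it as the service account so
# the -w tests reflect that account's permissions, for example
#   sudo -u plone sh audit_writable.sh /opt/plone/zeocluster --demo
# (account name and path are assumptions). Root passes every -w test, so
# running it as root simply reports the whole tree.

# audit_writable ROOT ALLOWED...
# Prints, relative to ROOT, every file or directory that is writable by the
# invoking user and is not inside one of the ALLOWED subdirectories
# (given relative to ROOT). Empty output means the tree is clean.
audit_writable() {
    root=$1
    shift
    find "$root" -mindepth 1 \( -type d -o -type f \) | while IFS= read -r path; do
        [ -w "$path" ] || continue
        rel=${path#"$root"/}
        allowed=0
        for a in "$@"; do
            case "$rel" in
                "$a"|"$a"/*) allowed=1 ;;
            esac
        done
        if [ "$allowed" -eq 0 ]; then
            printf '%s\n' "$rel"
        fi
    done
}

# make_demo_tree ROOT
# Builds a constructed miniature buildout layout for the demonstration:
# var/log and var/filestorage stay writable (allowed), bin/ and parts/ are
# made read-only, and one config file is deliberately left writable so the
# audit has a finding to report.
make_demo_tree() {
    root=$1
    mkdir -p "$root/var/log" "$root/var/filestorage" \
             "$root/parts/instance/etc" "$root/bin"
    : > "$root/var/log/instance.log"
    : > "$root/var/filestorage/Data.fs"
    : > "$root/bin/instance"
    : > "$root/parts/instance/etc/zope.conf"
    chmod 444 "$root/bin/instance"
    chmod 644 "$root/parts/instance/etc/zope.conf"   # the deliberate finding
    chmod 555 "$root/parts/instance/etc" "$root/parts/instance" \
              "$root/parts" "$root/bin"
}

# remove_demo_tree ROOT
# Restores the write bits on the read-only directories so the tree can be deleted.
remove_demo_tree() {
    chmod -R u+w "$1" && rm -rf "$1"
}

# demo: build the sample tree, run the audit against it, print the
# findings, and clean up. Expected finding (as a non-root user):
# parts/instance/etc/zope.conf; nothing under var/ is ever reported.
demo() {
    root=$(mktemp -d)
    make_demo_tree "$root"
    printf 'Writable outside var/log and var/filestorage:\n'
    audit_writable "$root" var/log var/filestorage
    remove_demo_tree "$root"
}

# Run the demonstration only when asked, so the file can also be sourced.
if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

For a real installation, point `audit_writable` at the buildout root with `var/log` and `var/filestorage` (or whatever your `zope.conf` and `zeo.conf` name as log and storage locations) as the allowed list; any line of output is a path the service account could modify, and `bin/` and `parts/` are the usual places where a writable file matters most. The check complements, rather than replaces, confirming the account the process actually runs under, which `ps -o user= -p PID` reports for the PID in the instance's pid file.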
