And let's hope it's the last one for this year...

2016-11-29 16:57 GMT+01:00 Yuri <y...@alfa.it>:
> https://plone.org/security/announcements/security-patch-released-20161129
>
> This hotfix fixes several security issues:
>
> - A user could copy a public folder containing a private document and be able to see the document in the copy.
>
> - An anonymous user could see some settings of the site by accessing widgets directly.
> This is for z3c.form widgets, which are widely used in Plone.
>
> - A comment on a private document would be partly visible in the live search.
> Access to the search result page would be denied if the results contained such a comment.
> This is for the plone.app.discussion commenting system introduced in Plone 4.1.
> See the required manual step below for further instructions.
>
> ==
>
> Extra fixes
> ===========
>
> - Related: a vulnerability in DTML was discovered that could allow Cross Site Scripting attacks (XSS).
> This vulnerability is *not* fixed by this hotfix, because this was not possible.
> An exploit is hard: an attacker would need to enter a character that cannot normally be entered on a keyboard.
> On Plone 4.1 and higher, you should use DocumentTemplate 2.13.3, which was released today.
> On Plone 4.0 and lower, DocumentTemplate was included in the Zope2 code, which will not get an updated release.
>
> - The Zope Security Team fixed an issue where quoting of an SQL string could fail.
> The ZSQLMethods product is available in all Plone sites, but no core code uses it.
> An exploit is hard: an attacker would need to enter a character that cannot normally be entered on a keyboard.
> On Plone 4.0 and higher, you should use Products.ZSQLMethods 2.13.5, which was released a few weeks ago.
> On Plone 3.3 and lower, Products.ZSQLMethods was included in the Zope2 code, which will not get an updated release.
--
*Vito Falco*
Designer & Front-end developer | Freelance
Bari, IT
Linkedin: it.linkedin.com/in/vitofalco
_______________________________________________
Plone-IT mailing list
plone...@lists.plone.org
https://lists.plone.org/mailman/listinfo/plone-plone-it
http://plone-regional-forums.221720.n2.nabble.com/Plone-Italy-f221721.html