Hotfix Announcement

JonStahl

Hotfix Announcement

(apologies for cross-posting, forwarded from plone-announce, which is
the primary channel for these and other urgent announcements. --jon)

Last week, the Plone security team announced the discovery of a series
of security issues affecting all recent versions of Plone, as well as
the planned release of a Hotfix to address these issues, to be made today,
Tuesday 6th November at 1500 UTC.

The Plone security team is announcing that this security hotfix is now
available for download. For full instructions on how to get and install
the Hotfix, go here:
http://plone.org/products/plone-hotfix/releases/20121106

To find out more about the details of the issue, answers to common
questions and which versions of Zope and Plone are affected, please
see:
http://plone.org/products/plone/security/advisories/20121106-announcement

Assistance in installing this hotfix is available free of charge via
IRC in #plone. If you don't have in-house server administrators
or a service agreement supporting your website, you can find
consultancy companies under the providers section of Plone.org -
http://plone.org/support/network

On behalf of the Plone security team,

Matthew Wilkes

------------------------------------------------------------------------------
LogMeIn Central: Instant, anywhere, Remote PC access and management.
Stay in control, update software, and manage PCs from one command center
Diagnose problems and improve visibility into emerging IT issues
Automate, monitor and manage. Do more in less time with Central
http://p.sf.net/sfu/logmein12331_d2d
_______________________________________________
Plone-developers mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/plone-developers
Wichert Akkerman

Re: Hotfix Announcement

On Nov 6, 2012, at 17:49 , Jon Stahl <[hidden email]> wrote:
> The Plone security team is announcing that this security hotfix is now
> available for download. For full instructions on how to get and install
> the Hotfix, go here:
> http://plone.org/products/plone-hotfix/releases/20121106

Is there any summary of what that hotfix fixes? Looking at it, it appears to be a mixed collection of a number of very different changes, such as adding extra manual security checks, blocking specific hardcoded names in PythonScript, changing a random string generator and a bunch of other things. It would be nice if someone from the security team could summarise the changes (and add that to the information on plone.org) instead of the current "24 separate vulnerabilities" statement.

Wichert.
Wichert Akkerman

Re: Hotfix Announcement

In reply to this post by JonStahl
Shouldn't this be sent to zope-cmf and zope-dev as well? A fair number of the changes in this hotfix are in Zope2 and CMF instead of Plone.


Ruslan Mahmatkhanov

Re: Hotfix Announcement

In reply to this post by Wichert Akkerman
Wichert Akkerman wrote on 07.11.2012 13:09:
> On Nov 6, 2012, at 17:49 , Jon Stahl <[hidden email]> wrote:
>> The Plone security team is announcing that this security hotfix is now
>> available for download. For full instructions on how to get and install
>> the Hotfix, go here:
>> http://plone.org/products/plone-hotfix/releases/20121106
>
> Is there any summary of what that hotfix fixes? Looking at it, it appears to be a mixed collection of a number of very different changes, such as adding extra manual security checks, blocking specific hardcoded names in PythonScript, changing a random string generator and a bunch of other things. It would be nice if someone from the security team could summarise the changes (and add that to the information on plone.org) instead of the current "24 separate vulnerabilities" statement.

http://plone.org/products/plone/security/advisories/20121106

In my turn, I'm curious when updated packages will be available. All of
this monkey-patching isn't convenient for packagers.

--
Regards,
Ruslan

Tinderboxing kills... the drives.

Wichert Akkerman

Re: Hotfix Announcement


On Nov 7, 2012, at 10:27 , Ruslan Mahmatkhanov <[hidden email]> wrote:

> Wichert Akkerman wrote on 07.11.2012 13:09:
>> On Nov 6, 2012, at 17:49 , Jon Stahl <[hidden email]> wrote:
>>> The Plone security team is announcing that this security hotfix is now
>>> available for download. For full instructions on how to get and install
>>> the Hotfix, go here:
>>> http://plone.org/products/plone-hotfix/releases/20121106
>>
>> Is there any summary of what that hotfix fixes? Looking at it, it appears to be a mixed collection of a number of very different changes, such as adding extra manual security checks, blocking specific hardcoded names in PythonScript, changing a random string generator and a bunch of other things. It would be nice if someone from the security team could summarise the changes (and add that to the information on plone.org) instead of the current "24 separate vulnerabilities" statement.
>
> http://plone.org/products/plone/security/advisories/20121106

Heh, funny. It seems I clicked on the other URL in the announcement (http://plone.org/products/plone/security/advisories/20121106-announcement ) and from there it is not possible to get to http://plone.org/products/plone/security/advisories/20121106 by clicking around.

Wichert.
Matthew Wilkes

Re: Hotfix Announcement



Wichert Akkerman wrote:
> Heh, funny. It seems I clicked on the other URL in the announcement (http://plone.org/products/plone/security/advisories/20121106-announcement ) and from there it is not possible to get to http://plone.org/products/plone/security/advisories/20121106 by clicking around.

You didn't try all the links. It's in here:

"Further information on individual vulnerabilities (including CVSS
scores, CWE identifiers and summaries) is available at the full
vulnerability list"

Matt

Marcio Mazza

Re: Hotfix Announcement

I also did not see it until this mention.

Maybe the section "Information for Vulnerability Database Maintainers"
would be better before Q&A.

On Wed, Nov 7, 2012 at 8:37 AM, Matthew Wilkes <[hidden email]> wrote:

> Wichert Akkerman wrote:
>> Heh, funny. It seems I clicked on the other URL in the announcement (http://plone.org/products/plone/security/advisories/20121106-announcement ) and from there it is not possible to get to http://plone.org/products/plone/security/advisories/20121106 by clicking around.
>
> You didn't try all the links. It's in here:
>
> "Further information on individual vulnerabilities (including CVSS
> scores, CWE identifiers and summaries) is available at the full
> vulnerability list"
>
> Matt
>
Steven Hayles

Character encoding issue with Hotfix on Plone 3.3.6


After applying the hotfix, I found a page that gave a UnicodeDecodeError.

I tracked it down to an image alt tag containing a numeric HTML entity and
a unicode copyright symbol (\xa9). For example

&#42;©

The alt tag is easily modified to get around the problem, but it ought to
work as it is.

The tail end of the stack trace looks like this

   Module Products.PortalTransforms.transforms.safe_html, line 201, in scrubHTML
   Module sgmllib, line 95, in feed
   Module sgmllib, line 129, in goahead
   Module sgmllib, line 283, in parse_starttag
   Module sgmllib, line 314, in finish_starttag
   Module Products.PortalTransforms.transforms.safe_html, line 145, in unknown_starttag
   Module Products.PortalTransforms.transforms.safe_html, line 59, in hasScript
   Module Products.PloneHotfix20121106.safe_html, line 43, in decode_htmlentities
UnicodeDecodeError: 'ascii' codec can't decode byte 0xc2 in position 0: ordinal not in range(128)

Steven

Steven Hayles - Senior Solution Developer (Web Applications),
Multimedia Services, Division of Corporate Affairs and Planning
University of Leicester, Prospect House, 94 Regent Rd, Leicester, LE1 7DA
Tel +44 (0)116 229 7950

Elite Without Being Elitist
Times Higher Awards Winner 2007, 2008, 2009, 2010, 2011
Follow us on Twitter http://twitter.com/uniofleicester
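The failure Steven reports above, reproduced in Python 3 and contrasted with a decoder that tolerates non-ASCII input. This is an added example, not code from the hotfix or from Products.PortalTransforms: decode_htmlentities_naive is an assumed model of what the traceback shows (the real decode_htmlentities is not reproduced here), the hardened decode_htmlentities assumes the site encoding is UTF-8, has_script is a simplified stand-in for the hasScript check, and SAMPLE_ALT_BYTES is a constructed input built from the alt text in the report.

```python
import html
import re

# Constructed sample: the UTF-8 bytes of an alt attribute holding a numeric
# entity followed by the copyright sign U+00A9 (bytes C2 A9), as in the report.
SAMPLE_ALT_BYTES = b"&#42;\xc2\xa9"


def decode_htmlentities_naive(value):
    """Assumed model of the failure mode in the traceback (not the hotfix's
    own code): the input is treated as ASCII text before entities are
    decoded, so the first non-ASCII byte raises UnicodeDecodeError."""
    text = value.decode("ascii") if isinstance(value, bytes) else value
    return html.unescape(text)


def decode_htmlentities(value, encoding="utf-8"):
    """Hardened variant: bytes are decoded with the site's encoding first,
    replacing undecodable bytes instead of raising, so unusual content
    cannot turn the HTML sanitizer itself into a server error."""
    if isinstance(value, bytes):
        value = value.decode(encoding, errors="replace")
    return html.unescape(value)


def naive_error(value):
    """Return the UnicodeDecodeError message the naive decoder produces for
    `value`, or None when it decodes cleanly."""
    try:
        decode_htmlentities_naive(value)
    except UnicodeDecodeError as exc:
        return str(exc)
    return None


def has_script(attr_value):
    """Simplified stand-in for a hasScript-style check: entities are decoded
    before looking for a script URL scheme, so an entity-encoded scheme is
    judged the same way as a plain one. Whitespace and control characters
    that browsers ignore inside the scheme are removed before matching."""
    decoded = decode_htmlentities(attr_value)
    compact = re.sub(r"[\x00-\x20]+", "", decoded)
    return re.match(r"(?i)^(javascript|vbscript):", compact) is not None


if __name__ == "__main__":
    print("naive decoder:", naive_error(SAMPLE_ALT_BYTES))
    print("hardened decoder:", repr(decode_htmlentities(SAMPLE_ALT_BYTES)))
    print("script check on sample:", has_script(SAMPLE_ALT_BYTES))
```

The position reported by the naive decoder differs from the one in Steven's trace only because the whole attribute value is decoded here rather than the tail after the entity; the codec and the offending byte (0xc2, the first byte of the UTF-8 copyright sign) are the same.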
hvelarde

Re: Hotfix Announcement

In reply to this post by Matthew Wilkes
On 07/11/12 08:37, Matthew Wilkes wrote:
> "Further information on individual vulnerabilities (including CVSS
> scores, CWE identifiers and summaries) is available at the full
> vulnerability list"

just curious about this vulnerability still listed as not fixed:
https://secunia.com/advisories/47406/

any comment?


Domen Kožar

Re: Hotfix Announcement

It's a very general description of the problem, but it sounds like a Python issue. http://bugs.python.org/issue14621

In any case, there are thousands of ways to DoS your server.


On Wed, Nov 7, 2012 at 3:09 PM, Héctor Velarde <[hidden email]> wrote:
> On 07/11/12 08:37, Matthew Wilkes wrote:
>> "Further information on individual vulnerabilities (including CVSS
>> scores, CWE identifiers and summaries) is available at the full
>> vulnerability list"
>
> just curious about this vulnerability still listed as not fixed: https://secunia.com/advisories/47406/
>
> any comment?


Malthe Borch-2

Re: Hotfix Announcement

On 7 November 2012 15:16, Domen Kožar <[hidden email]> wrote:
> It's a very general description of the problem, but it sounds like a Python
> issue. http://bugs.python.org/issue14621
>
> In any case, there are thousands of ways to DoS your server.

In the case of Plone, just click reload a couple of times.

\malthe

Luca Fabbri

Re: Character encoding issue with Hotfix on Plone 3.3.6

In reply to this post by Steven Hayles
On Wed, Nov 7, 2012 at 2:08 PM, Steven Hayles <[hidden email]> wrote:

>
> After applying the hotfix, I found a page that gave a UnicodeDecodeError.
>
> I tracked it down to an image alt tag containing a numeric HTML entity and a
> unicode copyright symbol (\xa9). For example
>
> &#42;©
>
> The alt tag is easily modified to get around the problem, but it ought to
> work as it is.

Just to know: what version of the Hotfix are you using?


--
-- luca

twitter: http://twitter.com/keul
linkedin: http://linkedin.com/in/lucafbb
blog: http://blog.keul.it/

David Glick (Plone)

Re: Hotfix Announcement

In reply to this post by Domen Kožar
Yes. We should update plone.recipe.zope2instance to set the environment variable that turns on hash randomization, but this vulnerability and info on how to fix it have been public from Python sources for a long time, so the security team's focus was first on the Zope/Plone specific issues.
David

On 11/7/12 6:16 AM, Domen Kožar wrote:
> It's a very general description of the problem, but it sounds like a Python issue. http://bugs.python.org/issue14621
>
> In any case, there are thousands of ways to DoS your server.


On Wed, Nov 7, 2012 at 3:09 PM, Héctor Velarde <[hidden email]> wrote:
On 07/11/12 08:37, Matthew Wilkes wrote:
"Further information on individual vulnerabilities (including CVSS
scores, CWE identifiers and summaries) is available at the full
vulnerability list"

just curious about this vulnerability still listed as not fixed: https://secunia.com/advisories/47406/

any comment?


------------------------------------------------------------------------------
LogMeIn Central: Instant, anywhere, Remote PC access and management.
Stay in control, update software, and manage PCs from one command center
Diagnose problems and improve visibility into emerging IT issues
Automate, monitor and manage. Do more in less time with Central
http://p.sf.net/sfu/logmein12331_d2d
_______________________________________________
Plone-developers mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/plone-developers




------------------------------------------------------------------------------
LogMeIn Central: Instant, anywhere, Remote PC access and management.
Stay in control, update software, and manage PCs from one command center
Diagnose problems and improve visibility into emerging IT issues
Automate, monitor and manage. Do more in less time with Central
http://p.sf.net/sfu/logmein12331_d2d


_______________________________________________
Plone-developers mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/plone-developers


------------------------------------------------------------------------------
LogMeIn Central: Instant, anywhere, Remote PC access and management.
Stay in control, update software, and manage PCs from one command center
Diagnose problems and improve visibility into emerging IT issues
Automate, monitor and manage. Do more in less time with Central
http://p.sf.net/sfu/logmein12331_d2d
_______________________________________________
Plone-developers mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/plone-developers
Steve McMahon

Re: Hotfix Announcement

Our installers have been carrying the updated Pythons and setting the PYTHONHASHSEED environment variable since 4.1.5 and 4.2rc1.




On Wed, Nov 7, 2012 at 10:20 AM, David Glick (Plone) <[hidden email]> wrote:
> Yes. We should update plone.recipe.zope2instance to set the environment variable that turns on hash randomization, but this vulnerability and info on how to fix it have been public from Python sources for a long time, so the security team's focus was first on the Zope/Plone specific issues.
> David

Domen Kožar

Re: Hotfix Announcement

If you open the issue I posted above (http://bugs.python.org/issue14621) you will see that mostly doesn't help.


On Wed, Nov 7, 2012 at 7:44 PM, Steve McMahon <[hidden email]> wrote:
> Our installers have been carrying the updated Pythons and setting the PYTHONHASHSEED environment variable since 4.1.5 and 4.2rc1.

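A check for the setting David and Steve discuss above, added here as an example; it is not part of the Plone installers or of plone.recipe.zope2instance, and the helper names and the probe string are my own. It starts two child interpreters with a chosen PYTHONHASHSEED and reports whether they hash the same string differently, which is what per-process hash randomization should produce; a fixed seed makes every process agree, which is the predictable state that a hash-collision denial of service depends on. It verifies only that the interpreter setting is in effect: as Domen notes, the linked Python issue argues that the seed alone mostly does not help. On Python 2.7, the interpreter the thread is about, randomization has to be switched on with -R or PYTHONHASHSEED=random; Python 3.3 and later enable it by default. The example itself needs Python 3.7 or later.

```python
import os
import subprocess
import sys

# Constructed probe: the string each child interpreter hashes.
PROBE_KEY = "plone-hotfix-probe"


def child_hash(extra_env):
    """Start a fresh interpreter with `extra_env` layered over the current
    environment and return the integer hash(PROBE_KEY) that it prints."""
    env = dict(os.environ)
    env.update(extra_env)
    out = subprocess.run(
        [sys.executable, "-c", "import sys; print(hash(sys.argv[1]))", PROBE_KEY],
        env=env, capture_output=True, text=True, check=True,
    )
    return int(out.stdout.strip())


def hash_randomization_active(extra_env=None):
    """True when two separately started interpreters disagree on
    hash(PROBE_KEY). With PYTHONHASHSEED=random every process picks its own
    seed, so the values differ; with PYTHONHASHSEED=0 (off) or a fixed
    integer, every process computes the same hash and this returns False."""
    extra_env = extra_env or {}
    return child_hash(extra_env) != child_hash(extra_env)


def interpreter_flag():
    """Cheaper self-check for the running process: sys.flags.hash_randomization
    is 1 when randomization is enabled and 0 when PYTHONHASHSEED=0 disabled it."""
    return sys.flags.hash_randomization


if __name__ == "__main__":
    print("this interpreter, hash_randomization flag:", interpreter_flag())
    print("children with PYTHONHASHSEED=random differ:",
          hash_randomization_active({"PYTHONHASHSEED": "random"}))
    print("children with PYTHONHASHSEED=0 differ:",
          hash_randomization_active({"PYTHONHASHSEED": "0"}))
```

The override passed in `extra_env` replaces any PYTHONHASHSEED inherited from the parent, so the check gives the same answer whether or not the shell that launches it has the variable set; to audit a deployed instance, run the same probe with the environment the instance start script actually exports.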
Steve McMahon

Re: Hotfix Announcement

On Wed, Nov 7, 2012 at 10:54 AM, Domen Kožar <[hidden email]> wrote:
> If you open the issue I posted above (http://bugs.python.org/issue14621) you will see that mostly doesn't help.

Wow. A fascinating discussion.

Your larger point is still valid, though: there are much easier ways to DOS any CMS.

 


On Wed, Nov 7, 2012 at 7:44 PM, Steve McMahon <[hidden email]> wrote:
Our installers have been carrying the updated Pythons and setting the PYTHONHASHSEED environment variable since 4.1.5 and 4.2rc1.




On Wed, Nov 7, 2012 at 10:20 AM, David Glick (Plone) <[hidden email]> wrote:
Yes. We should update plone.recipe.zope2instance to set the environment variable that turns on hash randomization, but this vulnerability and info on how to fix it have been public from Python sources for a long time, so the security team's focus was first on the Zope/Plone specific issues.
David


On 11/7/12 6:16 AM, Domen Kožar wrote:
It's a very general description of the problem, but sounds like Python issue. http://bugs.python.org/issue14621

In any case, there are thousand of ways to DoS your server.


On Wed, Nov 7, 2012 at 3:09 PM, Héctor Velarde <[hidden email]> wrote:
On 07/11/12 08:37, Matthew Wilkes wrote:
"Further information on individual vulnerabilities (including CVSS
scores, CWE identifiers and summaries) is available at the full
vulnerability list"

just curious about this vulnerability still listed as not fixed: https://secunia.com/advisories/47406/

any comment?


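The posts above say the installers set PYTHONHASHSEED and that plone.recipe.zope2instance should do the same. The following is an added example (not Plone's or the installers' code) of verifying that the mitigation is really in effect: it launches the interpreter several times with a given PYTHONHASHSEED and checks both the interpreter flag and whether str hashes change between launches. The function names are my own.

```python
"""Check that Python's hash randomization is actually in effect.

Added example, not Plone's or the installers' code. Hash-collision DoS
relies on str hashes being predictable across processes; randomization
(PYTHONHASHSEED=random, or the -R flag) breaks that predictability.
"""
import os
import subprocess
import sys


def child_hash(value, seed_env):
    """Launch a fresh interpreter with PYTHONHASHSEED set to seed_env (or
    unset when None) and return (hash(value), sys.flags.hash_randomization)."""
    env = dict(os.environ)
    env.pop("PYTHONHASHSEED", None)
    if seed_env is not None:
        env["PYTHONHASHSEED"] = seed_env
    code = "import sys; print(hash(%r), sys.flags.hash_randomization)" % value
    out = subprocess.run(
        [sys.executable, "-c", code],
        env=env, capture_output=True, text=True, check=True,
    ).stdout.split()
    return int(out[0]), int(out[1])


def randomization_effective(seed_env="random", value="plone", runs=4):
    """True only if every launch reports the flag on AND the hashes differ
    between launches. A fixed seed such as "0" fails both tests: the flag is
    off and the hash is identical on every launch, which is exactly the
    predictability a collision attack depends on."""
    results = [child_hash(value, seed_env) for _ in range(runs)]
    flag_on = all(flag == 1 for _, flag in results)
    hashes = {h for h, _ in results}
    return flag_on and len(hashes) > 1


if __name__ == "__main__":
    print("PYTHONHASHSEED=random:", randomization_effective("random"))
    print("PYTHONHASHSEED=0:     ", randomization_effective("0"))
```

Run it against the interpreter a Zope instance actually uses (the one on sys.executable here) to confirm the environment the instance script exports reaches the child process.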
Maurits van Rees

Re: Hotfix Announcement

In reply to this post by Wichert Akkerman
Is there anything that add-on developers should learn from this hotfix?
Any action they should take to check their own code?

In other news, today I noticed that a technical customer had updated his
own site with this hotfix.  It was a Grok site...  No Plone in sight,
except for a plone.recipe.distros egg.  There was an error, but that
seems to have been due to a failing connection to a database, which
seems unrelated.  When I tried it locally just for laughs everything was
fine, because the egg was available but not used at all.  Sigh. :-)


--
Maurits van Rees: http://maurits.vanrees.org/
Zest Software: http://zestsoftware.nl


Steven Hayles

Re: Character encoding issue with Hotfix on Plone 3.3.6

In reply to this post by Luca Fabbri

Hi Luca

I was using 1.0, but 1.2 behaves the same.

I can get decode_htmlentities to work by converting to Unicode at the
start

s = s.decode("utf-8")

But shouldn't all of the HTML processing be performed in Unicode? If so
this isn't the right place to perform the decode.

Steven

Steven Hayles - Senior Solution Developer (Web Applications),
Multimedia Services, Division of Corporate Affairs and Planning
University of Leicester, Prospect House, 94 Regent Rd, Leicester, LE1 7DA
Tel +44 (0)116 229 7950

Elite Without Being Elitist
Times Higher Awards Winner 2007, 2008, 2009, 2010, 2011
Follow us on Twitter http://twitter.com/uniofleicester

On Wed, 7 Nov 2012, Luca Fabbri wrote:

> On Wed, Nov 7, 2012 at 2:08 PM, Steven Hayles <[hidden email]> wrote:
>>
>> After applying the hotfix, I found a page that gave a UnicodeDecodeError.
>>
>> I tracked it down to an image alt tag containing a numeric HTML entity and a
>> unicode copyright symbol (\xa9). For example
>>
>> &#42;©
>>
>> The alt tag is easily modified to get around the problem, but it ought to
>> work as it is.
>>
>> The tail end of the stack trace looks like this
>>
>>   Module Products.PortalTransforms.transforms.safe_html, line 201, in
>> scrubHTML
>>   Module sgmllib, line 95, in feed
>>   Module sgmllib, line 129, in goahead
>>   Module sgmllib, line 283, in parse_starttag
>>   Module sgmllib, line 314, in finish_starttag
>>   Module Products.PortalTransforms.transforms.safe_html, line 145, in
>> unknown_starttag
>>   Module Products.PortalTransforms.transforms.safe_html, line 59, in
>> hasScript
>>   Module Products.PloneHotfix20121106.safe_html, line 43, in
>> decode_htmlentities
>> UnicodeDecodeError: 'ascii' codec can't decode byte 0xc2 in position 0:
>> ordinal not in range(128)
>>
>
> Just for know: what version of the Hotfix you are using?
>
>
> --
> -- luca
>
> twitter: http://twitter.com/keul
> linkedin: http://linkedin.com/in/lucafbb
> blog: http://blog.keul.it/
>
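Steven's point above is that the decode belongs at the boundary, with all HTML processing done in Unicode. The following is an added example (not the hotfix's or PortalTransforms' code) of that approach in Python 3: the names decode_htmlentities and hasScript come from the traceback in the thread; to_text, has_script and SAMPLE_ALT are my own, and the sample input is constructed to mirror the alt text Steven reported.

```python
"""Entity decoding done in Unicode, the approach Steven suggests above.

Added example, not the hotfix's own code. The traceback in the thread shows
decode_htmlentities failing on a byte string that mixes a numeric entity
(&#42;) with UTF-8 bytes (C2 A9, the copyright sign): handling bytes as text
triggers an implicit ASCII decode. Decoding to str once, at the boundary,
and doing all entity and script checks on str avoids that.
"""
import html
import re

# Constructed sample modelled on the alt text reported in the thread:
# a numeric entity followed by a UTF-8 encoded copyright sign.
SAMPLE_ALT = b"&#42;\xc2\xa9"


def to_text(value, encoding="utf-8"):
    """Normalize bytes or str to str. Undecodable bytes become U+FFFD instead
    of raising, so one bad byte in an attribute cannot fail the whole page."""
    if isinstance(value, bytes):
        return value.decode(encoding, errors="replace")
    return value


def decode_htmlentities(value):
    """Decode numeric (&#42;, &#x2a;) and named (&copy;) entities.
    Accepts bytes, as a Python 2 sgmllib parser would hand over, or str;
    always returns str."""
    return html.unescape(to_text(value))


def has_script(value):
    """hasScript-style check: decode entities first so an entity-encoded
    attribute is judged on the text a browser would see, then drop the
    whitespace and control characters browsers ignore inside a URI scheme."""
    text = decode_htmlentities(value).lower()
    compact = re.sub(r"[\s\x00-\x1f]+", "", text)
    return any(m in compact for m in ("javascript:", "vbscript:", "<script"))
```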