IMPORTANT: Flaw in yesterday's security hotfix

The Plone security team is sorry to announce that a flaw in
PloneHotfix20121106, released on the 6th November 2012, has been found.

In some deployment configurations the allow_module patch is not
correctly applied, potentially compromising the security of
RestrictedPython.  See for
further information.  In addition, earlier versions of the hotfix
introduced too stringent a test on FTP access, causing it to become
unavailable to all users.

As such, we have released version 1.2 of this fix which contains an
updated patch for these issues.  It is available on the hotfix release
page here:

All users with either the 1.0 or 1.1 version of the hotfix installed
should upgrade as soon as possible.

We apologise for the inconvenience this has caused; we will be doing a
postmortem on this fix to further improve our security patch release
procedures in the coming weeks.

Alan Hoey
on behalf of the Plone security team

Plone-Announce mailing list