Security patch released: 20160419 — Plone CMS

classic Classic list List threaded Threaded
1 message Options
Announce mailing list Announce mailing list
Reply | Threaded
Open this post in threaded view
|

Security patch released: 20160419 — Plone CMS


Security patch released: 20160419

CVE numbers not yet issued.

Versions Affected: All supported Plone versions (4.x, 5.x). Previous versions could be affected but have not been tested.

Versions Not Affected: None.

Nature of vulnerability: Patches multiple attack vectors.

The patch can be added to buildouts as Products.PloneHotfix20160419 (available from pypi.python.org) or downloaded from Plone.org

This patch is compatible with all supported Plone versions (i.e. Plone 4, Plone 5). It may work on earlier versions of Plone, but as these are officially unsupported they have not undergone the same level of testing with the patch.

Installation

Full installation instructions are available on the HotFix release page.

Extra Help

If you do not have in-house server administrators or a website maintenance service agreement, you can find consulting companies at plone.com/providers and plone.org/support/network .

There is also free support available online via the Plone IRC channel and the Plone community forum.

Thanks

The Plone Security Team is grateful to Giovanni Monteiro Calanzani and Glauter de Sousa Vilela, who reported the vulnerability.


Questions and Answers

What is involved in applying the patch?
Patches are made available as tarball-style archives that may be unpacked into the “products” folder of a buildout installation and as Python packages that may be installed by editing a buildout configuration file and running buildout. Patching is generally easy and quick to accomplish.

How were these vulnerabilities found?
The vulnerabilities were found by users submitting them to the security mailing list.

My site is highly visible and mission-critical. I hear the patch has already been developed. Can I get the fix before the release date?
Plone patches are always made available to all users at the same time. There are no exceptions.

How can I report other potential security vulnerabilities?
Please email the Plone Security Team at [hidden email] rather than publicly discussing potential security issues.

How can I apply the patch without affecting my users?
Even though this patch does NOT require you to run buildout, you can run buildout without affecting your users. You can restart a multi-client Plone install without affecting your users; see http://docs.plone.org/manage/deploying/processes.html  

How do I get help patching my site?
Plone service providers are listed at plone.com/providers and plone.org/support/network There is also free support available online via the Plone IRC channel and the Plone community forum.

Who is on the Plone Security Team and how is it funded?
The Plone Security Team is made up of volunteers who are experienced developers familiar with the Plone code base and with security exploits. The Plone Security Team is not funded; members and/or their employers have volunteered their time in the interests of the greater Plone community.

How can I help the Plone Security Team?
The Plone Security Team is looking for help from security-minded developers and testers. Volunteers must be known to the Security Team and have been part of the Plone community for some time. To help the Security Team financially, your donations are most welcome at http://plone.org/donate.

General questions about this announcement, Plone patching procedures, and availability of support may be addressed to the Plone support forums . If you have specific questions about this vulnerability or its handling, contact the [hidden email]directly.

To report potentially security-related issues, e-mail the Plone Security Team directly at [hidden email] rather than publicly discussing potential security issues. We are always happy to credit individuals and companies who make responsible disclosures.

The Plone Security Team is an all-volunteer team. If you'd like to help the team, as a developer, a tester, or as a financial sponsor, please email the team at [hidden email] and become a sponsor at plone.org/donate

Information for Vulnerability Database Maintainers

We have already applied for CVE numbers for these issues. Further information on individual vulnerabilities (including CVSS scores, CWE identifiers and summaries) is available at the full vulnerability list 


------------------------------------------------------------------------------
Find and fix application performance issues faster with Applications Manager
Applications Manager provides deep performance insights into multiple tiers of
your business applications. It resolves application problems quickly and
reduces your MTTR. Get your free trial!
https://ad.doubleclick.net/ddm/clk/302982198;130105516;z
_______________________________________________
Plone-Announce mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/plone-announce