Your message dated Tue, 23 Feb 2010 21:49:07 +0000 (WET) with message-id <20100223214907.5a10d2...@kmos.homeip.net> and subject line "Package zope-cmfplone has been removed from Debian" has caused the Debian Bug report #486333, regarding "plone3: CVE-2008-139[3-6], CVE-2008-0164 multiple vulnerabilities", to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
486333: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=486333
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: plone3
Version: 3.0.6-1
Severity: grave
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were published for plone3.

CVE-2008-1396[0]:
| Plone CMS 3.x uses invariant data (a client username and a server
| secret) when calculating an HMAC-SHA1 value for an authentication
| cookie, which makes it easier for remote attackers to gain permanent
| access to an account by sniffing the network.

CVE-2008-1395[1]:
| Plone CMS does not record users' authentication states, and implements
| the logout feature solely on the client side, which makes it easier
| for context-dependent attackers to reuse a logged-out session.

CVE-2008-1394[2]:
| Plone CMS before 3 places a base64 encoded form of the username and
| password in the __ac cookie for all user accounts, which makes it
| easier for remote attackers to obtain access by sniffing the network.

CVE-2008-1393[3]:
| Plone CMS 3.0.5, and probably other 3.x versions, places a base64
| encoded form of the username and password in the __ac cookie for the
| admin account, which makes it easier for remote attackers to obtain
| administrative privileges by sniffing the network.

If you fix the vulnerabilities please also make sure to include the CVE ids in your changelog entry.

Can you please check if those affect Debian? I did not find any statement regarding a fixed version by the upstream, did not see any patches, no installation to try it out and the advisory doesn't reference any code.

For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1396
    http://security-tracker.debian.net/tracker/CVE-2008-1396
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1395
    http://security-tracker.debian.net/tracker/CVE-2008-1395
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1394
    http://security-tracker.debian.net/tracker/CVE-2008-1394
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1393
    http://security-tracker.debian.net/tracker/CVE-2008-1393

--
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
--- End Message ---
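The design flaw behind CVE-2008-1396 and CVE-2008-1395, modelled in an added example that is not Plone's code and not part of the bug report: a cookie whose HMAC-SHA1 covers only invariant inputs (username and server secret) is identical on every login and never expires, while a cookie that signs the issue time and is checked against a server-side revocation record can be expired and invalidated on logout. The secret, the cookie layout and the function names are assumptions for illustration, not Plone's actual format.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Constructed sample secret; a real deployment loads this from configuration.
SERVER_SECRET = b"constructed-server-secret"

# Server-side record of logged-out tokens, the state CVE-2008-1395 says Plone lacked.
REVOKED = set()


def invariant_token(username: str, secret: bytes = SERVER_SECRET) -> str:
    """Cookie built only from invariant inputs, as CVE-2008-1396 describes.

    Neither input changes between logins, so the HMAC is the same on every
    login and remains valid until the server secret itself is rotated.
    """
    mac = hmac.new(secret, username.encode(), hashlib.sha1).hexdigest()
    return base64.b64encode(f"{username}:{mac}".encode()).decode()


def timed_token(username: str, issued_at: int, secret: bytes = SERVER_SECRET) -> str:
    """Hardened form: the issue time is part of the signed message, so each
    login yields a different cookie and the server can enforce an expiry.
    Usernames are assumed not to contain ':' (the field separator)."""
    mac = hmac.new(secret, f"{username}:{issued_at}".encode(), hashlib.sha1).hexdigest()
    return base64.b64encode(f"{username}:{issued_at}:{mac}".encode()).decode()


def verify_timed_token(token: str, now: int, max_age: int,
                       secret: bytes = SERVER_SECRET) -> Optional[str]:
    """Return the username if the cookie is authentic, unexpired and not
    revoked; otherwise None. Malformed cookies are rejected, not raised."""
    if token in REVOKED:
        return None
    try:
        username, issued, mac = base64.b64decode(token).decode().split(":")
        issued_at = int(issued)
    except (ValueError, UnicodeDecodeError):
        return None
    expected = hmac.new(secret, f"{username}:{issued_at}".encode(), hashlib.sha1).hexdigest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    if not 0 <= now - issued_at <= max_age:  # reject expired and future-dated cookies
        return None
    return username


def logout(token: str) -> None:
    """Server-side logout: once recorded here, replaying the cookie fails."""
    REVOKED.add(token)
```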
--- Begin Message ---
Version: 2.5.2-3+rm

You filed the bug http://bugs.debian.org/486333 in Debian BTS against the package zope-cmfplone. I'm closing it at *unstable*, but it will remain open for older distributions.

For more information about this package's removal, read http://bugs.debian.org/455919. That bug might give the reasons why this package was removed and suggestions of possible replacements.

Don't hesitate to reply to this mail if you have any question.

Thank you for your contribution to Debian.

--
Marco Rodrigues
--- End Message ---