Hello everyone,
a vulnerability has been found in the PloneFormGen product; it is
advisable to update it to version 1.7.11.
Regards,
Danilo Dellaquila
-------- Original Message --------
Subject: [Plone-Announce] Vulnerability in PloneFormGen — Updated
announcement
Date: Wed, 29 May 2013 10:26:12 -0700
From: Announcement of Plone releases and security-related
notifications. Recommended subscription for all Plone developers and
site admins. <[email protected]>
Reply-To: [email protected]
To: [email protected]
[The previous version of this announcement suggested an upgrade to
PloneFormGen version 1.7.9. The distribution file for that version had
an error that prevented installation. Version 1.7.11 replaces it.
Information has also been added on how to get help with the update.]
PloneFormGen <http://plone.org/products/ploneformgen>, a widely used
response-form-creation add-on for the Plone Content Management System,
has been discovered to have a serious vulnerability that allows an
anonymous attacker to execute arbitrary code with the privileges of the
system user running the server.
Installations of Plone that do not use the PloneFormGen add-on are not
affected by this vulnerability.
The vulnerability is present in PloneFormGen versions 1.7.4 (2012-11-04)
through 1.7.8. Users of any of these versions should immediately upgrade
to Products.PloneFormGen version 1.7.11
<https://pypi.python.org/pypi/Products.PloneFormGen/1.7.11>. 1.7.11 has
been released today to the Plone and Python package repositories.
Another serious vulnerability affects most earlier versions of
PloneFormGen. This vulnerability affects forms that have custom script
adapters, and allows an anonymous attacker to gain control over the
handling of data submitted through the form. This vulnerability is
addressed in version 1.7.9. Users of PloneFormGen in the 1.6 series,
which runs on Plone 3.x, 4.0 and 4.1 should upgrade to version 1.6.7
<https://pypi.python.org/pypi/Products.PloneFormGen/1.6.7>, also
released today.
Help for installing the upgrade is available on the #plone IRC channel
<http://plone.org/support/chat> and forums
<https://plone.org/support/forums>. Upgrading an already installed
package requires you to specify the new version number in your buildout
configuration file
<https://weblion.psu.edu/trac/weblion/wiki/VersionPinning> and run
buildout.
Thanks to The Code Distillery's security analysts for the responsible
disclosure of the vulnerabilities, and for their suggestions for
addressing the issues.
--
Danilo Dellaquila
Technical Director
K-Gigas Computers S.L.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Company: http://www.k-gigas.com
Blog: http://danilodellaquila.com
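The announcement above tells site admins to pin the new version in their buildout configuration. The following is an added example, not code from the Plone project or from the announcement: it reads the `[versions]` section of a buildout file, finds the pinned `Products.PloneFormGen` version, and classifies it against the ranges the announcement names (1.7.4 through 1.7.8 for the code-execution issue, anything before 1.7.9 or 1.6.7 for the custom script adapter issue). The sample configuration text is constructed for the example; the function names are the example's own.

```python
"""Check a buildout [versions] pin of Products.PloneFormGen against the
version ranges given in the Plone-Announce advisory (added example)."""
import configparser

# Constructed sample of a buildout versions section; not a real site's file.
SAMPLE_VERSIONS_CFG = """\
[versions]
Plone = 4.3
Products.PloneFormGen = 1.7.6
"""

PACKAGE = "Products.PloneFormGen"


def parse_version(text):
    """Turn '1.7.11' into (1, 7, 11) so tuples compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def pinned_version(cfg_text, package=PACKAGE):
    """Return the version pinned for `package` in [versions], or None."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep the package name's case as written
    parser.read_string(cfg_text)
    if not parser.has_section("versions"):
        return None
    return parser.get("versions", package, fallback=None)


def assess(version_text):
    """Map a PloneFormGen version to (status, advice) per the advisory."""
    v = parse_version(version_text)
    if v[:2] == (1, 6):
        # 1.6 series runs on Plone 3.x/4.0/4.1; fixed release is 1.6.7.
        if v < (1, 6, 7):
            return ("vulnerable", "custom script adapter issue; upgrade to 1.6.7")
        return ("fixed", "1.6.7 or later")
    if v < (1, 6):
        # The advisory says "most earlier versions" are affected.
        return ("vulnerable", "likely affected; upgrade to a fixed release")
    if (1, 7, 4) <= v <= (1, 7, 8):
        return ("vulnerable", "anonymous code execution; upgrade to 1.7.11")
    if v < (1, 7, 9):
        return ("vulnerable", "custom script adapter issue; upgrade to 1.7.11")
    if v < (1, 7, 11):
        # 1.7.9's distribution file did not install; 1.7.11 replaces it.
        return ("fixed", "advisory recommends 1.7.11")
    return ("fixed", "1.7.11 or later")


def check_buildout(cfg_text):
    """Combine the two steps; returns (pinned_version, status, advice)."""
    pinned = pinned_version(cfg_text)
    if pinned is None:
        return (None, "unknown", "no explicit pin; check the installed egg")
    status, advice = assess(pinned)
    return (pinned, status, advice)


if __name__ == "__main__":
    print(check_buildout(SAMPLE_VERSIONS_CFG))
```

Run it against the real `versions.cfg` (or the `[versions]` part of `buildout.cfg`) to see whether the pin falls inside an affected range before running buildout; an absent pin means the version in use has to be read from the installed egg rather than the config.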
------------------------------------------------------------------------------
_______________________________________________
Plone-Announce mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/plone-announce
_______________________________________________
Usuarios-Plone mailing list
[email protected]
https://lists.plone.org/mailman/listinfo/plone-usuarios-plone