Your message dated Tue, 06 May 2008 07:32:06 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#473571: fixed in plone3 3.1.1-1
has caused the Debian Bug report #473571,
regarding plone3: CVE-2008-139[3-6],CVE-2008-0164 multiple vulnerabilities
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
473571: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=473571
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Source: plone3
Version: 3.0.6-1
Severity: grave
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for plone3.


CVE-2008-1396[0]:
| Plone CMS 3.x uses invariant data (a client username and a server
| secret) when calculating an HMAC-SHA1 value for an authentication
| cookie, which makes it easier for remote attackers to gain permanent
| access to an account by sniffing the network.

CVE-2008-1395[1]:
| Plone CMS does not record users' authentication states, and implements
| the logout feature solely on the client side, which makes it easier
| for context-dependent attackers to reuse a logged-out session.

CVE-2008-1394[2]:
| Plone CMS before 3 places a base64 encoded form of the username and
| password in the __ac cookie for all user accounts, which makes it
| easier for remote attackers to obtain access by sniffing the network.

CVE-2008-1393[3]:
| Plone CMS 3.0.5, and probably other 3.x versions, places a base64
| encoded form of the username and password in the __ac cookie for the
| admin account, which makes it easier for remote attackers to obtain
| administrative privileges by sniffing the network.

If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.

Can you please check if those affect Debian? I did not find 
any statement regarding a fixed version by the upstream, did 
not see any patches, no installation to try it out and the 
advisory doesn't reference any code.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1396
    http://security-tracker.debian.net/tracker/CVE-2008-1396
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1395
    http://security-tracker.debian.net/tracker/CVE-2008-1395
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1394
    http://security-tracker.debian.net/tracker/CVE-2008-1394
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1393
    http://security-tracker.debian.net/tracker/CVE-2008-1393

-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Attachment: pgp5k1pBhbNCR.pgp
Description: PGP signature


--- End Message ---
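The two cookie weaknesses described in the CVE entries above (an HMAC computed only over invariant data, and a logout that exists only on the client) can be shown side by side. The following is an added illustration written for this page, not Plone's own code or Debian's patch: `invariant_cookie` reproduces the pattern CVE-2008-1396 describes, where the token for a user never changes, so nothing the server does after issuance can invalidate it; `issue_session_cookie` is the hardened counterpart that binds a random session id and an expiry into the MAC and keeps a server-side session record, which is what lets `logout` actually revoke a cookie (the gap CVE-2008-1395 describes). `SERVER_SECRET`, the function names and the in-memory `SESSIONS` table are all constructed for the example.

```python
"""Added illustration, not Plone's code: invariant-data HMAC cookie vs.
a revocable, expiring session cookie. Secret and names are constructed."""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

SERVER_SECRET = b"example-secret-do-not-use"  # constructed for this example


def invariant_cookie(username: str) -> str:
    """Pattern from CVE-2008-1396: MAC over username + server secret only.
    The result is identical on every login and never expires."""
    mac = hmac.new(SERVER_SECRET, username.encode(), hashlib.sha1).hexdigest()
    return f"{username}:{mac}"


def verify_invariant_cookie(cookie: str) -> Optional[str]:
    """Nothing but the secret is checked, so the server has no way to revoke."""
    username, _, mac = cookie.rpartition(":")
    expected = hmac.new(SERVER_SECRET, username.encode(), hashlib.sha1).hexdigest()
    return username if hmac.compare_digest(mac, expected) else None


# Hardened variant: the server keeps authentication state it can delete.
SESSIONS: Dict[str, Dict[str, object]] = {}   # session_id -> {"user", "expires"}
TTL_SECONDS = 3600


def issue_session_cookie(username: str, now: Optional[float] = None) -> str:
    """Bind a fresh random session id and an expiry into the MAC input."""
    now = time.time() if now is None else now
    session_id = secrets.token_hex(16)
    expires = int(now) + TTL_SECONDS
    SESSIONS[session_id] = {"user": username, "expires": expires}
    payload = f"{username}:{session_id}:{expires}"
    mac = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{mac}"


def verify_session_cookie(cookie: str, now: Optional[float] = None) -> Optional[str]:
    """Reject tampered, expired, or revoked cookies; return the user otherwise."""
    now = time.time() if now is None else now
    try:
        username, session_id, expires_s, mac = cookie.split(":")
        expires = int(expires_s)
    except ValueError:
        return None
    payload = f"{username}:{session_id}:{expires_s}"
    expected = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None                      # forged or modified
    if now >= expires:
        return None                      # expired
    record = SESSIONS.get(session_id)
    if record is None or record["user"] != username:
        return None                      # logged out or never issued
    return username


def logout(cookie: str) -> bool:
    """Server-side logout: drop the session record so the cookie stops working."""
    parts = cookie.split(":")
    if len(parts) != 4:
        return False
    return SESSIONS.pop(parts[1], None) is not None


if __name__ == "__main__":
    legacy = invariant_cookie("alice")
    print("invariant cookie stable across logins:", legacy == invariant_cookie("alice"))
    fresh = issue_session_cookie("alice")
    print("session cookie valid before logout:", verify_session_cookie(fresh) == "alice")
    logout(fresh)
    print("session cookie valid after logout:", verify_session_cookie(fresh) == "alice")
```

The `SESSIONS` dictionary stands in for whatever persistent store a real deployment would use; the design point is only that some server-held record must exist for a logout to delete, and that the expiry must be covered by the MAC so the client cannot extend it.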
--- Begin Message ---
Source: plone3
Source-Version: 3.1.1-1

We believe that the bug you reported is fixed in the latest version of
plone3, which is due to be installed in the Debian FTP archive:

plone3-site_3.1.1-1_all.deb
  to pool/main/p/plone3/plone3-site_3.1.1-1_all.deb
plone3_3.1.1-1.diff.gz
  to pool/main/p/plone3/plone3_3.1.1-1.diff.gz
plone3_3.1.1-1.dsc
  to pool/main/p/plone3/plone3_3.1.1-1.dsc
plone3_3.1.1.orig.tar.gz
  to pool/main/p/plone3/plone3_3.1.1.orig.tar.gz
zope-plone3_3.1.1-1_all.deb
  to pool/main/p/plone3/zope-plone3_3.1.1-1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Fabio Tranchitella <[EMAIL PROTECTED]> (supplier of updated plone3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 06 May 2008 08:02:02 +0200
Source: plone3
Binary: zope-plone3 plone3-site
Architecture: source all
Version: 3.1.1-1
Distribution: unstable
Urgency: low
Maintainer: Debian/Ubuntu Zope Team <[EMAIL PROTECTED]>
Changed-By: Fabio Tranchitella <[EMAIL PROTECTED]>
Description: 
 plone3-site - preconfigured zope instance containing a plone site
 zope-plone3 - content management system based on zope and cmf
Closes: 473571 475286
Changes: 
 plone3 (3.1.1-1) unstable; urgency=low
 .
   * New upstream release.
   * Add CSRF protection to user forms and control panel pages (CVE-2008-0164).
     (Closes: #473571)
   * debian/control: depends on libjs-prototype. (Closes: #475286)
Checksums-Sha1: 
 1a9858967fc8435d9e783ca73407ca7afba1b3a6 1199 plone3_3.1.1-1.dsc
 bfd3e587c8f86da83b6b12683668251bf424ae08 12632042 plone3_3.1.1.orig.tar.gz
 547fa17f5b448be9d89ae09a5fe30d51f4acf146 14895 plone3_3.1.1-1.diff.gz
 010b15d7cd0b1be59fadb86bb528ffc85408f1f3 15334170 zope-plone3_3.1.1-1_all.deb
 6e9ea6bc8acc7ee966f59757b0d3ddaed88671df 11372 plone3-site_3.1.1-1_all.deb
Checksums-Sha256: 
 2c1137e6db83b495e7c0f8ba5a1cfaf69d5215a06f5688276762291ef42f6c4d 1199 plone3_3.1.1-1.dsc
 fbd43d734ff8f5f0064fad630ff111c8e75778d7fd80ff33defb174832719c5d 12632042 plone3_3.1.1.orig.tar.gz
 7a8a7a34130a5eaa8542ed8233bd3ef277e7b23d79e5a82e14bb62a88338e70d 14895 plone3_3.1.1-1.diff.gz
 bdf3a648e21cb9d4bca41029e3b711212c9a49a16d6479f6b83d98f18f06d728 15334170 zope-plone3_3.1.1-1_all.deb
 8d05b7bee4942bfdb2c1c23481239b9e9d8d62f4f113aa3dd31fd8d7aaa10bdb 11372 plone3-site_3.1.1-1_all.deb
Files: 
 dcb941941d9b6ca4126d716cc1a4c807 1199 web optional plone3_3.1.1-1.dsc
 78d594c1d07ed6f9a395c497382e3fe9 12632042 web optional plone3_3.1.1.orig.tar.gz
 db778925313d6ed5f761747a561b7a05 14895 web optional plone3_3.1.1-1.diff.gz
 73c323b29cfa00b1bb0ade59145df4af 15334170 web optional zope-plone3_3.1.1-1_all.deb
 1ae4e77c29913656754872c8f4e71c1b 11372 web optional plone3-site_3.1.1-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIIAgJK/juK3+WFWQRAhBrAJ92SQ6zS7jDz6uE9MG2B0aRuVIJPACaA0Xf
KFqP0eskKJDz1JsU+h9qBB4=
=9if+
-----END PGP SIGNATURE-----



--- End Message ---