Bug#401796: CVE-2006-4249: Plone vulnerability
Moritz Muehlenhoff
jmm at inutil.org
Sun Dec 17 14:34:30 UTC 2006
On Thu, Dec 07, 2006 at 07:26:34AM +0100, Fabio Tranchitella wrote:
> * 2006-12-06 23:08, Encolpe Degoute wrote:
> > Moritz Muehlenhoff a écrit :
> > > Package: zope-cmfplone
> > > Severity: grave
> > > Tags: security
> > > Justification: user security hole
> > >
> > > I don't know very much about Plone and I didn't investigate too deeply
> > > as Sarge is not affected, but I suppose this needs to be fixed for Etch:
> > >
> > > http://plone.org/about/security/advisories/cve-2006-4249/
> > >
> > > | PlonePAS-using Plone releases (Plone 2.5 and Plone 2.5.1)
> > > | has a potential vulnerability that allows a user to
> > > | masquerade as a group. Please update your sites.
> > >
> > > Applying the hotfix is probably preferable to upgrading to 2.5.2.
> >
> > +1
> >
> > There's no Plone 2.5.2 release before january, apply the patch is the
> > solution for etch.
>
> I'm working on this issue, and I'll upload the fix to unstable ASAP.
What's the status?
Cheers,
Moritz
More information about the pkg-zope-developers
mailing list