Bug#473571: unclarity about plone bugs

Wichert Akkerman wichert at wiggy.net
Sun Jun 15 11:14:38 UTC 2008


Thijs Kinkhorst wrote:
> Hoi Wichert,
>
> There's some unclarity about a set of security issues in Plone. This is in
> Debian bug #473571 (CC'ed). Could you please take a look and clarify which
> issues are fixed or are non-issues?
>

CVE-2008-1396 is only a problem if you don't follow best practices. Best 
practice here means setting up automated cycling of the server secret.

CVE-2008-1395: same thing. The reason we use such a method is that 
anything else is incredibly expensive on busy sites.

CVE-2008-1394 only holds for Plone < 3.0. Plone 3.0 uses a completely 
different session implementation.

CVE-2008-1393 is not true for Plone accounts. It only holds when using 
accounts defined outside the Plone site (such as the Zope root admin 
account) inside the Plone site. Again, this is against best practices.

The CSRF issues mentioned later in the bugreport have seen a hotfix for 
Plone 3.0 and are fixed in Plone 3.1. They will not be fixed in Plone 2.5.

Wichert.

-- 
Wichert Akkerman<wichert at wiggy.net>    It is simple to make things.
http://www.wiggy.net/                  It is hard to make things simple.
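The reply above rests on "automated cycling of the server secret": if the secret that authenticates session cookies is rotated on a schedule, a leaked or guessed secret is only useful until the next rotation, and rotating with a short grace period for the previous secret avoids logging every user out at once. The following is an added example of that pattern written for this page; it is not Plone's session code, and the cookie format (`user:expiry:mac`), the one-hour interval, the "keep one previous secret" policy and the fake clock are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import time
from collections import deque

# Added example, not Plone's implementation. Cookie layout, rotation interval
# and retention of exactly one previous secret are assumptions for this demo.


class RotatingSecret:
    """Current HMAC secret plus a bounded ring of older ones.

    Cookies minted under an older secret stay verifiable until that secret
    falls off the ring, so a rotation does not invalidate every session at
    once, while anything older than the ring is rejected.
    """

    def __init__(self, keep_previous=1, interval=3600, now=time.time):
        self._keys = deque(maxlen=keep_previous + 1)
        self._keys.appendleft(secrets.token_bytes(32))  # 256-bit secret
        self._interval = interval
        self._now = now  # injectable clock so the demo runs offline
        self._rotated_at = now()

    def rotate(self):
        # New secret at the front; the oldest one drops off the ring.
        self._keys.appendleft(secrets.token_bytes(32))
        self._rotated_at = self._now()

    def rotate_if_due(self):
        """Rotate when the interval has elapsed (call from a cron/tick)."""
        if self._now() - self._rotated_at >= self._interval:
            self.rotate()
            return True
        return False

    def current(self):
        return self._keys[0]

    def all(self):
        return list(self._keys)


def _mac(key, payload):
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def mint(rs, user_id, expires_at):
    """Return a cookie 'user:expiry:mac' signed with the current secret."""
    payload = f"{user_id}:{expires_at}".encode()
    return f"{user_id}:{expires_at}:{_mac(rs.current(), payload)}"


def verify(rs, token, now):
    """Return the user id if the cookie is authentic and unexpired, else None."""
    try:
        user_id, expires_at, mac = token.rsplit(":", 2)
        expires_at = int(expires_at)
    except ValueError:
        return None
    if now >= expires_at:
        return None
    payload = f"{user_id}:{expires_at}".encode()
    # Try every secret still in the ring, constant-time comparison each time.
    for key in rs.all():
        if hmac.compare_digest(_mac(key, payload), mac):
            return user_id
    return None


def demo():
    """Walk a cookie through two rotations; returns a list of check results."""
    clock = [1000]  # constructed fake clock, in seconds
    rs = RotatingSecret(keep_previous=1, interval=3600, now=lambda: clock[0])
    cookie = mint(rs, "alice", expires_at=clock[0] + 86400)

    results = [verify(rs, cookie, clock[0]) == "alice"]  # fresh: accepted

    clock[0] += 3600
    rs.rotate_if_due()  # first rotation: old secret still in the ring
    results.append(verify(rs, cookie, clock[0]) == "alice")

    clock[0] += 3600
    rs.rotate_if_due()  # second rotation: the minting secret has aged out
    results.append(verify(rs, cookie, clock[0]) is None)

    # A cookie with a swapped user id fails the MAC under every secret.
    forged = "admin" + cookie[len("alice"):]
    results.append(verify(rs, forged, clock[0]) is None)
    return results


if __name__ == "__main__":
    print(demo())
```

The grace window is the product of `keep_previous` and `interval`; setting `keep_previous=0` gives the strict behaviour where every rotation ends all sessions. Whatever the interval, the rotation has to actually be scheduled (the `rotate_if_due` call from a periodic job), which is the "automated" part the reply insists on.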