Bug#473571: plone3: CVE-2008-139[3-6] multiple vulnerabilities
Nico Golde
nion at debian.org
Mon Mar 31 13:27:34 UTC 2008
Hi Fabio,
* Fabio Tranchitella <kobold at kobold.it> [2008-03-31 15:09]:
> * 2008-03-31 14:31, Nico Golde wrote:
[...]
> > the following CVE (Common Vulnerabilities & Exposures) ids were
> > published for plone3.
>
> To say the truth, I don't really think these security problems are real;
> I have the impression that upstream thinks so, too: there are no patches
> available and no new upstream release fixing these problems.
>
> In any case, I'll try to ask on IRC.
While I agree that the cookie issues and the session id
issue are not of a high impact, I still think that at least
the CSRF issue should be fixed because the exploit scenario
has a certain real-life importance.
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.