Bug#525943: CVE-2009-0662: privilege escalation
Steffen Joeris
steffen.joeris at skolelinux.de
Tue Apr 28 02:18:48 UTC 2009
Package: plone3
Severity: grave
Tags: security, patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) ID was
published for plone3.
CVE-2009-0662[0]:
| The PlonePAS product 3.x before 3.9 and 3.2.x before 3.2.2, a product
| for Plone, does not properly handle the login form, which allows
| remote authenticated users to acquire the identity of an arbitrary
| user via unspecified vectors.
The description states PlonePAS, but as you confirmed by mail that
plone3 uses it, I am writing the bug report now for reference.
The upstream patch can be found here[1]. As already discussed via mail,
please also prepare updated packages for lenny incorporating this fix
and fixes for some of the other CVEs, which upstream has already fixed.
If you fix the vulnerability, please also make sure to include the
CVE ID in your changelog entry.
Cheers
Steffen
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0662
http://security-tracker.debian.net/tracker/CVE-2009-0662
[1] http://klecker.debian.org/~white/plone3/CVE-2009-0662.patch