{ "info": { "author": "Plone security team", "author_email": "security@plone.org", "bugtrack_url": null, "classifiers": [ "Framework :: Plone", "Framework :: Zope2", "Programming Language :: Python" ], "description": "Plone Hotfix package, 2011-05-31\n********************************\n\n**Important note**: *This is version 2.0 of the hotfix and fixes a critical\nissue with version 1.0 of the hotfix. You should update your sites to version\n2.0 even if you have already applied version 1.0 of the hotfix. The Plone\nsecurity team apologizes for this error.*\n\nThis hotfix fixes the following four vulnerabilities:\n\n1. Reflected XSS attack: A crafted URL can display arbitrary HTML output.\n This is a vulnerability in CMFPlone affecting all versions of Plone.\n Thanks to **S. Streichsbier** of *SEC Consult* for the responsible\n disclosure.\n See `CVE-2011-1948`_ for details.\n\n2. Persistent XSS attack: Certain valid HTML will allow JavaScript filtering to\n be bypassed. This is a vulnerability in Products.PortalTransforms affecting\n all versions of Plone using it, including 2.1 through 4.1. Thanks to\n **Daniel Berlin** and **Dan Bentley**, both of *Google*, and **Brian Peters**,\n an independent researcher, for responsibly disclosing this independently of\n each other.\n See `CVE-2011-1949`_ for details.\n\n3. Unauthorized data changes: One form allows users to edit the properties of\n other users. This is a vulnerability in plone.app.users affecting Plone 4.0\n and 4.1.\n This vulnerability was not disclosed responsibly to the security team.\n See `CVE-2011-1950`_ for details.\n\n4. Denial of service: A user can prevent other users from logging in. This is\n a vulnerability in Products.PluggableAuthService affecting all versions of\n Plone using it, including 2.5 through 4.1. Thanks to **Alan Hoey** of\n *Team Rubber* for the responsible disclosure.\n See `PAS ticket #789858`_ for details.\n\n.. _`CVE-2011-1948`: http://plone.org/products/plone/security/advisories/CVE-2011-1948\n.. _`CVE-2011-1949`: http://plone.org/products/plone/security/advisories/CVE-2011-1949\n.. _`CVE-2011-1950`: http://plone.org/products/plone/security/advisories/CVE-2011-1950\n.. _`PAS ticket #789858`: https://bugs.launchpad.net/zope-pas/+bug/789858\n\nThis hotfix is supported on Plone 3 and 4. It is also known to work on Plone\n2.5, and may work on older versions of Plone.\n\nThe fixes included here will be incorporated into subsequent releases of Plone,\nso Plone 4.0.7, 4.1rc3, and greater should not require this hotfix.\n\n\nInstallation\n============\n\nInstallation instructions can be found at\nhttp://plone.org/products/plone-hotfix/releases/20110531\n\nChangelog\n=========\n\n2.0 (2011-06-02)\n----------------\n\n- Fix a critical issue preventing correct functioning of one of the patches.\n [davisagli]\n\n- Avoid trying to patch safe_html.StrippingParser if it is not present (as in\n very old versions of PortalTransforms).\n [davisagli]\n\n1.0 (2011-06-01)\n----------------\n\n- Initial release\n [Plone security team]", "description_content_type": null, "docs_url": null, "download_url": "UNKNOWN", "downloads": { "last_day": -1, "last_month": -1, "last_week": -1 }, "home_page": "http://plone.org/products/plone-hotfix/releases/20110531", "keywords": "security hotfix patch", "license": "GPL", "maintainer": null, "maintainer_email": null, "name": "Products.PloneHotfix20110531", "package_url": "https://pypi.org/project/Products.PloneHotfix20110531/", "platform": "UNKNOWN", "project_url": "https://pypi.org/project/Products.PloneHotfix20110531/", "project_urls": { "Download": "UNKNOWN", "Homepage": "http://plone.org/products/plone-hotfix/releases/20110531" }, "release_url": "https://pypi.org/project/Products.PloneHotfix20110531/2.0/", "requires_dist": null, "requires_python": null, "summary": "Plone critical security hotfix addressing multiple vulnerabilities", "version": "2.0" },
"last_serial": 785078, "releases": { "1.0": [ { "comment_text": "", "digests": { "md5": "b89091a42780341116eff7aa2fd03f4a", "sha256": "806046c69b022a22884d518733eaec9af7d49a1aa792884c86b6bb6df0c913fd" }, "downloads": -1, "filename": "Products.PloneHotfix20110531-1.0.zip", "has_sig": false, "md5_digest": "b89091a42780341116eff7aa2fd03f4a", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 10420, "upload_time": "2011-06-01T17:24:41", "url": "https://files.pythonhosted.org/packages/c7/6f/ca9b03cf03b5d69f2a81df37bbd660c65e4bde4db6cc10fa2b86fbc847b4/Products.PloneHotfix20110531-1.0.zip" } ], "2.0": [ { "comment_text": "", "digests": { "md5": "42aa0aee41919298b65001607a6a0684", "sha256": "0ec322c9e847706128992207469022432596b973cefa18d014a734efdb46a279" }, "downloads": -1, "filename": "Products.PloneHotfix20110531-2.0.zip", "has_sig": false, "md5_digest": "42aa0aee41919298b65001607a6a0684", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 11202, "upload_time": "2011-06-02T18:12:35", "url": "https://files.pythonhosted.org/packages/c1/31/3c3c3852c968ad6b6adae0543998b02db4009fe0e1f945e4bc05a4eb81c1/Products.PloneHotfix20110531-2.0.zip" } ] }, "urls": [ { "comment_text": "", "digests": { "md5": "42aa0aee41919298b65001607a6a0684", "sha256": "0ec322c9e847706128992207469022432596b973cefa18d014a734efdb46a279" }, "downloads": -1, "filename": "Products.PloneHotfix20110531-2.0.zip", "has_sig": false, "md5_digest": "42aa0aee41919298b65001607a6a0684", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 11202, "upload_time": "2011-06-02T18:12:35", "url": "https://files.pythonhosted.org/packages/c1/31/3c3c3852c968ad6b6adae0543998b02db4009fe0e1f945e4bc05a4eb81c1/Products.PloneHotfix20110531-2.0.zip" } ] }