It was reported [1] that Plone suffers from a vulnerability that can be exploited to bypass certain security restrictions. This is due to a vulnerable bundled version of Zope. Plone 3.x users that backported the fix for CVE-2011-0720 (PloneHotfix20110720) are affected due to the vulnerability being inadvertently backported via the hotfix. A new hotfix (20110622) is available [2] to correct the flaw.

[1] http://plone.org/products/plone/security/advisories/20110622
[2] http://plone.org/products/plone-hotfix/releases/20110622
Created luci tracking bugs for this issue

Affects: fedora-all [bug 718829]
Created plone tracking bugs for this issue

Affects: epel-5 [bug 711497]
Also note the effects on Zope 2.12/2.13 (fixed upstream in 2.12.19 and 2.13.8):

https://mail.zope.org/pipermail/zope-announce/2011-June/002260.html

I do not believe we ship Zope at all in any products, other than some python-zope-* modules.
(In reply to comment #2)
> Created luci tracking bugs for this issue
>
> Affects: fedora-all [bug 718829]

luci does not use plone any longer (or zope).
Per the plone site:

"Other versions are not affected. Plone 2.5 and Zope 2.8/2.9 are unaffected; you should not install this hotfix on those sites."

So we are unaffected because we're using Plone-2.5.5 and Zope-2.9.8
(In reply to comment #6)
> Per the plone site:
>
> "Other versions are not affected. Plone 2.5 and Zope 2.8/2.9 are unaffected;
> you should not install this hotfix on those sites."
>
> So we are unaffected because we're using Plone-2.5.5 and Zope-2.9.8

Which packages/platforms is the above referring to?
(In reply to comment #7)
> (In reply to comment #6)
> > Per the plone site:
> >
> > "Other versions are not affected. Plone 2.5 and Zope 2.8/2.9 are unaffected;
> > you should not install this hotfix on those sites."
> >
> > So we are unaffected because we're using Plone-2.5.5 and Zope-2.9.8
>
> Which packages/platforms is the above referring to?

Sorry -- this pertains to conga on RHEL4 and RHEL5.
(In reply to comment #8)
> > Which packages/platforms is the above referring to?
> Sorry -- this pertains to conga on RHEL4 and RHEL5.

Fantastic, thank you Ryan. I'm assuming that when you refer to RHEL4 you're talking about the cluster product, correct? (conga 0.11.2-4.el4).

If that is the case, then only Plone in EPEL5 is affected by this.

However, if that is indeed the case, then I'm wondering why we did an update for CVE-2011-0720 for RHEL4 and RHEL5, which seem to contain the patch that introduced this flaw. That would imply to me that we are indeed affected:

https://www.redhat.com/security/data/cve/CVE-2011-0720.html

Judging by that alone, we should be affected, shouldn't we?
(In reply to comment #9)
> Fantastic, thank you Ryan. I'm assuming that when you refer to RHEL4 you're
> talking about the cluster product, correct? (conga 0.11.2-4.el4).
>
> If that is the case, then only Plone in EPEL5 is affected by this.
>
> However, if that is indeed the case, then I'm wondering why we did an update
> for CVE-2011-0720 for RHEL4 and RHEL5, which seem to contain the patch that
> introduced this flaw. That would imply to me that we are indeed affected:
>
> https://www.redhat.com/security/data/cve/CVE-2011-0720.html
>
> Judging by that alone, we should be affected, shouldn't we?

CVE-2011-0720 specified that Plone 2.5 was affected, which is why we applied the patch there.

http://plone.org/products/plone/security/advisories/20110622 mentions that the vulnerability in Plone3 was introduced by the previous hotfix, but it doesn't say anything similar about any other versions of Plone. I guess the previous hotfix interacted with only Plone3 in a way so as to introduce the new problem.

At the bottom of the FAQ page, they write:

"Q: I see "ImportError: No module named traversing" on startup after installing the hotfix.

You have installed the hotfix onto a Plone 2.5 or Zope 2.8/2.9 site. The Hotfix is not required; you should remove it."
Yes, the advisory indicates:

"Other versions are not affected. Plone 2.5 and Zope 2.8/2.9 are unaffected; you should not install this hotfix on those sites."

Great, thanks for the clarification Ryan. I'll note that RHEL is unaffected by this.
This has been assigned the name CVE-2011-2528:

http://seclists.org/oss-sec/2011/q3/75