A vulnerability was discovered in the statusmessages and linkintegrity modules, where unsafe network data was interpreted as python pickles. This allowed an attacker to run arbitrary python code within the Zope/Plone process.
Created attachment 248361 [details] Plone hotfix
Some Plone components are shipped in conga - luci. Module statusmessages seems to be included. James, can you please confirm whether conga packages are affected by this issue? Thanks!
Hi, we're (luci) not affected by this. We broke this functionality on purpose. Even though the code is shipped with luci because of dependencies, the code path can (AFAICS) never be tripped, as we've stripped down the default page templates substantially. Confirm by trying something like https://<luci_server_host>:8084/luci/homebase?portal_status_message=NOTHING_HERE_TO_SEE We'll upgrade to the latest versions of Zope and Plone for the next version we ship, though, to be safe.
Ryan is spot on with his comment above. Thanks, Ryan.
Now public at http://plone.org/about/security/advisories/cve-2007-5741/ removing embargo