Fwd: [Plone-Announce] Vulnerability in PloneFormGen requires immediate update



Veit Schiele

Hello Plonistas,

FYI:


-------- Original Message --------
To: [hidden email]
From: Announcement of Plone releases and security-related
Subject: [Plone-Announce] Vulnerability in PloneFormGen requires



PloneFormGen, a widely used response-form-creation add-on for the Plone
Content Management System, has been discovered to have a serious
vulnerability that allows an anonymous attacker to execute arbitrary
code with the privileges of the system user running the server.

Installations of Plone that do not use the PloneFormGen add-on are not
affected by this vulnerability.

The vulnerability is present in PloneFormGen versions 1.7.4 (2012-11-04)
through 1.7.8. Users of any of these versions should immediately upgrade
to Products.PloneFormGen version 1.7.9, which has been released today to
the Plone and Python package repositories.

Another serious vulnerability affects most earlier versions of
PloneFormGen. This vulnerability affects forms that have custom script
adapters, and allows an anonymous attacker to gain control over the
handling of data submitted through the form. This vulnerability is
addressed in version 1.7.9. Users of PloneFormGen in the 1.6 series,
which runs on Plone 3.x, 4.0 and 4.1, should upgrade to version 1.6.7,
also released today.

Thanks to The Code Distillery's security analysts for the responsible
disclosure of the vulnerabilities, and for their suggestions for
addressing the issues.

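As an added helper (not part of the announcement or of PloneFormGen itself), the check below maps an installed Products.PloneFormGen version onto the affected ranges and upgrade targets stated in the forwarded advisory; the buildout `versions.cfg` snippet is constructed sample input, and the treatment of 1.7.0 through 1.7.3 and of releases before 1.6 follows the advisory's wording "most earlier versions", which names no fixed release for the pre-1.6 series.

```python
import re
from typing import NamedTuple, Optional, Tuple


class Advice(NamedTuple):
    affected: bool
    issue: str
    upgrade_to: Optional[str]  # None when the advisory names no fixed release


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.7.4' (or '1.7.4rc1') into (1, 7, 4) so ranges compare numerically."""
    nums = []
    for part in text.strip().split("."):
        m = re.match(r"\d+", part)
        if not m:
            break
        nums.append(int(m.group()))
    if not nums:
        raise ValueError("not a version string: %r" % text)
    return tuple(nums)


def pfg_advice(version: str) -> Advice:
    """Classify a Products.PloneFormGen version against the advisory's ranges."""
    v = parse_version(version)
    if (1, 7, 4) <= v <= (1, 7, 8):
        # Anonymous remote code execution as the server's system user.
        return Advice(True, "anonymous arbitrary code execution (1.7.4 through 1.7.8)", "1.7.9")
    if v[:2] == (1, 7) and v < (1, 7, 9):
        # "Most earlier versions": custom script adapter issue, fixed in 1.7.9.
        return Advice(True, "custom script adapter vulnerability", "1.7.9")
    if v[:2] == (1, 6) and v < (1, 6, 7):
        # 1.6 series (Plone 3.x, 4.0, 4.1): fixed in 1.6.7.
        return Advice(True, "custom script adapter vulnerability", "1.6.7")
    if v < (1, 6):
        # Assumption: treat pre-1.6 as affected; the advisory names no fix for it.
        return Advice(True, "custom script adapter vulnerability (no fixed release named)", None)
    return Advice(False, "not affected by the issues in this announcement", None)


def pinned_version(versions_cfg: str) -> Optional[str]:
    """Read the Products.PloneFormGen pin from a buildout [versions] section."""
    m = re.search(r"^\s*Products\.PloneFormGen\s*=\s*(\S+)", versions_cfg, re.MULTILINE | re.I)
    return m.group(1) if m else None


# Constructed sample of a buildout versions.cfg, not taken from any real site.
SAMPLE_VERSIONS_CFG = """[versions]
Plone = 4.2.5
Products.PloneFormGen = 1.7.6
"""

if __name__ == "__main__":
    pin = pinned_version(SAMPLE_VERSIONS_CFG)
    print(pin, pfg_advice(pin))
```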


_______________________________________________
zope mailing list
[hidden email]
https://mail.dzug.org/mailman/listinfo/zope