security patch

Yuri-11
https://plone.org/security/announcements/security-patch-released-20161129

This hotfix fixes several security issues:

- A user could copy a public folder containing a private document and be able to see the document in the copy.

- An anonymous user could see some settings of the site by accessing widgets directly.
  This is for z3c.form widgets, which are widely used in Plone.

- A comment on a private document would be partly visible in the live search.
  Access to the search result page would be denied if the results contained such a comment.
  This is for the plone.app.discussion commenting system introduced in Plone 4.1.
  See the required manual step below for further instructions.


Extra fixes
===========

- Related: a vulnerability in DTML was discovered that could allow Cross Site Scripting attacks (XSS).
  This vulnerability is *not* fixed by this hotfix, because this was not possible.
  An exploit is hard: an attacker would need to enter a character that cannot normally be entered on a keyboard.
  On Plone 4.1 and higher, you should use DocumentTemplate 2.13.3, which was released today.
  On Plone 4.0 and lower, DocumentTemplate was included in the Zope2 code, which will not get an updated release.

- The Zope Security Team fixed an issue where quoting of an SQL string could fail.
  The ZSQLMethods product is available in all Plone sites, but no core code uses it.
  An exploit is hard: an attacker would need to enter a character that cannot normally be entered on a keyboard.
  On Plone 4.0 and higher, you should use Products.ZSQLMethods 2.13.5, which was released a few weeks ago.
  On Plone 3.3 and lower, Products.ZSQLMethods was included in the Zope2 code, which will not get an updated release.

_______________________________________________
Plone-IT mailing list
[hidden email]
https://lists.plone.org/mailman/listinfo/plone-plone-it
http://plone-regional-forums.221720.n2.nabble.com/Plone-Italy-f221721.html
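Added example (not from the post above or from the Plone advisory it quotes): a small Python script that audits the [versions] pins of a buildout against the minimum releases named in the message, DocumentTemplate 2.13.3 and Products.ZSQLMethods 2.13.5. The versions.cfg content is constructed for the example and the function names are the example's own. A package with no pin is reported as unpinned rather than passed, because on the older Plone releases named above that package lives inside Zope2 and has no separate pin to check; a pin that is not a plain dotted number is reported for manual review instead of being guessed at.

```python
import configparser
import re
from typing import Dict, List, Optional, Tuple

# Minimum releases named in the 2016-11-29 advisory quoted above.
REQUIRED_MINIMUMS = {
    "DocumentTemplate": "2.13.3",
    "Products.ZSQLMethods": "2.13.5",
}

# Constructed sample buildout pin list; not taken from any real site.
SAMPLE_VERSIONS_CFG = """\
[versions]
Zope2 = 2.13.24
DocumentTemplate = 2.13.2
Products.ZSQLMethods = 2.13.5
plone.app.discussion = 2.4.8
"""


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Turn '2.13.3' into (2, 13, 3).

    Only plain dotted integers are handled; anything else (e.g. '2.13.3rc1')
    returns None so the caller flags it instead of mis-ordering it.
    """
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))


def load_pins(cfg_text: str) -> Dict[str, str]:
    """Read the [versions] section of a buildout-style config."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep package-name case (Products.ZSQLMethods)
    cp.read_string(cfg_text)
    if not cp.has_section("versions"):
        return {}
    return dict(cp["versions"])


def audit_pins(pins: Dict[str, str],
               minimums: Dict[str, str] = REQUIRED_MINIMUMS
               ) -> List[Tuple[str, str, str]]:
    """Return (package, pinned_version, status) for each required package.

    status is one of 'ok', 'vulnerable', 'unpinned' or 'unparseable'.
    Package names are matched case-insensitively, as buildout does.
    """
    lowered = {name.lower(): version for name, version in pins.items()}
    findings = []
    for package, minimum in minimums.items():
        pinned = lowered.get(package.lower())
        if pinned is None:
            # Nothing to compare: on older Plone the code ships inside Zope2.
            findings.append((package, "<unpinned>", "unpinned"))
            continue
        parsed = parse_version(pinned)
        if parsed is None:
            findings.append((package, pinned, "unparseable"))
        elif parsed < parse_version(minimum):
            findings.append((package, pinned, "vulnerable"))
        else:
            findings.append((package, pinned, "ok"))
    return findings


if __name__ == "__main__":
    for package, pinned, status in audit_pins(load_pins(SAMPLE_VERSIONS_CFG)):
        print(f"{package:22s} {pinned:12s} {status}")
```

Run it against a real buildout by replacing SAMPLE_VERSIONS_CFG with the contents of the site's versions.cfg; a pin reported as unpinned on Plone 4.1 or higher means the package is being picked up from wherever buildout found it, which is worth checking by hand.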
Re: security patch

Vito
And let's hope it's the last one for this year...

2016-11-29 16:57 GMT+01:00 Yuri <[hidden email]>:
https://plone.org/security/announcements/security-patch-released-20161129


--
Vito Falco
Designer & Front-end developer | Freelance
Bari, IT
