Karen Chan of Isotoma Limited found a bug in the login form handling of Plone
3.x. An already authenticated user could exploit this error to assume the
identity of another user.
This issue has been assigned CVE-2009-0662.
Affected versions
=================
All Plone 3.x releases are affected.
Plone 2.5 and earlier releases are not affected.
Installing the hotfix
=====================
If you are using Plone 3.0.x or 3.1.x you can download and install a new
PlonePAS product release. The product can be installed as a normal Plone
product:
* For Plone 3.0 use version 3.2.2 of PlonePAS. Verify the md5 hash of the
hotfix package - it should be "f88c542bdf8e22674d284418e58c0da8".
* For Plone 3.1 and 3.2 use version 3.9 of PlonePAS. Verify the md5 hash of the
hotfix package - it should be "9ddc4d9b3505fe71f2c3e17513680c50".
* Extract it in the Products directory of your Zope instance
* Restart Zope
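The steps above amount to: pick the PlonePAS release for your Plone version, check the package's md5 against the digest published here, and only then unpack it into the Products directory. The following is an added example (not part of this advisory or of the Plone project) that wires those steps into a fail-closed shell script. The two digests are the ones listed above; the tarball name, the instance path and the use of a gzipped tar archive are assumptions.

```shell
#!/bin/sh
# Added example, not from the Plone advisory: verify a downloaded PlonePAS
# hotfix package against the md5 given in the advisory before extracting it
# into the Zope instance's Products directory. Paths and archive format are
# assumptions; the two digests are the ones the advisory publishes.

# Print the md5 hex digest of a file, using whichever tool is available.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

# Return 0 if the file's md5 equals the expected digest (case-insensitive),
# otherwise 1.
verify_md5() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(md5_of "$file")
    [ "$actual" = "$expected" ]
}

# Map a Plone major.minor version to the digest the advisory lists for the
# matching PlonePAS release (3.2.2 for Plone 3.0, 3.9 for Plone 3.1 and 3.2).
expected_md5_for_plone() {
    case "$1" in
        3.0) echo f88c542bdf8e22674d284418e58c0da8 ;;
        3.1|3.2) echo 9ddc4d9b3505fe71f2c3e17513680c50 ;;
        *) return 1 ;;
    esac
}

# Verify, then extract into $instance/Products. Refuses to unpack anything
# whose digest does not match, so a corrupted or tampered download is never
# installed.
install_hotfix() {
    tarball=$1
    plone_version=$2
    instance=$3
    expected=$(expected_md5_for_plone "$plone_version") || {
        echo "unsupported Plone version: $plone_version" >&2
        return 1
    }
    if ! verify_md5 "$tarball" "$expected"; then
        echo "md5 mismatch for $tarball: got $(md5_of "$tarball"), expected $expected" >&2
        return 1
    fi
    tar -xzf "$tarball" -C "$instance/Products" &&
        echo "extracted $tarball into $instance/Products; now restart Zope"
}

# Usage (assumed file name and instance path):
#   install_hotfix PlonePAS-3.9.tar.gz 3.2 /opt/zope/instance
```

The script deliberately stops at the extraction step; restarting Zope is left to the operator because the restart command depends on how the instance is managed.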
If you are using Plone 3.2.x you can use the Products.PlonePAS egg release. If
you are using buildout you can update the version pin for this package by
adding this entry to your buildout.cfg file:
[versions]
Products.PlonePAS = 3.9
After making this change you need to run buildout to update your Zope instance.
If you are not using buildout you can use the easy_install command to install
an updated version of Products.PlonePAS:
$ easy_install -U Products.PlonePAS==3.9
Reported incidents
==================
No incidents of this vulnerability being exploited have been reported.
Plone-Announce mailing list
https://lists.sourceforge.net/lists/listinfo/plone-announce