A vulnerability in both the statusmessages and linkintegrity modules
has been identified, where untrusted network data was treated as a
pickle and loaded. This allows an attacker to run arbitrary python
code within the Zope/Plone process.
This issue has been assigned CVE-2007-5741
Affected versions
-----------------
This hotfix applies to Plone 2.5 up to and including 2.5.4, and Plone
3.0 up
to and including 3.0.2.
These fixes will be included in the upcoming 2.5.5 and 3.0.3 releases,
at
which point this hotfix can be removed.
Earlier plone releases (versions 2.1.x and below) are not affected.
Plone Hotfix 2007-11-06
-----------------------
A hotfix that addresses this vulnerability can be downloaded at:
http://plone.org/products/plone-hotfix/releases/20071106The hotfix should be installed as soon as possible. To install, simply
extract the archive into your Zope/Plone products directory and
restart the server.
Martijn Pieters
The Plone Security Response Team
-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems? Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>
http://get.splunk.com/_______________________________________________
Plone-Announce mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/plone-announce
