Plone Hotfix 20071106 (Nov 17, 2007)

This hotfix corrects a vulnerability in the statusmessages and linkintegrity modules, where unsafe network data was interpreted as python pickles. This allows an attacker to run arbitrary python code within the Zope/Plone process.

For additional information about this project, please visit the overview page .

Available downloads

PloneHotfix20071106.tar.gz

For all platforms (0 kB)

Release Notes

Tested with Plone 2.5, Plone 3
StateFinal release
LicenseGPL
Release Manager Plone Security Response Team
Released2007/11/06

Plone Hotfix 2007-11-06

This hotfix corrects a vulnerability in the statusmessages and linkintegrity modules, where unsafe network data was interpreted as python pickles. This allows an attacker to run arbitrary python code within the Zope/Plone process.

Affected versions

This hotfix applies to Plone 2.5 up to and including 2.5.4, and Plone 3.0 up to and including 3.0.2.

These fixes will be included in the upcoming 2.5.5 and 3.0.3 releases, at which point this hotfix can be removed.

Earlier plone releases (versions 2.1.x and below) are not affected.

Installation

  • Untar 'PloneHotfix20071106.tar.gz' into the Products directory of your Plone instance.
  • Restart Zope

Uninstallation

  • Remove 'PloneHotfix20071106' from the Products directory of your Plone instance.
  • Restart Zope

References

CVE
CVE-2007-5741

Change log