Security vulnerability: 20121106 - Multiple vectors

by Matthew Wilkes last modified Nov 07, 2012 04:18 PM
Patches to Zope and Plone for a variety of issues, including arbitrary code execution and privilege escalation.

Versions Affected: All current Plone versions.
Versions Not Affected: None.

The patch was released at 2012-11-06 15:01 UTC. It can be added to buildouts as Products.PloneHotfix20121106 (available from PyPI) or downloaded from Plone.org.

This patch is compatible with all supported Plone versions (i.e. Plone 3 and Plone 4). It may work on earlier versions of Plone, but as these are unsupported they have had less testing.

This fix covers 24 separate vulnerabilities spanning multiple versions of Plone.

Installation

Full installation instructions are available on the HotFix release page.

Extra Help

Should you not have in-house server administrators or a service agreement looking after your website, you can find consulting companies at plone.org/support/network.

There is also free support available online via Plone mailing lists and the Plone IRC channels.


Questions and Answers

Q: Why is the patch called 20120830, then renamed to 20121106?
A: We mistakenly put the incorrect patch name on the original announcement.

Q: When will the patch be made available?
A: The Plone Security Team will release the patch at 2012-11-06 15:00 UTC.

Q: What will be involved in applying the patch?
A: Patches are made available as tarball-style archives that may be unpacked into the “products” folder of a buildout installation and as Python packages that may be installed by editing a buildout configuration file and running buildout. Patching is generally easy and quick to accomplish.

Q: How were these vulnerabilities found?
A: The majority of issues were found as part of audits performed by the Plone Security team. A subset were reported by users. More details will be available upon release of the patch.

Q: My site is highly visible and mission-critical. I hear the patch has already been developed. Can I get the fix before the release date?
A: No. The patch will be made available to all users at the same time. There are no exceptions.

Q: If the patch has been developed already, why isn't it made available to the public now?
A: The Security Team is still testing the patch and running various scenarios thoroughly. The team is also making sure everybody has appropriate time to plan to patch their Plone installation(s). Some consultancy organizations have hundreds of sites to patch and need the extra time to coordinate their efforts with their clients.

Q: How does one exploit the vulnerability?
A: This information will not be made public until after the patch is made available.

General questions about this announcement, Plone patching procedures, and availability of support may be addressed to the Plone support forums. If you have specific questions about this vulnerability or its handling, contact the Plone Security Team.

To report potentially security-related issues, e-mail the Plone Security Team at security@plone.org. We are always happy to credit individuals and companies who make responsible disclosures.

Information for Vulnerability Database Maintainers

We have already applied for CVE numbers for these issues. Further information on individual vulnerabilities (including CVSS scores, CWE identifiers and summaries) is available at the full vulnerability list.