Plone Hotfix 20071106-2 (Nov 18, 2007)
This hotfix corrects a vulnerability in the statusmessages and linkintegrity modules, where unsafe network data was interpreted as Python pickles. This allows an attacker to run arbitrary Python code within the Zope/Plone process. Version 2 of the hotfix corrects several bugs found in the original release.
Release Notes
| Tested with | Plone 2.5, Plone 3 |
|---|---|
| State | Final release |
| License | GPL |
| Release Manager | Plone Security Response Team |
| Released | 2007/11/17 |
Plone Hotfix 2007-11-06
This hotfix corrects a vulnerability in the statusmessages and linkintegrity modules, where unsafe network data was interpreted as Python pickles. This allows an attacker to run arbitrary Python code within the Zope/Plone process.
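The root cause above is unpickling a value that arrives over the network (a cookie), since unpickling can run code. As an added example that is not Plone's or the hotfix's own code, the functions below show the defensive replacement pattern: a JSON payload that carries only data, protected by an HMAC so tampered or foreign cookie values are rejected before parsing, and a newline check matching the change log's cookie fix. The key and function names are assumptions.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real site would load a per-site secret from config.
SECRET_KEY = b"demo-secret-key-not-for-production"


def encode_messages(messages, key=SECRET_KEY):
    """Serialise (text, type) pairs into a signed, cookie-safe string.

    JSON is pure data, unlike a pickle, so decoding it cannot execute code;
    the HMAC lets the server reject any value it did not produce itself.
    """
    payload = json.dumps(messages, separators=(",", ":")).encode("utf-8")
    body = base64.urlsafe_b64encode(payload).rstrip(b"=")
    mac = hmac.new(key, body, hashlib.sha256).hexdigest().encode("ascii")
    cookie = (body + b"." + mac).decode("ascii")
    # Base64 and hex cannot contain line breaks, but refuse to emit a value
    # that could split a Set-Cookie header just in case.
    if "\n" in cookie or "\r" in cookie:
        raise ValueError("cookie value must not contain line breaks")
    return cookie


def decode_messages(cookie, key=SECRET_KEY):
    """Verify and decode a cookie from encode_messages.

    Returns the list of (text, type) tuples, or [] for anything malformed,
    unsigned, or signed with a different key.
    """
    if not isinstance(cookie, str) or not cookie.isascii():
        return []
    if "\n" in cookie or "\r" in cookie:
        return []
    body, sep, mac = cookie.rpartition(".")
    if not sep:
        return []
    expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return []
    try:
        padded = body + "=" * (-len(body) % 4)
        messages = json.loads(base64.urlsafe_b64decode(padded).decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        return []
    # Accept only the shape we wrote: a list of [text, type] string pairs.
    if not isinstance(messages, list) or not all(
        isinstance(m, list) and len(m) == 2 and all(isinstance(s, str) for s in m)
        for m in messages
    ):
        return []
    return [tuple(m) for m in messages]
```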
Affected versions
This hotfix applies to Plone 2.5 up to and including 2.5.4, and Plone 3.0 up to and including 3.0.2.
These fixes will be included in the upcoming 2.5.5 and 3.0.3 releases, at which point this hotfix can be removed.
Earlier Plone releases (versions 2.1.x and below) are not affected.
Installation
- Untar 'PloneHotfix20071106.tar.gz' into the Products directory of your Plone instance.
- Restart Zope
Uninstallation
- Remove 'PloneHotfix20071106' from the Products directory of your Plone instance.
- Restart Zope
References
- CVE: CVE-2007-5741
Signature
- PloneHotfix20071106.tar.gz md5: 760cc9adab5fc8f677cf425d87f5a08f
Change log
20071106-2 (Released 2007-11-17)
- Ensured that the statusmessages cookie has no newlines in it (#7323/#7325)
- Added missing imports for the decode cookie exceptions code branch (#7337)
- Ensured that the translation patch is applied to statusmessages (#7320)
- Added a log message when the hotfix is applied.
20071106 (Released 2007-11-06)
- Initial release