Plone security hotfix addressing CVE 2011-0720

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for davisagli from gravatar.com davisagli Avatar for esteele from gravatar.com esteele Avatar for evilbungle from gravatar.com evilbungle Avatar for hannosch from gravatar.com hannosch Avatar for MatthewWilkes from gravatar.com MatthewWilkes

Unverified details

These details have not been verified by PyPI
Project links
GitHub Statistics

View statistics for this project via Libraries.io, or by using our public dataset on Google BigQuery

Meta

License: GPL

Author: Plone security team

Tags security, hotfix, patch

Classifiers

Project description

This is a critical security hotfix which should be applied to the following versions of Plone:

  • Plone 4 <= 4.0.3

  • Plone 3 <= 3.3.5

  • Any version of Plone 2.5, 2.1, or 2.0

Additional information about the hotfix including frequently asked questions is available at http://plone.org/products/plone/security/advisories/cve-2011-0720

This hotfix applies the following modifications to improve Plone security:

  • Applies security declarations to some methods that were missing them, in order to address the vulnerability identified in CVE 2011-0720. The vulnerability discussed there affects Plone 2.5 and greater.

  • Applies security declarations and removal of docstrings to some additional methods that were identified by the Plone security team in an audit following the identification of CVE 2011-0720. This includes some methods present in Plone 2.0 and 2.1.

  • If necessary, applies a patch to the ZPublisher to fix an issue with the checking of whether traversed methods are publishable. This issue affects Plone 3.0 and higher, and is also available in the following new Zope2 releases: 2.10.13, 2.11.8, 2.12.15, 2.13.4

Installation

Installation instructions can be found at http://plone.org/products/plone-hotfix/releases/CVE-2011-0720

Changelog

1.1 (2011-02-08)

  • Try 2 ways to delete the docstring as we had one report of the way we were using not working (thanks Andrew Mleczko for the report). [davisagli]

  • Fix issue with application to some recent revisions of Zope 2.10. Thanks to Ethan Jucovy for calling this to our attention. [davisagli]

1.0 (2011-02-08)

  • Initial release [Plone security team]

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for davisagli from gravatar.com davisagli Avatar for esteele from gravatar.com esteele Avatar for evilbungle from gravatar.com evilbungle Avatar for hannosch from gravatar.com hannosch Avatar for MatthewWilkes from gravatar.com MatthewWilkes

Unverified details

These details have not been verified by PyPI
Project links
GitHub Statistics

View statistics for this project via Libraries.io, or by using our public dataset on Google BigQuery

Meta

License: GPL

Author: Plone security team

Tags security, hotfix, patch

Classifiers

Release history Release notifications | RSS feed

1.2

This version

1.1

1.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

Products.PloneHotfix20110720-1.1.zip (9.6 kB view hashes)

Uploaded Source

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page