===================================================================== CERT-Renater Note d'Information No. 2007/VULN551 _____________________________________________________________________ DATE : 28/12/2007 HARDWARE PLATFORM(S) : / OPERATING SYSTEM(S) : Systems running zope-cmfplone. ====================================================================== - -------------------------------------------------------------------------- Debian Security Advisory DSA 1405-3 security@debian.org http://www.debian.org/security/ Thijs Kinkhorst December 1st, 2007 http://www.debian.org/security/faq - -------------------------------------------------------------------------- Package : zope-cmfplone Vulnerability : missing input sanitising Problem-Type : remote Debian-specific: no CVE ID : CVE-2007-5741 Debian Bug : 449523 The Plone developers discovered that their hotfix, released as DSA 1405, introduced two regressions. This update corrects these flaws. For completeness, the original advisory text below: It was discovered that Plone, a web content management system, allows remote attackers to execute arbitrary code via specially crafted web browser cookies. The oldstable distribution (sarge) is not affected by this problem. For the stable distribution (etch) this problem has been fixed in version 2.5.1-4etch3. For the unstable distribution (sid) this problem has been fixed in version 2.5.2-3. We recommend that you upgrade your zope-cmfplone package. Upgrade Instructions - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 4.0 alias etch - ------------------------------- Source archives: http://security.debian.org/pool/updates/main/z/zope-cmfplone/zope-cmfplone_2.5.1.orig.tar.gz Size/MD5 checksum: 1064993 b48215d46aafa9e1f12196263d86a191 http://security.debian.org/pool/updates/main/z/zope-cmfplone/zope-cmfplone_2.5.1-4etch3.diff.gz Size/MD5 checksum: 11282 5333207df578b0ddfe05207225b09e76 http://security.debian.org/pool/updates/main/z/zope-cmfplone/zope-cmfplone_2.5.1-4etch3.dsc Size/MD5 checksum: 1114 73489e05e1e2c706a70279e50759b7c5 Architecture independent packages: http://security.debian.org/pool/updates/main/z/zope-cmfplone/plone-site_2.5.1-4etch3_all.deb Size/MD5 checksum: 9956 105cbe8680cf1da7956b7a201d53df1f http://security.debian.org/pool/updates/main/z/zope-cmfplone/zope-cmfplone_2.5.1-4etch3_all.deb Size/MD5 checksum: 1190972 68583a0c4662b6fd8f19e01cdf4b0f9b These files will probably be moved into the stable distribution on its next update. - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show ' and http://packages.debian.org/ ====================================================================== ========================================================= Les serveurs de référence du CERT-Renater http://www.urec.fr/securite http://www.cru.fr/securite http://www.renater.fr ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 151 bd de l'Hopital | fax : 01-53-94-20-41 + + 75013 Paris | email: certsvp@renater.fr + =========================================================