Bug#473571: unclarity about plone bugs
Wichert Akkerman
wichert at wiggy.net
Sun Jun 15 11:14:38 UTC 2008
Thijs Kinkhorst wrote:
> Hoi Wichert,
>
> There's some unclarity about a set of security issues in Plone. This is in
> Debian bug #473571 (CC'ed). Could you please take a look and clarify which
> issues are fixed or are non-issues?
>
CVE-2008-1396 is only a problem if you don't follow best practices. Best
practice here means setting up automated cycling of the server secret.
CVE-2008-1395: same thing. The reason we use such a method is that
anything else is incredibly expensive on busy sites.
CVE-2008-1394 only holds for Plone < 3.0. Plone 3.0 uses a completely
different session implementation.
CVE-2008-1393 is not true for Plone accounts. It only holds when using
accounts defined outside the Plone site (such as the Zope root admin
account) inside the Plone site. Again, this is against best practices.
The CSRF issues mentioned later in the bugreport have seen a hotfix for
Plone 3.0 and are fixed in Plone 3.1. They will not be fixed in Plone 2.5.
Wichert.
--
Wichert Akkerman<wichert at wiggy.net> It is simple to make things.
http://www.wiggy.net/ It is hard to make things simple.
More information about the pkg-zope-developers
mailing list