Bug#473571: plone3: CVE-2008-139[3-6] multiple vulnerabilities

Nico Golde nion at debian.org
Mon Mar 31 12:24:12 UTC 2008


Source: plone3
Version: 3.0.6-1
Severity: grave
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for plone3.


CVE-2008-1396[0]:
| Plone CMS 3.x uses invariant data (a client username and a server
| secret) when calculating an HMAC-SHA1 value for an authentication
| cookie, which makes it easier for remote attackers to gain permanent
| access to an account by sniffing the network.

CVE-2008-1395[1]:
| Plone CMS does not record users' authentication states, and implements
| the logout feature solely on the client side, which makes it easier
| for context-dependent attackers to reuse a logged-out session.

CVE-2008-1394[2]:
| Plone CMS before 3 places a base64 encoded form of the username and
| password in the __ac cookie for all user accounts, which makes it
| easier for remote attackers to obtain access by sniffing the network.

CVE-2008-1393[3]:
| Plone CMS 3.0.5, and probably other 3.x versions, places a base64
| encoded form of the username and password in the __ac cookie for the
| admin account, which makes it easier for remote attackers to obtain
| administrative privileges by sniffing the network.

If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.

Can you please check if those affect Debian? I did not find 
any statement regarding a fixed version by the upstream, did 
not see any patches, no installation to try it out and the 
advisory doesn't reference any code.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1396
    http://security-tracker.debian.net/tracker/CVE-2008-1396
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1395
    http://security-tracker.debian.net/tracker/CVE-2008-1395
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1394
    http://security-tracker.debian.net/tracker/CVE-2008-1394
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1393
    http://security-tracker.debian.net/tracker/CVE-2008-1393

-- 
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
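
An added example, not from the original mail or from Plone's code: a simplified model of the cookie scheme that CVE-2008-1396 and CVE-2008-1395 describe, next to a variant that binds a random session id and an expiry into the MAC and keeps server-side state so that logout revokes the session. The secret, the cookie layout, and the names `invariant_cookie` and `SessionStore` are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time

SECRET = b"constructed-server-secret"  # constructed sample value, not a real key

def invariant_cookie(user):
    """Weak model: MAC over the username and a fixed secret only."""
    mac = hmac.new(SECRET, user.encode(), hashlib.sha1).hexdigest()
    return f"{user}:{mac}"

def invariant_valid(cookie):
    """Accepts any well-formed MAC; no expiry and no server-side state."""
    user, _, mac = cookie.rpartition(":")
    expected = hmac.new(SECRET, user.encode(), hashlib.sha1).hexdigest()
    return hmac.compare_digest(mac.encode(), expected.encode())

class SessionStore:
    """Hardened model: random session id, expiry under the MAC, revocable."""
    def __init__(self, ttl=3600):
        self.ttl = ttl
        self.active = {}  # session id -> (user, expiry), kept on the server

    def _mac(self, sid, user, expiry):
        msg = f"{sid}|{user}|{expiry}".encode()
        return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

    def login(self, user, now=None):
        now = int(time.time()) if now is None else now
        sid, expiry = os.urandom(16).hex(), now + self.ttl
        self.active[sid] = (user, expiry)
        return f"{sid}|{user}|{expiry}|{self._mac(sid, user, expiry)}"

    def logout(self, cookie):
        # Server-side revocation: the cookie stops working even if replayed.
        self.active.pop(cookie.split("|")[0], None)

    def valid(self, cookie, now=None):
        now = int(time.time()) if now is None else now
        parts = cookie.split("|")
        if len(parts) != 4 or not parts[2].isdigit():
            return False
        sid, user, expiry, mac = parts
        expected = self._mac(sid, user, int(expiry))
        if not hmac.compare_digest(mac.encode(), expected.encode()):
            return False
        return self.active.get(sid) == (user, int(expiry)) and now < int(expiry)
```

Neither form keeps a cookie sent over plain HTTP from being read on the wire; the second only bounds how long a captured value stays usable and lets the server end it at logout.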