Steffen Joeris
2009-Apr-28 02:18 UTC
[Secure-testing-team] Bug#525943: CVE-2009-0662: privilege escalation
Package: plone3
Severity: grave
Tags: security, patch

Hi,

the following CVE (Common Vulnerabilities & Exposures) id was published for plone3.

CVE-2009-0662[0]:
| The PlonePAS product 3.x before 3.9 and 3.2.x before 3.2.2, a product
| for Plone, does not properly handle the login form, which allows
| remote authenticated users to acquire the identity of an arbitrary
| user via unspecified vectors.

The description states PlonePAS, but as you confirmed in the mail that plone3 uses it, I am writing the bug report now for reference.

The upstream patch can be found here[1].

As already discussed via mail, please also prepare updated packages for lenny incorporating this fix and some of the other CVEs, which are fixed by upstream already.

If you fix the vulnerability please also make sure to include the CVE id in your changelog entry.

Cheers
Steffen

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0662
    http://security-tracker.debian.net/tracker/CVE-2009-0662
[1] http://klecker.debian.org/~white/plone3/CVE-2009-0662.patch