Plone System Upgrade
We've just run an emergency upgrade against our Plone 2.5.2 instances.
This was in response to a critical security vulnerability announced just now by the Plone Foundation. We've checked a number of sites and there seem to be no ill effects; however, if you spot a problem with your site, please let us know and we'll investigate as soon as possible.
(The upgrade should consist of security fixes only; there have been no major changes.)
- We are now running Plone version 2.5.4 rev 2.
Issue Details
CVE-2007-5741: Unsafe data interpreted as pickles
This upgrade corrects a vulnerability in the statusmessages and linkintegrity modules, where unsafe network data was interpreted as Python pickles. Because unpickling can instantiate arbitrary importable objects and call them, this allows an attacker to run arbitrary Python code within the Zope/Plone process.
This issue has been assigned CVE-2007-5741.
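The class of bug above is unpickling data that arrived over the network. The following added example (not code from the Plone advisory, the hotfix, or the Plone codebase) shows two defensive measures a reviewer would expect in place of a bare `pickle.loads()`: a scan of the pickle stream for opcodes that can reach importable names or invoke callables, done without executing it, and a restricted unpickler that refuses every global lookup, which plain status-message data never needs. It also shows the usual replacement, encoding such data as JSON instead. The opcode set, the class names and the constructed sample payloads are assumptions for illustration; the "hostile" payload only references the harmless `os.getcwd` so the demonstration stays inert.

```python
import io
import json
import os
import pickle
import pickletools

# Opcodes through which a pickle can name an arbitrary importable object or
# invoke it (assumed list for illustration; a pure-data payload such as a
# status message uses none of them).
UNSAFE_OPCODES = {
    "GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX",
    "REDUCE", "BUILD",
}


def unsafe_opcodes(data: bytes) -> set:
    """Disassemble the stream with pickletools (nothing is executed) and
    report which of the dangerous opcodes it contains."""
    return {op.name for op, _arg, _pos in pickletools.genops(data)} & UNSAFE_OPCODES


def is_safe_pickle(data: bytes) -> bool:
    """True when the stream contains only data-building opcodes."""
    return not unsafe_opcodes(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global lookup. Plain data (str, int,
    list, dict, tuple, ...) is reconstructed without find_class ever being
    called, so legitimate payloads still load."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def safe_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def rejects(data: bytes) -> bool:
    """True when safe_loads refuses the payload."""
    try:
        safe_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


# Preferred fix for message-style data: a format that cannot name code at all.
def encode_status(message: dict) -> str:
    return json.dumps(message)


def decode_status(raw: str) -> dict:
    return json.loads(raw)


class CallsGetcwd:
    """Constructed stand-in for a hostile object: unpickling it makes the
    unpickler import and call os.getcwd() (chosen because it is harmless)."""

    def __reduce__(self):
        return (os.getcwd, ())


# Constructed sample payloads.
STATUS_MESSAGE = {"message": "Item saved.", "type": "info"}
BENIGN = pickle.dumps(STATUS_MESSAGE, protocol=2)
HOSTILE = pickle.dumps(CallsGetcwd(), protocol=2)

if __name__ == "__main__":
    print("benign opcodes flagged:", unsafe_opcodes(BENIGN))
    print("hostile opcodes flagged:", unsafe_opcodes(HOSTILE))
    print("benign loads as:", safe_loads(BENIGN))
    print("hostile rejected:", rejects(HOSTILE))
    print("json round trip:", decode_status(encode_status(STATUS_MESSAGE)))
```

The opcode scan is useful as a logging or detection step in front of any legacy code path that still has to accept pickles, while the restricted unpickler is the minimum hardening for that path itself; switching the payload to JSON removes the problem rather than fencing it.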
Affected versions
- Plone 2.5 up to and including 2.5.4
- Plone 3.0 up to and including 3.0.2
These fixes are included in the 2.5.5 and 3.0.3 releases, at which point this hotfix can be removed.
Installing the hotfix
If an updated Plone has not been released by the time you read this, or you cannot upgrade your Plone, you can install Plone Hotfix 2007-11-06. The hotfix is installed like a normal Zope product:
- Extract it in the Products directory of your Zope instance
- Restart Zope
- Verify that the hotfix is listed in the product management page in the Zope Control Panel
Reported incidents
No incidents of this happening to sites in the wild have been reported.