In the wake of the security release of Products.membrane from yesterday
I fixed a similar problem in Products.remember, also indicated by
Richard Mitchell, thanks.
The security problem is this: anonymous users could get the password
hash of a remember member. It is not an immediate problem, but it sure
makes it easier to crack passwords.
I have made three releases with this fix on PyPI, 1.1, 1.2, 1.9, all
listed here:
http://pypi.python.org/pypi/Products.remember
1.1 is the old 1.1b3 release from 2009 with the security fix added. Use
this when you were using that release and do not want a big upgrade.
Compatible with Plone 3.x and Products.membrane 1.1. Definitely NOT
with Plone 4 or Products.membrane 2.x.
1.2 has more changes; see the changelog. It has the changes that were
done on trunk before Ken started doing bigger changes leading to the 1.9
series. Compatible with Plone 3 and Products.membrane 1.1 or 2.x (2.1.1
recommended). Might work on Plone 4 but the automated tests say
otherwise; that might just be a problem with the tests though.
1.9 is the obvious choice when you were already running 1.9b1.
Compatible with Plone 4.x and Products.membrane 2.x (2.1.1 recommended).
Like always: make a backup of your Data.fs (and blobstorage if you have
it) before applying this upgrade and make sure you know how to restore
that backup and the previous software versions in case anything goes
wrong. And do some testing on a copy of your site first.
Got a question? Ask it on this list.
Note for developers of Products.remember: I have made branches 1.1 and
1.2 that can be used in case new releases need to be made in those
lines. New developments are likely to only happen on trunk (1.9),
though I myself have no current plans. If anyone wants to fix the 1.2
branch (or perhaps just the tests) so the tests run on both Plone 3 and
4, be my guest. All branches and trunk have a buildout.cfg for testing.
Kind regards,
--
Maurits van Rees http://maurits.vanrees.org/
Web App Programmer at Zest Software: http://zestsoftware.nl
"Logical thinking shows conclusively that logical thinking
is inconclusive." - My summary of Gödel, Escher, Bach
--
Archive: http://www.coactivate.org/projects/remember/lists/remember/archive/2011/12/1322834418554
To unsubscribe send an email with subject "unsubscribe" to reme...@lists.coactivate.org. Please contact remember...@lists.coactivate.org for questions.
I have a Plone 3.3.5 site in production that has remember and membrane pegged at versions 1.1b3 and 1.1b3 respectively.
When I peg them at 1.2 and 2.1.1, the client's product that uses remember no longer appears in portal_quickinstaller (if I switch back and rebuild, it reappears).
I also tried remember 1.2 with membrane 1.1, but on starting Zope, p.remember/content/member.py fails to import Products.membrane.at on line 36 (which isn't in membrane 1.1).
Hm, kinda hard to say without having the code of that client's product. Perhaps the install method of this client product is expecting things in Products.remember or membrane that have been changed? Are you getting an error or warning in the logs (or on the foreground) when you look at the portal_quickinstaller?
Does the product end up in the products in the root Zope Control Panel or does it vanish (or show an error) there as well?
For clarity I have just released Products.remember 1.2.1 that has an official requirement on Products.membrane>=2.0dev.