Richard Mitchell has responsibly disclosed a security vulnerability in
Products.membrane, reported to the maintainers he could track down. Thanks!
The vulnerability is an information disclosure. An anonymous user could
for example get the e-mail address of a membrane user or his password.
Normally that should only be a hashed password, as is the case when
you use Products.remember. So it should usually be no big deal, but it
is certainly better not to give away such a hash in the first place.
Use Products.membrane 2.1.1 when you are on Plone 3.3 or 4.x:
http://pypi.python.org/pypi/Products.membrane/2.1.1
Use Products.membrane 1.1 when you are on any Plone 3 version:
http://pypi.python.org/pypi/Products.membrane/1.1
The 1.1 version is basically the old 1.1b5 release from early 2009 with
an uninstall profile added plus this security fix. If you are currently
a happy user of 1.1b5 and are scared of a sudden big version increase to
2.1.1 then version 1.1 is a safe upgrade.
As always: make a backup of your Data.fs (and blobstorage if you have
it) before applying this upgrade and make sure you know how to restore
that backup and the previous software versions in case anything goes
wrong. And do some testing on a copy of your site first.
Got a question? Ask it on this list.
Kind regards,
--
Maurits van Rees http://maurits.vanrees.org/
Web App Programmer at Zest Software: http://zestsoftware.nl
"Logical thinking shows conclusively that logical thinking
is inconclusive." - My summary of Gödel, Escher, Bach
--
Archive: http://www.coactivate.org/projects/remember/lists/remember/archive/2011/12/1322770677912
To unsubscribe send an email with subject "unsubscribe" to reme...@lists.coactivate.org. Please contact remember...@lists.coactivate.org for questions.
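A small check for the upgrade advice above, added here as an example and not code from the announcement or from Products.membrane itself. It encodes the two fixed releases named in the message (2.1.1 for Plone 3.3 or 4.x, 1.1 for any Plone 3) and treats every earlier release in the same series as affected; that last point is an assumption the announcement only implies. The version parser is hand-rolled so the script runs without extra packages, and it exists mainly because naive string comparison gets the important case wrong: "1.1b5" sorts after "1.1" as a string but is the older, unfixed release.

```python
"""Is my Products.membrane release older than the information-disclosure fix?

Fixed releases, per the December 2011 announcement on the remember list:
  - 2.1.1 for Plone 3.3 and 4.x
  - 1.1   for any Plone 3 version (1.1 is 1.1b5 plus an uninstall profile
          and the fix)

Assumption (implied, not stated, by the announcement): every release in the
1.x series before 1.1 and every release in the 2.x series before 2.1.1 has
the bug. Plone versions outside 3.x/4.x are rejected because the
announcement says nothing about them.
"""
import re
from typing import Optional, Tuple

# Fixed release per major series of Products.membrane.
FIXED_RELEASES = {1: "1.1", 2: "2.1.1"}

# Pre-release tags in ascending order; a final release sorts after all of them.
_PRE_TAGS = {"a": 0, "b": 1, "rc": 2}
_FINAL = (3, 0)

VersionKey = Tuple[Tuple[int, int, int], Tuple[int, int]]


def parse_version(text: str) -> VersionKey:
    """Turn 'X.Y[.Z][{a|b|rc}N]' into a key that sorts like PEP 440 would.

    Missing release segments are padded with zeros so 1.1 == 1.1.0, and a
    pre-release tag sorts before the corresponding final release, so
    1.1b5 < 1.1 and 2.1.1rc1 < 2.1.1.
    """
    match = re.fullmatch(r"(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?", text.strip())
    if not match:
        raise ValueError("unsupported version string: %r" % text)
    nums = tuple(int(part) for part in match.group(1).split("."))
    nums = nums + (0,) * (3 - len(nums)) if len(nums) < 3 else nums[:3]
    if match.group(2):
        pre = (_PRE_TAGS[match.group(2)], int(match.group(3)))
    else:
        pre = _FINAL
    return nums, pre  # type: ignore[return-value]


def is_affected(installed: str) -> bool:
    """True when the installed release predates the fix for its series."""
    key = parse_version(installed)
    series = key[0][0]
    if series not in FIXED_RELEASES:
        raise ValueError("no fixed release known for series %d.x" % series)
    return key < parse_version(FIXED_RELEASES[series])


def recommended_upgrade(installed: str, plone_version: str) -> Optional[str]:
    """Return the release to move to, or None when already fixed.

    Follows the announcement: a 1.x install on any Plone 3 can take the
    small step to 1.1; otherwise Plone 3.3 and 4.x get 2.1.1 and other
    Plone 3.x get 1.1.
    """
    if not is_affected(installed):
        return None
    series = parse_version(installed)[0][0]
    plone_major, plone_minor = parse_version(plone_version)[0][:2]
    if series == 1 and plone_major == 3:
        return "1.1"
    if plone_major == 4 or (plone_major == 3 and plone_minor >= 3):
        return "2.1.1"
    if plone_major == 3:
        return "1.1"
    raise ValueError("announcement names no fixed release for Plone %s"
                     % plone_version)


if __name__ == "__main__":
    # Constructed sample installs, not data from the announcement.
    for membrane, plone in [("1.1b5", "3.2.3"), ("2.1", "4.1"),
                            ("2.1.1", "4.1"), ("1.1", "3.3.5")]:
        target = recommended_upgrade(membrane, plone)
        print("Products.membrane %s on Plone %s: %s"
              % (membrane, plone, "fixed" if target is None
                 else "upgrade to %s" % target))
```

Run it with the installed version you read out of your buildout or egg directory; a None result means the release already carries the fix.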
Clayton
--
Six Feet Up, Inc. | Where sophisticated web projects thrive
Direct Line: +1 (317) 861-5948 x603
Email: cla...@sixfeetup.com
Try Plone 4 Today at: http://plone4demo.com
On Dec 1, 2011, at 3:17 PM, Maurits van Rees wrote:
--
Archive: http://www.coactivate.org/projects/remember/lists/remember/archive/2011/12/1322835482714