Bug#473571: plone3: CVE-2008-139[3-6] multiple vulnerabilities

2008-04-12 Thread Nico Golde
retitle 473571 plone3: CVE-2008-139[3-6],CVE-2008-0164 multiple vulnerabilities
thanks

Hi,
there is another CVE id that was assigned to this:

CVE-2008-0164[0]:
| Multiple cross-site request forgery (CSRF) vulnerabilities in Plone
| CMS 3.0.5 and 3.0.6 allow remote attackers to (1) add arbitrary
|

Bug#473571: plone3: CVE-2008-139[3-6] multiple vulnerabilities

2008-04-06 Thread Nico Golde
Hi Fabio,
* Fabio Tranchitella <[EMAIL PROTECTED]> [2008-04-05 19:27]:
> * 2008-04-05 14:01, Florian Weimer wrote:
> > * Nico Golde:
> >
> > > While I agree that the cookie issues and the session id
> > > issue is not of a high impact I still think that at least
> > > the CSRF issue should be f

Bug#473571: plone3: CVE-2008-139[3-6] multiple vulnerabilities

2008-04-05 Thread Fabio Tranchitella
Hello,
* 2008-04-05 14:01, Florian Weimer wrote:
> * Nico Golde:
>
> > While I agree that the cookie issues and the session id
> > issue is not of a high impact I still think that at least
> > the CSRF issue should be fixed cause the exploit scenario
> > has a certain real life importance.
>

Bug#473571: plone3: CVE-2008-139[3-6] multiple vulnerabilities

2008-04-05 Thread Florian Weimer
* Nico Golde:
> While I agree that the cookie issues and the session id
> issue is not of a high impact I still think that at least
> the CSRF issue should be fixed cause the exploit scenario
> has a certain real life importance.

The __ac cookie issue is significant as well if the secure flag

Bug#473571: plone3: CVE-2008-139[3-6] multiple vulnerabilities

2008-03-31 Thread Fabio Tranchitella
Hello,
* 2008-03-31 15:40, Nico Golde wrote:
> While I agree that the cookie issues and the session id issue is not of
> a high impact I still think that at least the CSRF issue should be fixed
> cause the exploit scenario has a certain real life importance.

I fully agree, but it seems that upst

Bug#473571: plone3: CVE-2008-139[3-6] multiple vulnerabilities

2008-03-31 Thread Nico Golde
Hi Fabio,
* Fabio Tranchitella <[EMAIL PROTECTED]> [2008-03-31 15:09]:
> * 2008-03-31 14:31, Nico Golde wrote:
[...]
> > the following CVE (Common Vulnerabilities & Exposures) ids were
> > published for plone3.
>
> To say the truth, I don't really think these security problems are real;
> I have

Bug#473571: plone3: CVE-2008-139[3-6] multiple vulnerabilities

2008-03-31 Thread Fabio Tranchitella
Hi Nico,
* 2008-03-31 14:31, Nico Golde wrote:
> Source: plone3
> Version: 3.0.6-1
> Severity: grave
> Tags: security
>
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) ids were
> published for plone3.

To say the truth, I don't really think these security problems are real; I have

Bug#473571: plone3: CVE-2008-139[3-6] multiple vulnerabilities

2008-03-31 Thread Nico Golde
Source: plone3
Version: 3.0.6-1
Severity: grave
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for plone3.

CVE-2008-1396[0]:
| Plone CMS 3.x uses invariant data (a client username and a server
| secret) when calculating an HMAC-SHA1 value for an auth
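The CVE-2008-1396 description above (an HMAC-SHA1 auth cookie computed over invariant data) and Florian Weimer's point about the Secure flag on the __ac cookie are both easier to see in code. The following is an added example written for this page; it is not Plone's own code, and the token layout, the secret, the one-hour lifetime and the function names are all assumptions made for illustration. It contrasts a MAC over username + server secret, which yields the same never-expiring cookie on every login, with a variant whose MAC also covers the issue time so that tokens differ per login and can expire, and it shows the cookie attributes that keep the token off plain HTTP.

```python
import hashlib
import hmac

# Constructed for this example: the real Plone server secret and the exact
# layout of the __ac cookie are not given on the page.
SERVER_SECRET = b"constructed-server-secret-do-not-reuse"


def invariant_token(username: str, secret: bytes = SERVER_SECRET) -> str:
    """Token of the kind the advisory describes: the MAC covers only data
    that never changes (username + server secret), so the same user gets
    the same cookie on every login and it never expires."""
    mac = hmac.new(secret, username.encode(), hashlib.sha1).hexdigest()
    return f"{username}:{mac}"


def verify_invariant_token(token: str, secret: bytes = SERVER_SECRET):
    """Returns the username if the MAC checks out, else None. Nothing here
    can ever reject an old or stolen token short of rotating the secret,
    which invalidates every user's cookie at once."""
    username, _, mac = token.rpartition(":")
    if not username:
        return None
    expected = hmac.new(secret, username.encode(), hashlib.sha1).hexdigest()
    return username if hmac.compare_digest(mac, expected) else None


def timed_token(username: str, issued_at: int, secret: bytes = SERVER_SECRET) -> str:
    """Hardened variant (assumed layout, not Plone's own format): the issue
    time is part of the MAC'd data, so the token changes per login and the
    verifier can enforce a lifetime."""
    payload = f"{username}:{issued_at}".encode()
    mac = hmac.new(secret, payload, hashlib.sha1).hexdigest()
    return f"{username}:{issued_at}:{mac}"


def verify_timed_token(token: str, now: int, max_age: int = 3600,
                       secret: bytes = SERVER_SECRET):
    """Returns the username for a valid, unexpired token, else None.
    rsplit from the right keeps any ':' inside the username intact."""
    try:
        username, issued_str, mac = token.rsplit(":", 2)
        issued_at = int(issued_str)
    except ValueError:
        return None
    expected = hmac.new(secret, f"{username}:{issued_at}".encode(),
                        hashlib.sha1).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    if issued_at > now or now - issued_at > max_age:
        return None  # expired, or issue time lies in the future
    return username


def ac_cookie_header(value: str, secure: bool = True) -> str:
    """Set-Cookie line for the auth cookie. Without the Secure attribute the
    browser also sends it over plain HTTP, which is the cookie-flag concern
    raised in the thread; HttpOnly keeps it away from page scripts."""
    attrs = ["__ac=" + value, "Path=/", "HttpOnly"]
    if secure:
        attrs.append("Secure")
    return "; ".join(attrs)


if __name__ == "__main__":
    # Same cookie on every login, and still accepted at any later time.
    first_login = invariant_token("alice")
    second_login = invariant_token("alice")
    print("invariant tokens identical:", first_login == second_login)
    print("still accepted later:", verify_invariant_token(first_login))

    t = timed_token("alice", 1_200_000_000)
    print("fresh:", verify_timed_token(t, 1_200_000_010))
    print("after 2h:", verify_timed_token(t, 1_200_000_000 + 7200))
    print(ac_cookie_header(t))
```

Run stand-alone it prints that the two invariant tokens are identical and still verify, that the timed token verifies ten seconds after issue and is rejected two hours later, and the Set-Cookie line with Secure and HttpOnly set.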