Bug#473571: unclarity about plone bugs

Thijs Kinkhorst thijs at debian.org
Sun Jun 15 12:18:29 UTC 2008


clone 473571 -1
reassign -1 zope-cmfplone
severity 473571 important
thanks

Wichert, thank you for your information. I've marked the issues as "low"
since they're against best practices, and am cloning this report for
zope-cmfplone in stable. I also think that justifies lowering the impact
of this bug.


Thijs

On Sun, June 15, 2008 13:14, Wichert Akkerman wrote:
> CVE-2008-1396 is only a problem if you don't follow best practices. Best
> practice here means setting up automated cycling of the server secret.

> CVE-2008-1395: same thing. The reason we use such a method is that
> anything else is incredibly expensive on busy sites.
>
> CVE-2008-1394 only holds for Plone < 3.0. Plone 3.0 uses a completely
> different session implementation.
>
> CVE-2008-1393 is not true for Plone accounts. It only holds when using
> accounts defined outside the Plone site (such as the Zope root admin
> account) inside the Plone site. Again, this is against best practices.
>
> The CSRF issues mentioned later in the bugreport have seen a hotfix for
> Plone 3.0 and are fixed in Plone 3.1. They will not be fixed in Plone 2.5.








More information about the pkg-zope-developers mailing list