Bug 203255

Summary: www/plone: security/vuxml: multiple security advisories
Product: Ports & Packages
Component: Individual Port(s)
Status: Closed FIXED
Severity: Affects Only Me
Priority: ---
Version: Latest
Hardware: Any
OS: Any
Reporter: Jason Unovitch <junovitch>
Assignee: Ruslan Makhmatkhanov <rm>
CC: ports-secteam, rm, zope
Keywords: security

Description Jason Unovitch freebsd_committer freebsd_triage 2015-09-22 00:41:20 UTC
Maintainer of www/plone,

Multiple security advisories have been posted for issues in Plone.

http://www.openwall.com/lists/oss-security/2015/09/19/2
http://www.openwall.com/lists/oss-security/2015/09/19/3
http://www.openwall.com/lists/oss-security/2015/09/19/4
http://www.openwall.com/lists/oss-security/2015/09/19/5

I haven't looked into these further, but it looks like these issues will need VuXML and an update to the port.

Comment 1 commit-hook freebsd_committer freebsd_triage 2015-10-05 03:09:37 UTC
A commit references this bug:

Author: junovitch
Date: Mon Oct  5 03:09:25 UTC 2015
New revision: 398628
URL: https://svnweb.freebsd.org/changeset/ports/398628

Log:
  Document 20150910 Plone advisories

  PR:		203255
  Security:	6b3374d4-6b0b-11e5-9909-002590263bf5

Changes:
  head/security/vuxml/vuln.xml

Comment 2 Jason Unovitch freebsd_committer freebsd_triage 2015-10-05 03:15:54 UTC
The first two are for the current version of Plone.  The second two are for Plone 3 or 4.2.x.

There are immediate action steps for the end user in the advisory for the self-registration feature, and the end user can patch their local instance or disable the vulnerable feature.  However, as the XSS feature did not have a hotfix patch, I felt it would be prudent to just document 4.3.7 as fixed.

Comment 3 Ruslan Makhmatkhanov freebsd_committer freebsd_triage 2016-01-10 23:14:01 UTC
Plone was just updated to 4.3.7. Thank you for the vuxml entry, Jason.