CVE-2012-6661

Advisory

Plone versions 4.2.3 and 4.3b1 include a fix for CVE-2012-6661, a vulnerability in its dependency "zope".

Affected package

Affected versions

Fixed versions

Vulnerability changelog

Zope before 2.13.19, as used in Plone before 4.2.3 and 4.3 before beta 1, does not reseed the pseudo-random number generator (PRNG), which makes it easier for remote attackers to guess the value via unspecified vectors. NOTE: this issue was SPLIT from CVE-2012-5508 due to different vulnerability types (ADT2).

Resources

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6661
• https://plone.org/products/plone/security/advisories/20121106/24
• https://plone.org/products/plone-hotfix/releases/20121124
• https://bugs.launchpad.net/zope2/+bug/1071067
• http://www.openwall.com/lists/oss-security/2012/11/10/1
• https://github.com/plone/Products.CMFPlone/blob/4.2.3/docs/CHANGES.txt