[Zope-Annce] Two low-impact security issues in Products.PluggableAuthService

Jens Vagelpohl jens at netz.ooo
Fri Feb 26 16:39:01 GMT 2021

Hi all,

Two low-impact security issues have been identified in Products.PluggableAuthService:

- an information disclosure issue involving the ZODB Role Manager plugin. See https://github.com/zopefoundation/Products.PluggableAuthService/security/advisories/GHSA-p75f-g7gx-2r7p for details.

- an open redirect issue in the Cookie Auth Helper. See https://github.com/zopefoundation/Products.PluggableAuthService/security/advisories/GHSA-p44j-xrqg-4xrr for details.

Both issues are mitigated by updating to Products.PluggableAuthService version 2.6.1 or higher. The Plone release managers will apply this update with Plone bugfix releases they are planning to publish within the next few days.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: Message signed with OpenPGP
URL: <http://mail.zope.org/pipermail/zope-announce/attachments/20210226/c387ab0e/attachment.sig>

More information about the Zope-Announce mailing list