Hi there,
The Grok team is happy to announce the release of Grok 1.0b2. With
Grok 1.0 we will deliver a stable, powerful, featureful framework for
Python-based web development. Grok 1.0b2 is feature complete for Grok
1.0. We hope it is the final beta before Grok 1.0 final.
Changes
Grok 1.0b2 has the following changes compared to Grok 1.0a4:
* grokproject layout changed again. We store the database and logfiles
under the var directory in the buildout.
* Running the server with debug.ini and the exception middleware in
there won't require you to use a different login location for the
admin UI. Just going to http://localhost:8080 should give you a login
prompt.
This release also contains a number of bugfixes.
This is actually the first beta of Grok 1.0; beta 1 should be ignored
and we consider it not officially released.
See the more extensive announcement here for more information:
http://grok.zope.org/project/releases/1.0b2
Regards,
Martijn
A vulnerability has been found in the Zope Object Database (ZODB) Zope
Enterprise Objects (ZEO) server implementation that allows any file
readable by the server to be read by clients and any file removable by
the server to be removed.
The vulnerability only applies if
- you are using ZEO to share a database among multiple applications or
application instances,
- you allow untrusted clients to connect to your ZEO server, and
- the ZEO server is configured to support blobs.
The vulnerability was introduced in ZODB 3.8.
Overview
--------
This vulnerability is addressed by updates to ZODB.
A new release of ZODB is available here:
http://pypi.python.org/pypi/ZODB3/3.8.3
(There is also a new development release at
http://pypi.python.org/pypi/ZODB3/3.9.0c2.)
If you are using blobs, we recommend updating any ZEO storage servers
you're running to ZODB 3.8.3 (or ZODB 3.9.0c2). These versions
support ZEO clients as old as ZODB 3.2. It isn't necessary to update
client software (such as Zope application servers).
Restricting access to ZEO storage servers
-----------------------------------------
It is very important to restrict write access to ZODB databases. These
releases only protect against vulnerabilities in the ZEO network
protocol. ZODB uses Python pickles to store data. Loading data from
the database can cause arbitrary code to be executed as part of object
deserialization. Clients have full access to manipulate database
data. For this reason, it is very important that only trusted clients
be allowed to write to ZODB databases.
Jim
--
Jim Fulton
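The advisory above describes a server that let clients read or remove any file the server process could reach. The general defence for any service that hands out files from a directory (a blob directory, in ZEO's case) is to resolve the client-supplied name against the directory root and refuse anything that lands outside it, including paths that escape via a symlink. The following is an added illustration of that check, not ZODB's own code and not a reproduction of the ZODB 3.8.3 fix; the function names, the `blob_dir` layout and the sample paths are constructed for the example.

```python
import os
import shutil
import tempfile


class BlobPathError(ValueError):
    """Raised when a client-supplied blob path escapes the blob directory."""


def resolve_blob_path(blob_dir, client_path):
    """Return the absolute path for client_path, confined to blob_dir.

    Rejects empty and absolute names, '..' components and symlink escapes
    by resolving both the root and the candidate with realpath and then
    checking that the candidate lies strictly below the root.
    """
    if not client_path or os.path.isabs(client_path):
        raise BlobPathError("empty or absolute path rejected: %r" % (client_path,))
    root = os.path.realpath(blob_dir)
    candidate = os.path.realpath(os.path.join(root, client_path))
    try:
        common = os.path.commonpath([root, candidate])
    except ValueError:
        # Different drives on Windows: cannot be inside the root.
        common = None
    if common != root or candidate == root:
        raise BlobPathError("path escapes blob directory: %r" % (client_path,))
    return candidate


def demo_results():
    """Exercise the check against a constructed blob layout in a temp dir.

    Layout (constructed for this example):
        <base>/blobs/0x01/          legitimate blob subdirectory
        <base>/outside/             data the client must never reach
        <base>/blobs/escape -> <base>/outside   symlink planted inside the root
    Returns a dict mapping each sample client path to 'allowed' or 'rejected'.
    """
    base = tempfile.mkdtemp()
    try:
        blob_dir = os.path.join(base, "blobs")
        outside = os.path.join(base, "outside")
        os.makedirs(os.path.join(blob_dir, "0x01"))
        os.makedirs(outside)
        os.symlink(outside, os.path.join(blob_dir, "escape"))
        samples = (
            "0x01/0x02.blob",          # normal blob name: allowed
            "../outside/secret",       # parent traversal: rejected
            "/etc/passwd",             # absolute path: rejected
            "escape/secret",           # symlink out of the root: rejected
            "0x01/../../outside/x",    # traversal hidden behind a valid dir: rejected
            "",                        # empty name: rejected
        )
        results = {}
        for rel in samples:
            try:
                resolve_blob_path(blob_dir, rel)
                results[rel] = "allowed"
            except BlobPathError:
                results[rel] = "rejected"
        return results
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for path, verdict in demo_results().items():
        print("%-24r %s" % (path, verdict))
```

The containment test is done on the resolved paths rather than on the string the client sent, so a name that looks harmless ("0x01/../../outside/x") or that passes through a symlink is caught the same way as a plain "../". Note that this only limits which files a client can name; as the advisory says, it does nothing about a client that is allowed to write pickled objects into the database, which is why write access itself must be restricted to trusted clients.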