Zope-Announce

zope-announce@zope.dev

October 2011

1 participants
1 discussions

Hotfix for security vulnerability
by Tres Seaver 24 Oct '11

24 Oct '11

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On behalf of the Zope security response team, I would like to announce the availability of a hotfix for a vulnerability inadvertently published earlier today. 'Products.Zope_Hotfix_20111024' README ====================================== Overview - -------- This hotfix addresses a serious vulnerability in the Zope2 application server. Affected versions of Zope2 include: - - 2.12.x <= 2.12.20 - - 2.13.x <= 2.13.6 Older releases (2.11.x, 2.10.x, etc.) are not vulnerable. The Zope2 security response team recommends that all users of these releases upgrade to an unaffected release (2.12.21 or 2.13.11) as soon as they become available. Until that upgrade is feasible, deploying this hotfix also mitigates the vulnerability. Installing the Hotfix: Via 'easy_install' - ------------------------------------------- If the Python which runs your Zope instance has 'setuptools' installed (or is a 'virtualenv'), you can install the hotfix directly from PyPI:: $ /prefix/bin/easy_install Products.Zope_Hotfix_20111024 and then restart the Zope instance, e.g.: $ /path/to/instance/bin/zopectl restart Installing the Hotfix: Via 'zc.buildout' - ----------------------------------------- If your Zope instance is managed via 'zc.buildout', you can install the hotfix directly from PyPI. Edit the 'buildout.cfg' file, adding "Products.Zope_Hotfix_20111024" to the "eggs" section of the instance. E.g.:: [instance] recipe = plone.recipe.zope2instance #... eggs = ${buildout:eggs} Products.Zope_Hotfix_20111024 Next, re-run the buildout:: $ /path/to/buildout/bin/buildout and then restart the Zope instance, e.g.: $ /path/to/buildout/bin/instance restart Installing the Hotfix: Manual Installation - ------------------------------------------- You may also install this hotfix manually. Download the tarball from the PyPI page: http://pypi.python.org/pypi/Products.Zope_Hotfix_20111024 Unpack the tarball and add a 'products' key to the 'etc/zope.conf' of your instance. E.g.:: products /path/to/Products.Zope_Hotfix_20111024/Products and restart. Verifying the Installation - -------------------------- After restarting the Zope instance, check the 'Control_Panel/Products' folder in the Zope Management Interface, e.g.: http://localhost:8080/Control_Panel/Products/manage_main You should see the 'Zope_Hotfix_20111024' product folder there. Tres. - -- =================================================================== Tres Seaver +1 540-429-0999 tseaver(a)palladion.com Palladion Software "Excellence by Design" http://palladion.com -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk6l3pQACgkQ+gerLs4ltQ66AgCfT1cd94LXzBtdzNiBqKXnGBIF 7dwAoISO0AkuvERn+cw4W0cPo82c5r+D =xRBY -----END PGP SIGNATURE-----

1 0