[Security advisory] Zope 2.7 + 2.8
Synopsis: Due to an error in the cAccessControl module of Zope it is possible to bring down a complete Zope site as documented in http://mail.zope.org/pipermail/zope-dev/2004-December/024087.html

This exploit causes a segmentation fault of the Python interpreter. Vulnerable for this exploit are at least all Zope installations that allow untrusted users to edit ZPTs (possibly DTML as well) either through the ZMI or through the file system.

Affected versions: Zope 2.7.X, Zope 2.8.X

Recommended solution: Turn off cAccessControl and enable the Python AccessControl implementation in etc/zope.conf (this line is commented in the default configuration):

    security-policy-implementation python

A fixed implementation of cAccessControl will be included in the upcoming Zope 2.7.4 beta 2 release.

----
Andreas Jung
Zope 2 Release Manager
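A quick way to verify that the recommended mitigation is actually in effect on an instance is to read the effective security-policy-implementation directive out of zope.conf, treating a missing or commented-out directive as the default (the C implementation). This is an added example, not part of the advisory; the function names and the two sample configurations are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which AccessControl implementation a zope.conf selects.
# A directive that is absent or commented out means the default applies, which
# on Zope 2.7/2.8 is cAccessControl (the vulnerable C implementation).

# zope_security_policy FILE
# Prints the effective value ("python" or "c") of security-policy-implementation.
zope_security_policy() {
    value=$(grep -Ei '^[[:space:]]*security-policy-implementation[[:space:]]+' "$1" \
        | tail -n 1 \
        | awk '{print tolower($2)}')
    if [ -z "$value" ]; then
        echo c          # no active directive: cAccessControl in use
    else
        echo "$value"
    fi
}

# zope_mitigated FILE
# Exit status 0 if the Python implementation is active, 1 otherwise.
zope_mitigated() {
    [ "$(zope_security_policy "$1")" = "python" ]
}

# Constructed sample configurations for a stand-alone run.
tmp=$(mktemp -d)
cat > "$tmp/default.conf" <<'EOF'
# As shipped: the directive is present but commented out.
#    security-policy-implementation python
instancehome $INSTANCE
EOF
cat > "$tmp/fixed.conf" <<'EOF'
instancehome $INSTANCE
security-policy-implementation python
EOF

for f in default.conf fixed.conf; do
    if zope_mitigated "$tmp/$f"; then
        echo "$f: Python AccessControl active (mitigated)"
    else
        echo "$f: cAccessControl active (set 'security-policy-implementation python')"
    fi
done
```

Run it against the real etc/zope.conf of each instance; the check ignores commented lines, so a directive that is only present in the commented default template still reports the instance as unmitigated.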
Hi Andreas (and anyone else who does security releases)

Might I suggest also announcing this to bugtraq@securityfocus.com?

Also, it would be handy for those of us that use mail server plugins to cut down on duplicate messages if you could send messages to the announce list that don't CC the zope list, or any other bulk list. This message got filed in with the bulk stuff and so I haven't seen it for weeks :-S

cheers,

Chris

--
Simplistix - Content Management, Zope & Python Consulting
- http://www.simplistix.co.uk