Problem with Hotfix 2000-10-11 on 2.1.6
I'm having trouble installing Hotfix_2000-10-11 on Zope 2.1.6, although the README says: "The hotfix will work for all versions of Zope 2.2.0 and higher."

If installed on 2.1.6, the product shows up as broken, since it tries to run "from OFS.ObjectManager import aq_base", which fails, since aq_base wasn't available in ObjectManager before 2.2.1 (!).

Therefore I guess the Hotfix won't work for any versions prior to 2.2.1. According to the README, those versions are still vulnerable.

Could somebody give me a hint if and how it's possible to backport the Hotfix to Zope 2.1.6 ?

Gregor
Gregor Hoffleit wrote:
Could somebody give me a hint if and how it's possible to backport the Hotfix to Zope 2.1.6 ?
Surely it'd be better to move your servers forward to 2.2.5 or maybe 2.3.1 when it's out?!

cheers,
Chris
On Thu, Mar 29, 2001 at 12:34:16PM +0100, Chris Withers wrote:
Gregor Hoffleit wrote:
Could somebody give me a hint if and how it's possible to backport the Hotfix to Zope 2.1.6 ?
Surely it'd be better to move your servers forward to 2.2.5 or maybe 2.3.1 when it's out?!
It's about backwards compatibility. Debian's last release had a 2.1.6 package in it, and our release managers simply won't accept a new upstream version (i.e. 2.2.5 or 2.3) as a security fix.

Therefore, I have to try to backport security fixes to 2.1.6, silly as it might be, for those of our users that prefer stability over featurism ;-)

Rest assured, though, that the next Debian *release* will feature 2.3.x.

At this point, it simply struck me as odd that the README is quite inaccurate, and it sounds as if there should be a simple fix for this hole in 2.1.6, too.

Gregor
Gregor Hoffleit wrote:
It's about backwards compatibility. Debian's last release had a 2.1.6 package in it, and our release managers simply won't accept a new upstream version (i.e. 2.2.5 or 2.3) as a security fix.
Shoot your release managers ;-)
Therefore, I have to try to backport security fixes to 2.1.6, silly as it might be, for those of our users that prefer stability over featurism ;-)
Urm, 2.2.5 and 2.3 are _considerably_ more stable than 2.1.6, featurism has nothing to do with it...

cheers,
Chris
If installed on 2.1.6, the product shows up as broken, since it tries to run "from OFS.ObjectManager import aq_base", which fails, since aq_base wasn't available in ObjectManager before 2.2.1 (!).
Therefore I guess the Hotfix won't work for any versions prior to 2.2.1. According to the README, those versions are still vulnerable.
Could somebody give me a hint if and how it's possible to backport the Hotfix to Zope 2.1.6 ?
You could add this to the hotfix module:

    def aq_base(object):
        return getattr(object, 'aq_base', object)

...and use that instead of importing it.

Brian Lloyd brian@digicool.com
Software Engineer 540.371.6909
Digital Creations http://www.digicool.com
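The shim suggested in the reply above, written out as an added example (not code from the hotfix or from Zope): it uses the module's aq_base when the name exists and falls back to the getattr definition otherwise. It is written for current Python so it runs without Zope; load_aq_base, fallback_aq_base, Wrapper and Folder are hypothetical names, and Wrapper is a constructed stand-in for an acquisition wrapper.

```python
import importlib


def fallback_aq_base(obj):
    # Definition from the thread: use the object's own aq_base attribute
    # if it has one, otherwise return the object itself.
    return getattr(obj, "aq_base", obj)


def load_aq_base(module_name="OFS.ObjectManager"):
    """Return (function, source): the module's aq_base, else the fallback."""
    try:
        module = importlib.import_module(module_name)
        return module.aq_base, "imported"
    except (ImportError, AttributeError):
        # ImportError: module absent. AttributeError: module present but
        # without the name, which is the 2.1.6 situation from the thread.
        return fallback_aq_base, "fallback"


class Folder:
    """Constructed plain object used as container and as content."""


class Wrapper:
    """Constructed stand-in for an acquisition wrapper (not Zope's class)."""

    def __init__(self, inner, parent):
        self.aq_base = inner
        self._parent = parent

    def __getattr__(self, name):
        # Reached only when normal lookup fails: try the wrapped object,
        # then acquire the attribute from the containing object.
        try:
            return getattr(self.aq_base, name)
        except AttributeError:
            return getattr(self._parent, name)


def demo():
    # "json" is a stdlib module that has no aq_base, standing in for an
    # ObjectManager module that predates the name.
    aq_base, source = load_aq_base("json")
    root, doc = Folder(), Folder()
    root.title = "site root"
    wrapped = Wrapper(doc, root)
    return {"source": source,
            "acquired": hasattr(wrapped, "title"),       # seen via the parent
            "own": hasattr(aq_base(wrapped), "title"),   # wrapper stripped
            "plain": aq_base(doc) is doc}                # unwrapped passes through
```

The "acquired" versus "own" results show what stripping the wrapper changes: an attribute check on the wrapped object can be satisfied by a container, while the same check on the base object cannot.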