The observation and recommendation is specifically generated by Foundstone Labs' software. It's my fault to suggest that might be related to Hotfix-2008-08-12.
From my side, I will try to stop improper information from Foundstone lab.
Thanks, marr On Mon, Jul 20, 2009 at 12:20 PM, Andreas Jung <lists@zopyx.com> wrote:
On 20.07.09 04:06, TsungWei Hu wrote:
I have a Plone 3.2.3 site that runs with Zope 2.10.8 and receive a security notice as follows. Is it sufficient to fix this just installing http://www.zope.org/Products/Zope/Hotfix-2008-08-12 ? Thanks, /marr/
Although the Zope development environment is one of the largest and most widely supported open source web content management solutions, it has been plagued with exploitable vulnerabilities. Due to the nature of the software and shear number of vulnerabilities, Foundstone Labs recommends you consider utilizing a different content management solution and at a minimum upgrade your software. Zope updates can be freely downloaded from www.zope.org <http://www.zope.org>
TsungWei, with respect but you are telling barely nonsense. The mentioned issue only affected sites where managers gave ZMI access to untrusted users. So this issue is of limited importance. In addition it has been fixed within less than one day (compare this to other systems). In addition: Zope is an application server, not a CMS. Also: compare the number of critical bugs within Zope to other systems.
ZOPE IS VERY SECURE.
So please stop with such postings spreading FUD and containing improper information.
Andreas Jung Zope 2 Release Manager