The observation and recommendation are specifically generated by Foundstone Labs' software.
It's my fault to suggest that it might be related to Hotfix-2008-08-12.
From my side, I will try to stop improper information from Foundstone lab.
Thanks, marr
On 20.07.09 04:06, TsungWei Hu wrote:
> I have a Plone 3.2.3 site that runs with Zope 2.10.8 and receive a
> security notice as follows. Is it sufficient to fix this just
> installing http://www.zope.org/Products/Zope/Hotfix-2008-08-12 ?
> Thanks, /marr/
>
>
> Although the Zope development environment is one of the largest and
> most widely supported open source web content management solutions, it
> has been plagued with exploitable vulnerabilities. Due to the nature
> of the software and sheer number of vulnerabilities, Foundstone Labs
> recommends you consider utilizing a different content management
> solution and at a minimum upgrade your software. Zope updates can be
> freely downloaded from www.zope.org <http://www.zope.org>
TsungWei, with respect but you are telling barely nonsense. The mentioned issue only affected sites where managers gave ZMI access to untrusted users. So this issue is of limited importance.
In addition it has been fixed within less than one day (compare this to other systems).
In addition: Zope is an application server, not a CMS. Also: compare the number of critical bugs within Zope to other systems.
ZOPE IS VERY SECURE.
So please stop with such postings spreading FUD and containing improper information.
Andreas Jung
Zope 2 Release Manager