Many (most?) of the hotfixes have to do with fixing security holes which are a problem if and only if you allow untrusted (or semi-trusted) users to write DTML/Python on your website via the through-the-web interface. If you don't allow this (most people don't... most people can't even conceive of it, because they have no concept that it can actually be done, and no other platforms provide for such a feature), the number of Zope security-related problems over the last few years goes down considerably. I count six (out of a total of 11) of them that are *not* related to through-the-web scripting since last June, one of which doesn't allow for meaningful elevation of privilege in any way. This leaves five "critical" security-related bugs in a year, all of which have fixes.

Consider also that Zope contains a webserver, a database, its own templating language, and its own search engine. Advise your admin to check the number of combined security reports for Apache, MySQL, embperl, and HTdig for the last year, and compare them against the number reported and fixed in Zope. I'd imagine they're comparable.

- C

----- Original Message -----
From: "Alastair Burt" <burt@dfki.de>
To: <zope@zope.org>
Sent: Tuesday, May 15, 2001 10:15 AM
Subject: [Zope] Zope Security
I am getting aggravation from our sysadmin, who is reluctant to poke holes in our new firewall for my Zope ports. He claims he knows of no software in the last few years that has so many security holes. Is there anything to justify this claim? I know there are an alarmingly large number of Zope hotfixes on the security mailing lists and that login passwords get sent in the clear when not using SSL. On the other hand, I know of no attempt to hack a Zope site.
--- Alastair