[Security advisory] Zope 2.7 + 2.8
Synopsis:

Due to an error in the cAccessControl module of Zope it is possible to bring down a complete Zope site as documented in
http://mail.zope.org/pipermail/zope-dev/2004-December/024087.html

This exploit causes a segmentation fault of the Python interpreter. Vulnerable to this exploit are at least all Zope installations that allow untrusted users to edit ZPTs (possibly DTML as well) either through the ZMI or through the file system.

Affected versions:

Zope 2.7.X, Zope 2.8.X

Recommended solution:

Turn off cAccessControl and enable the Python AccessControl implementation in etc/zope.conf (this line is commented out in the default configuration):

security-policy-implemenation python

A fixed implementation of cAccessControl will be included in the upcoming Zope 2.7.4 beta 2 release.

----
Andreas Jung
Zope 2 Release Manager
There's a typo in the configuration below. It should be:

security-policy-implementation python

Not:

security-policy-implemenation python

On Thu, Dec 09, 2004, Andreas Jung wrote:

> Synopsis:
>
> Due to an error in the cAccessControl module of Zope it is possible to bring down a complete Zope site as documented in
> http://mail.zope.org/pipermail/zope-dev/2004-December/024087.html
>
> This exploit causes a segmentation fault of the Python interpreter. Vulnerable to this exploit are at least all Zope installations that allow untrusted users to edit ZPTs (possibly DTML as well) either through the ZMI or through the file system.
>
> Affected versions:
>
> Zope 2.7.X, Zope 2.8.X
>
> Recommended solution:
>
> Turn off cAccessControl and enable the Python AccessControl implementation in etc/zope.conf (this line is commented out in the default configuration):
>
> security-policy-implemenation python
>
> A fixed implementation of cAccessControl will be included in the upcoming Zope 2.7.4 beta 2 release.
>
> ----
> Andreas Jung
> Zope 2 Release Manager
>
> _______________________________________________
> Zope maillist - Zope@zope.org
> http://mail.zope.org/mailman/listinfo/zope
> ** No cross posts or HTML encoding! **
> (Related lists -
> http://mail.zope.org/mailman/listinfo/zope-announce
> http://mail.zope.org/mailman/listinfo/zope-dev )

Bill
--
INTERNET: bill@Celestial.COM  Bill Campbell; Celestial Software LLC
UUCP:     camco!bill          PO Box 820; 6641 E. Mercer Way
FAX:      (206) 232-9186      Mercer Island, WA 98040-0820; (206) 236-1676
URL: http://www.celestial.com/

Many companies that have made themselves dependent on [the equipment of a certain major manufacturer] (and in doing so have sold their soul to the devil) will collapse under the sheer weight of the unmastered complexity of their data processing systems.
-- Edsger W. Dijkstra, SIGPLAN Notices, Volume 17, Number 5
On Thursday, 9 December 2004 10:20 -0800 Bill Campbell <bill@celestial.net> wrote:

> There's a typo in the configuration below. It should be:
>
> security-policy-implementation python
>
> Not:
>
> security-policy-implemenation python

Oops, of course. Just uncomment the line and you have nothing to type :-)

-aj
On Thu, Dec 09, 2004, Andreas Jung wrote:

> On Thursday, 9 December 2004 10:20 -0800 Bill Campbell <bill@celestial.net> wrote:
>
>> There's a typo in the configuration below. It should be:
>>
>> security-policy-implementation python
>>
>> Not:
>>
>> security-policy-implemenation python
>
> Oops, of course. Just uncomment the line and you have nothing to type :-)

In my case, I'm running the OpenPKG.org version of zope, and their default zope.conf file has been stripped of most comments, so I had to go back to the source to find it.

Bill
--
INTERNET: bill@Celestial.COM  Bill Campbell; Celestial Software LLC
UUCP:     camco!bill          PO Box 820; 6641 E. Mercer Way
FAX:      (206) 232-9186      Mercer Island, WA 98040-0820; (206) 236-1676
URL: http://www.celestial.com/

``Rightful liberty is unobstructed action according to our will within limits drawn around us by the equal rights of others. I do not add 'within the limits of the law' because law is often but the tyrant's will, and always so when it violates the rights of the individual.''
-Thomas Jefferson
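As an added example (not code from the advisory, from this thread, or from the Zope project), the shell helpers below put the zope.conf change the advisory recommends into a checkable form. One function reads the effective security-policy-implementation setting out of a zope.conf file (a file in which the line is still commented out, as in the default configuration, or one with no comments at all, as in Bill's OpenPKG build, reports the C implementation); one flags the file as still exposed to the cAccessControl crash unless the Python implementation is in effect; and one appends the correctly spelled directive from the corrected reply. The sample zope.conf is constructed to mimic the default layout, the function names are assumptions, and the directive name and its two values ("C" and "python") are the ones the advisory and the correction use.

```shell
#!/bin/sh
# Added example, not part of the advisory or the Zope distribution.
# Inspects and hardens the security-policy-implementation setting of a
# Zope 2.7/2.8 zope.conf. The sample file written by make_sample_conf is
# constructed here to resemble the default configuration's commented-out
# example; the helper names are assumptions.

# Print the effective security policy implementation (lowercased) for a
# zope.conf: the last uncommented "security-policy-implementation" line
# wins, and Zope falls back to the C implementation when none is set.
security_policy_impl() {
    conf="$1"
    value=$(grep -E '^[[:space:]]*security-policy-implementation[[:space:]]+' "$conf" \
        | tail -n 1 \
        | awk '{print tolower($2)}')
    if [ -z "$value" ]; then
        echo "c"
    else
        echo "$value"
    fi
}

# Print "ok" when the Python implementation is in effect, otherwise
# "vulnerable". The misspelled key from the first advisory mail
# ("security-policy-implemenation") does not match the pattern above, so
# a file containing only that line still reports "vulnerable".
check_zope_conf() {
    case "$(security_policy_impl "$1")" in
        python) echo "ok" ;;
        *)      echo "vulnerable" ;;
    esac
}

# Apply the workaround: drop any earlier uncommented copies of the
# directive, then append one explicit, correctly spelled setting so the
# file has exactly one effective value regardless of its comments.
harden_zope_conf() {
    conf="$1"
    tmp="$conf.tmp"
    grep -v -E '^[[:space:]]*security-policy-implementation[[:space:]]+' "$conf" > "$tmp"
    printf '\n# Workaround for the cAccessControl segfault (Zope 2.7.x/2.8.x)\n' >> "$tmp"
    printf 'security-policy-implementation python\n' >> "$tmp"
    mv "$tmp" "$conf"
}

# Write a constructed zope.conf in the default layout: the directive is
# present only inside a comment, so the C implementation is in effect.
make_sample_conf() {
    cat > "$1" <<'EOF'
# Directive: security-policy-implementation
#
# Description:
#     Selects the C or Python implementation of the security machinery.
#
# Default: C
#
# Example:
#
#    security-policy-implementation python

instancehome $INSTANCE
EOF
}

# Stand-alone demonstration: report, harden, report again.
demo() {
    f=$(mktemp)
    make_sample_conf "$f"
    echo "before: $(check_zope_conf "$f") ($(security_policy_impl "$f"))"
    harden_zope_conf "$f"
    echo "after:  $(check_zope_conf "$f") ($(security_policy_impl "$f"))"
    rm -f "$f"
}

demo
```

Running the file prints the before/after report for the constructed sample. The checker only models the directive's presence and value; it does not model how Zope's own configuration parser reacts to an unknown key such as the misspelled one, so it should be read as a configuration audit, not as a substitute for restarting Zope and confirming the change took effect.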
Hi Andreas (and anyone else who does security releases)

Might I suggest also announcing this to bugtraq@securityfocus.com?

Also, it would be handy for those of us that use mail server plugins to cut down on duplicate messages if you could send messages to the announce list that don't CC the zope list, or any other bulk list. This message got filed in with the bulk stuff and so I haven't seen it for weeks :-S

cheers,

Chris

--
Simplistix - Content Management, Zope & Python Consulting
- http://www.simplistix.co.uk
On Wednesday, 12 January 2005 12:49 +0000 Chris Withers <chris@simplistix.co.uk> wrote:

> Hi Andreas (and anyone else who does security releases)
>
> Might I suggest also announcing this to bugtraq@securityfocus.com?

Could do :-)

> Also, it would be handy for those of us that use mail server plugins to cut down on duplicate messages if you could send messages to the announce list that don't CC the zope list, or any other bulk list. This message got filed in with the bulk stuff and so I haven't seen it for weeks :-S

...just a question of how you manage your emails :-)

-aj
Participants (3):
- Andreas Jung
- Bill Campbell
- Chris Withers