Hotfix for security vulnerability
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On behalf of the Zope security response team, I would like to announce the availability of a hotfix for a vulnerability inadvertently published earlier today. 'Products.Zope_Hotfix_20111024' README ====================================== Overview - -------- This hotfix addresses a serious vulnerability in the Zope2 application server. Affected versions of Zope2 include: - - 2.12.x <= 2.12.20 - - 2.13.x <= 2.13.6 Older releases (2.11.x, 2.10.x, etc.) are not vulnerable. The Zope2 security response team recommends that all users of these releases upgrade to an unaffected release (2.12.21 or 2.13.11) as soon as they become available. Until that upgrade is feasible, deploying this hotfix also mitigates the vulnerability. Installing the Hotfix: Via 'easy_install' - ------------------------------------------- If the Python which runs your Zope instance has 'setuptools' installed (or is a 'virtualenv'), you can install the hotfix directly from PyPI:: $ /prefix/bin/easy_install Products.Zope_Hotfix_20111024 and then restart the Zope instance, e.g.: $ /path/to/instance/bin/zopectl restart Installing the Hotfix: Via 'zc.buildout' - ----------------------------------------- If your Zope instance is managed via 'zc.buildout', you can install the hotfix directly from PyPI. Edit the 'buildout.cfg' file, adding "Products.Zope_Hotfix_20111024" to the "eggs" section of the instance. E.g.:: [instance] recipe = plone.recipe.zope2instance #... eggs = ${buildout:eggs} Products.Zope_Hotfix_20111024 Next, re-run the buildout:: $ /path/to/buildout/bin/buildout and then restart the Zope instance, e.g.: $ /path/to/buildout/bin/instance restart Installing the Hotfix: Manual Installation - ------------------------------------------- You may also install this hotfix manually. Download the tarball from the PyPI page: http://pypi.python.org/pypi/Products.Zope_Hotfix_20111024 Unpack the tarball and add a 'products' key to the 'etc/zope.conf' of your instance. E.g.:: products /path/to/Products.Zope_Hotfix_20111024/Products and restart. Verifying the Installation - -------------------------- After restarting the Zope instance, check the 'Control_Panel/Products' folder in the Zope Management Interface, e.g.: http://localhost:8080/Control_Panel/Products/manage_main You should see the 'Zope_Hotfix_20111024' product folder there. Tres. - -- =================================================================== Tres Seaver +1 540-429-0999 tseaver@palladion.com Palladion Software "Excellence by Design" http://palladion.com -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk6l3pQACgkQ+gerLs4ltQ66AgCfT1cd94LXzBtdzNiBqKXnGBIF 7dwAoISO0AkuvERn+cw4W0cPo82c5r+D =xRBY -----END PGP SIGNATURE-----
Hello, Both of these url are not available: - http://download.zope.org/Zope2/index/2.12.21/versions.cfg - http://download.zope.org/Zope2/index/2.13.11/versions.cfg Regards, Encolpe DEGOUTE Le 24/10/2011 23:54, Tres Seaver a écrit :
On behalf of the Zope security response team, I would like to announce the availability of a hotfix for a vulnerability inadvertently published earlier today.
'Products.Zope_Hotfix_20111024' README ======================================
Overview --------
This hotfix addresses a serious vulnerability in the Zope2 application server. Affected versions of Zope2 include:
- 2.12.x <= 2.12.20
- 2.13.x <= 2.13.6
Older releases (2.11.x, 2.10.x, etc.) are not vulnerable.
The Zope2 security response team recommends that all users of these releases upgrade to an unaffected release (2.12.21 or 2.13.11) as soon as they become available.
Until that upgrade is feasible, deploying this hotfix also mitigates the vulnerability.
Installing the Hotfix: Via 'easy_install' -------------------------------------------
If the Python which runs your Zope instance has 'setuptools' installed (or is a 'virtualenv'), you can install the hotfix directly from PyPI::
$ /prefix/bin/easy_install Products.Zope_Hotfix_20111024
and then restart the Zope instance, e.g.:
$ /path/to/instance/bin/zopectl restart
Installing the Hotfix: Via 'zc.buildout' -----------------------------------------
If your Zope instance is managed via 'zc.buildout', you can install the hotfix directly from PyPI. Edit the 'buildout.cfg' file, adding "Products.Zope_Hotfix_20111024" to the "eggs" section of the instance. E.g.::
[instance] recipe = plone.recipe.zope2instance #... eggs = ${buildout:eggs} Products.Zope_Hotfix_20111024
Next, re-run the buildout::
$ /path/to/buildout/bin/buildout
and then restart the Zope instance, e.g.:
$ /path/to/buildout/bin/instance restart
Installing the Hotfix: Manual Installation -------------------------------------------
You may also install this hotfix manually. Download the tarball from the PyPI page:
http://pypi.python.org/pypi/Products.Zope_Hotfix_20111024
Unpack the tarball and add a 'products' key to the 'etc/zope.conf' of your instance. E.g.::
products /path/to/Products.Zope_Hotfix_20111024/Products
and restart.
Verifying the Installation --------------------------
After restarting the Zope instance, check the 'Control_Panel/Products' folder in the Zope Management Interface, e.g.:
http://localhost:8080/Control_Panel/Products/manage_main
You should see the 'Zope_Hotfix_20111024' product folder there.
Tres. _______________________________________________ Zope maillist - Zope@zope.org https://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - https://mail.zope.org/mailman/listinfo/zope-announce https://mail.zope.org/mailman/listinfo/zope-dev )
Am Dienstag, 25. Oktober 2011, 12:52:33 schrieb Encolpe Degoute:
Hello,
Both of these url are not available: - http://download.zope.org/Zope2/index/2.12.21/versions.cfg - http://download.zope.org/Zope2/index/2.13.11/versions.cfg
As i understand the hotfix posting right, the new full ZOPE versions (2.12.21 and 2.13.11) will come up later. For now there are only hotfixes available to close the hole. cheers, Niels. -- --- Niels Dettenbach Syndicat IT&Internet http://www.syndicat.com/
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 10/25/2011 06:52 AM, Encolpe Degoute wrote:
Hello,
Both of these url are not available: - http://download.zope.org/Zope2/index/2.12.21/versions.cfg - http://download.zope.org/Zope2/index/2.13.11/versions.cfg
The hotfix announcement says, "as soon as they become available." Those releases have not yet been made. Tres. - -- =================================================================== Tres Seaver +1 540-429-0999 tseaver@palladion.com Palladion Software "Excellence by Design" http://palladion.com -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk6mxVMACgkQ+gerLs4ltQ75+ACg0awuEwyyiq3M8qx96jKPTFcO j/sAoJVbpnQwJtmNBiH1RU5PX7Z8wwry =OanC -----END PGP SIGNATURE-----
On 24 October 2011 22:54, Tres Seaver <tseaver@palladion.com> wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On behalf of the Zope security response team, I would like to announce the availability of a hotfix for a vulnerability inadvertently published earlier today.
'Products.Zope_Hotfix_20111024' README ======================================
Overview - --------
This hotfix addresses a serious vulnerability in the Zope2 application server. Affected versions of Zope2 include:
- - 2.12.x <= 2.12.20
- - 2.13.x <= 2.13.6
Older releases (2.11.x, 2.10.x, etc.) are not vulnerable.
Can you confirm whether or not Zope 2.13.6 through 2.13.10 are affected? Laurence
Am Dienstag, 25. Oktober 2011, 12:28:39 schrieb Laurence Rowe:
Can you confirm whether or not Zope 2.13.6 through 2.13.10 are affected?
For me 2.13.10 seems to be affected (which makes sense as there would not be a 2.13.11 announced in the advisory). Is this possibly a typo? cheers, Niels. -- --- Niels Dettenbach Syndicat IT&Internet http://www.syndicat.com/
participants (4)
-
Encolpe Degoute -
Laurence Rowe -
Niels Dettenbach -
Tres Seaver