ANNOUNCE: cgi.py vulnerability hotfix for Zope...
This hotfix addresses a potential denial-of-service vulnerability in applications that use the Python cgi module (cgi.py) for parsing of "multipart" Web form data (Zope uses this functionality internally).

More detailed information is available in the Python bug tracker at SourceForge:

http://sourceforge.net/tracker/?group_id=5470&atid=105470&func=detail&aid=443120

While we are not aware of any instances of abuse of this vulnerability, we *highly* recommend that any Zope site running versions of Zope up to and including 2.4.0 have this hotfix product installed to mitigate this issue. (Zope 2.4.1 will not require the installation of a separate hotfix).

http://www.zope.org/Products/Zope/Hotfix_2001-07-25/README.txt
http://www.zope.org/Products/Zope/Hotfix_2001-07-25/Hotfix_2001-07-25.tgz

Brian Lloyd        brian@digicool.com
Software Engineer  540.371.6909
Digital Creations  http://www.digicool.com

This hotfix kills my Zope no matter what URL I try to visit.

Error Type: TypeError
Error Value: object is not callable: None

<!--
Traceback (innermost last):
  File /usr/local/zope-2.4.0/lib/python/ZPublisher/Publish.py, line 223, in publish_module
  File /usr/local/zope-2.4.0/lib/python/ZPublisher/Publish.py, line 187, in publish
  File /usr/local/zope-2.4.0/lib/python/Zope/__init__.py, line 226, in zpublisher_exception_hook
    (Object: ApplicationDefaultPermissions)
  File /usr/local/zope-2.4.0/lib/python/ZPublisher/Publish.py, line 136, in publish
  File /usr/local/zope-2.4.0/lib/python/ZPublisher/HTTPRequest.py, line 405, in processInputs
  File /var/tmp/python-2.1-root/usr/lib/python2.1/cgi.py, line 449, in __init__
TypeError: (see above)
-->

_______________________
Ron Bickers
Logic Etc, Inc.

-----Original Message-----
From: zope-admin@zope.org [mailto:zope-admin@zope.org] On Behalf Of Brian Lloyd
Sent: Wednesday, July 25, 2001 4:37 PM
To: zope-announce@zope.org; zope@zope.org
Subject: [Zope] ANNOUNCE: cgi.py vulnerability hotfix for Zope...

This hotfix addresses a potential denial-of-service vulnerability in applications that use the Python cgi module (cgi.py) for parsing of "multipart" Web form data (Zope uses this functionality internally).

Hi list, hi Ron,

I had a similar error: "None has no attribute argv"
I hope someone can comment on this.

By Erich

Ron Bickers wrote:

This hotfix kills my Zope no matter what URL I try to visit.
Error Type: TypeError Error Value: object is not callable: None
<!--
Traceback (innermost last):
  File /usr/local/zope-2.4.0/lib/python/ZPublisher/Publish.py, line 223, in publish_module
  File /usr/local/zope-2.4.0/lib/python/ZPublisher/Publish.py, line 187, in publish
  File /usr/local/zope-2.4.0/lib/python/Zope/__init__.py, line 226, in zpublisher_exception_hook
    (Object: ApplicationDefaultPermissions)
  File /usr/local/zope-2.4.0/lib/python/ZPublisher/Publish.py, line 136, in publish
  File /usr/local/zope-2.4.0/lib/python/ZPublisher/HTTPRequest.py, line 405, in processInputs
  File /var/tmp/python-2.1-root/usr/lib/python2.1/cgi.py, line 449, in __init__
TypeError: (see above)

ZC pulled the original Hotfix and corrected the problem. The updated one I installed yesterday hasn't caused any problems.

_______________________
Ron Bickers
Logic Etc, Inc.

-----Original Message-----
From: E. Seifert [mailto:e.seifert@gmx.net]
Sent: Friday, July 27, 2001 12:22 PM
To: Ron Bickers; zope@zope.org
Subject: Re: [Zope] Hotfix kills my Zope -- (ANNOUNCE: cgi.py vulnerability hotfix for Zope...)

Hi list, hi Ron,
I had a similar error: "None has no attribute argv" I hope someone can comment on this.

The reported problem with this hotfix and Zope 2.4 has been resolved, and the file has been updated on www.zope.org at the URL mentioned in the original announcement:

Brian Lloyd wrote:

This hotfix addresses a potential denial-of-service vulnerability in applications that use the Python cgi module (cgi.py) for parsing of "multipart" Web form data (Zope uses this functionality internally).
More detailed information is available in the Python bug tracker at SourceForge:
http://sourceforge.net/tracker/?group_id=5470&atid=105470&func=detail&aid=44...
While we are not aware of any instances of abuse of this vulnerability, we *highly* recommend that any Zope site running versions of Zope up to and including 2.4.0 have this hotfix product installed to mitigate this issue. (Zope 2.4.1 will not require the installation of a separate hotfix).
http://www.zope.org/Products/Zope/Hotfix_2001-07-25/README.txt
http://www.zope.org/Products/Zope/Hotfix_2001-07-25/Hotfix_2001-07-25.tar.gz