[Grok-dev] SERIOUS security issue in Grok: please upgrade
Martijn Faassen
faassen at startifact.com
Fri Dec 12 11:20:15 EST 2008
Security issue in Grok: please upgrade!
=======================================

December 12, 2008. The Grok team encountered a serious security issue
that exposes Grok installations to attacks that erase data as well as
remote denial of service attacks. We *strongly* urge people to upgrade
to newer versions of Grok immediately. We have supplied new bug fix
releases of Grok for Grok 0.11 up to the recent release, Grok 0.14.

Only projects that use Grok directly are affected by this security
issue. If your Zope 3 project uses the ``grokcore.*`` libraries or if
you use ``five.grok`` on Zope 2, there is no security problem.

How to upgrade Grok? We give instructions that you can apply in your
Grok projects. Please run ``buildout`` after making the changes - this
will download the fixed version of Grok. After this, restart your
server!

The upgrade instructions assume two possible installation methods:

* Old versions of ``grokproject`` generated projects that only include
  the ``extends=`` line in ``buildout.cfg``, and updating that line to
  point to a newer version of Grok is sufficient.

* Newer versions of ``grokproject`` create projects that require you
  to modify ``versions.cfg``. There is also a line pointing to a Grok
  version in the ``eggbasket`` section in ``buildout.cfg``. While this
  is a download optimization only, we still recommend you update that
  line as well.
Grok 0.14: upgrade to Grok 0.14.1
---------------------------------

In the file ``versions.cfg`` change the line::

    grok = 0.14

to this::

    grok = 0.14.1

If you have no ``versions.cfg``, go to your project's ``buildout.cfg`` and
adjust this line::

    extends = http://grok.zope.org/releaseinfo/grok-0.14.cfg

to this::

    extends = http://grok.zope.org/releaseinfo/grok-0.14.1.cfg

While not strictly required, we also recommend you modify the following
line in the ``[eggbasket]`` section (if present)::

    url = http://grok.zope.org/releaseinfo/grok-eggs-0.14.tgz

to::

    url = http://grok.zope.org/releaseinfo/grok-eggs-0.14.1.tgz

After this change, run ``buildout`` and restart the server.

This version should work properly with Python 2.4 and Python 2.5.
Grok 0.13: upgrade to Grok 0.13.1
---------------------------------

In the file ``versions.cfg`` change the line::

    grok = 0.13

to this::

    grok = 0.13.1

If you have no ``versions.cfg``, go to your project's ``buildout.cfg`` and
adjust this line::

    extends = http://grok.zope.org/releaseinfo/grok-0.13.cfg

to this::

    extends = http://grok.zope.org/releaseinfo/grok-0.13.1.cfg

While not strictly required, we also recommend you modify the following
line in the ``[eggbasket]`` section (if present)::

    url = http://grok.zope.org/releaseinfo/grok-eggs-0.13.tgz

to::

    url = http://grok.zope.org/releaseinfo/grok-eggs-0.13.1.tgz

After this change, run ``buildout`` and restart the server.

This version should work properly with Python 2.4 and Python 2.5.
Grok 0.12 and Grok 0.12.1: upgrade to Grok 0.12.2
-------------------------------------------------

In the file ``versions.cfg`` change the line::

    grok = 0.12 (or 0.12.1)

to this::

    grok = 0.12.2

If you have no ``versions.cfg``, go to your project's ``buildout.cfg`` and
adjust this line::

    extends = http://grok.zope.org/releaseinfo/grok-0.12.cfg (or grok-0.12.1.cfg)

to this::

    extends = http://grok.zope.org/releaseinfo/grok-0.12.2.cfg

While not strictly required, we also recommend you modify the following
line in the ``[eggbasket]`` section (if present)::

    url = http://grok.zope.org/releaseinfo/grok-eggs-0.12.tgz (or grok-eggs-0.12.1.tgz)

to::

    url = http://grok.zope.org/releaseinfo/grok-eggs-0.12.2.tgz

After this change, run ``buildout`` and restart the server.

Note: the integrated REST support does not function properly on Python
2.5 in this version. It does work with the recommended version, Python
2.4.
Grok 0.11 and Grok 0.11.1: upgrade to Grok 0.11.2
-------------------------------------------------

In the file ``versions.cfg`` change the line::

    grok = 0.11 (or 0.11.1)

to this::

    grok = 0.11.2

If you have no ``versions.cfg``, go to your project's ``buildout.cfg`` and
adjust this line::

    extends = http://grok.zope.org/releaseinfo/grok-0.11.cfg (or grok-0.11.1.cfg)

to this::

    extends = http://grok.zope.org/releaseinfo/grok-0.11.2.cfg

We have not released a ``grok-eggs-0.11.2.tgz`` as we never maintained
such tarball releases for Grok 0.11.

After this change, run ``buildout`` and restart the server.

Note: the integrated REST support will not function properly on Python
2.5 in this version. It does work with the recommended version, Python
2.4.
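The following is an added example, not part of this announcement and not code from the Grok project: a small Python 3 script that reads the two files the instructions above refer to (``versions.cfg`` and ``buildout.cfg``), reports every ``grok =`` pin, ``extends =`` line and ``[eggbasket]`` ``url`` that still names one of the affected releases, and can rewrite them to the fixed release using the mapping listed in the sections above. The sample configuration contents embedded in it are constructed for the example; buildout's ``${section:option}`` references are not a standard INI feature, so interpolation is switched off when parsing.

```python
"""Check a Grok project's buildout configuration for pins on the Grok
releases covered by this advisory, and rewrite them to the fixed release.

Added example (not part of the announcement or of Grok). Sample files
below are constructed for demonstration.
"""
import configparser
import re

# Affected release -> fixed release, exactly as listed in the announcement.
FIXED_RELEASE = {
    "0.11": "0.11.2", "0.11.1": "0.11.2",
    "0.12": "0.12.2", "0.12.1": "0.12.2",
    "0.13": "0.13.1",
    "0.14": "0.14.1",
}

# Matches grok-0.14.cfg / grok-eggs-0.14.tgz style releaseinfo file names.
URL_RE = re.compile(r"(grok(?:-eggs)?-)(\d+\.\d+(?:\.\d+)?)(\.(?:cfg|tgz))\b")
# Matches a "grok = <version>" pin on its own line.
PIN_RE = re.compile(r"^([ \t]*grok[ \t]*=[ \t]*)(\S+)[ \t]*$", re.MULTILINE)

# Constructed sample: a project generated with a newer grokproject.
SAMPLE_VERSIONS_CFG = """\
[versions]
grok = 0.14
"""

SAMPLE_BUILDOUT_CFG = """\
[buildout]
develop = .
parts = app eggbasket
extends = http://grok.zope.org/releaseinfo/grok-0.14.cfg
versions = versions

[eggbasket]
eggs = grok
url = http://grok.zope.org/releaseinfo/grok-eggs-0.14.tgz
"""


def _parse(text):
    # buildout.cfg is INI-like but uses ${section:option} references and
    # may repeat keys, so disable interpolation and strict duplicate checks.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    return parser


def version_from_url(url):
    """Return the Grok version named by a releaseinfo cfg/tgz URL, or None."""
    match = URL_RE.search(url.strip())
    return match.group(2) if match else None


def check_config(filename, text):
    """Return (location, pinned_version, fixed_version) for each reference
    to an affected Grok release found in one configuration file."""
    findings = []
    cfg = _parse(text)
    if cfg.has_option("versions", "grok"):
        pinned = cfg.get("versions", "grok").strip()
        if pinned in FIXED_RELEASE:
            findings.append((filename + " [versions] grok", pinned, FIXED_RELEASE[pinned]))
    if cfg.has_option("buildout", "extends"):
        # extends may list several files, one per line
        for url in cfg.get("buildout", "extends").split():
            pinned = version_from_url(url)
            if pinned in FIXED_RELEASE:
                findings.append((filename + " [buildout] extends", pinned, FIXED_RELEASE[pinned]))
    if cfg.has_option("eggbasket", "url"):
        pinned = version_from_url(cfg.get("eggbasket", "url"))
        if pinned in FIXED_RELEASE:
            findings.append((filename + " [eggbasket] url", pinned, FIXED_RELEASE[pinned]))
    return findings


def upgrade_text(text):
    """Rewrite affected ``grok =`` pins and releaseinfo URLs to the fixed
    release; unaffected versions are left untouched."""
    def pin_repl(m):
        return m.group(1) + FIXED_RELEASE.get(m.group(2), m.group(2))

    def url_repl(m):
        return m.group(1) + FIXED_RELEASE.get(m.group(2), m.group(2)) + m.group(3)

    return URL_RE.sub(url_repl, PIN_RE.sub(pin_repl, text))


if __name__ == "__main__":
    for name, text in (("versions.cfg", SAMPLE_VERSIONS_CFG),
                       ("buildout.cfg", SAMPLE_BUILDOUT_CFG)):
        for location, pinned, fixed in check_config(name, text):
            print("%s pins Grok %s; upgrade to %s" % (location, pinned, fixed))
        print("--- upgraded %s ---\n%s" % (name, upgrade_text(text)))
```

Running the script against the constructed samples reports the three affected references and prints the rewritten files; after the rewrite, ``check_config`` returns nothing for either file. The actual download of the fixed eggs still happens only when ``buildout`` is run and the server restarted, as the instructions above say.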