[Zope-Annce] UPDATE: cgi.py vulnerability hotfix for Zope...

Evan Simpson evan@4-am.com
Thu, 26 Jul 2001 10:02:42 -0400


The reported problem with this hotfix and Zope 2.4 has been resolved, 
and the file has been updated on www.zope.org at the URL mentioned in 
the original announcement:

Brian Lloyd wrote:

>   This hotfix addresses a potential denial-of-service vulnerability
>   in applications that use the Python cgi module (cgi.py) for parsing
>   of "multipart" Web form data (Zope uses this functionality internally).
> 
>   More detailed information is available in the Python bug tracker at
>   SourceForge:
> 
> 
> http://sourceforge.net/tracker/?group_id=5470&atid=105470&func=detail&aid=443120
> 
>   While we are not aware of any instances of abuse of this
>   vulnerability, we *highly* recommend that any Zope site running versions
>   of Zope up to and including 2.4.0 have this hotfix product installed
>   to mitigate this issue. (Zope 2.4.1 will not require the
>   installation of a separate hotfix).
> 
>   http://www.zope.org/Products/Zope/Hotfix_2001-07-25/README.txt
> 
>   http://www.zope.org/Products/Zope/Hotfix_2001-07-25/Hotfix_2001-07-25.tar.gz