[Zope-Annce] Hotfix for Further reST Integration Issue
Jim Fulton
jim at zope.com
Mon Aug 21 16:06:38 EDT 2006
After reviewing the docutils / reStructuredText integration in Zope
2, we have discovered that versions 2.7.0 - 2.7.8 and 2.8.0 - 2.8.8
are vulnerable to a further information disclosure exploit.
Overview
This hotfix removes the exploit by disabling the reStructuredText
feature which exposes the vulnerability. This vulnerability has been
fixed on the 2.8 branch, and will thus not be present in any future
release from that branch (2.8.9 or later).
Zope2 versions from 2.9 and the trunk are not vulnerable to this
exploit.
Note that this hotfix fixes a problem not attressed by the earlier
reStructuredText integration hotfix ; that hotfix needs to remain
installed until after upgrading to a fixed version of Zope.
Hotfix
We have prepared a hot fix for this problem at:
http://www.zope.org/Products/Zope/Hotfix-2006-08-21/Hotfix-20060821/.
This hotfix should be installed as soon as possible.
To install, simply extract the archive into your Products directory
in your Zope installation.
See: http://www.zope.org/Products/Zope/Hotfix-2006-08-21/
Hotfix-20060821/README.txt,
for installation instructions.
It is important to install this hotfix as soon as possible.
This fix will disable the reStructuredText csv-table directive.
Jim
--
Jim Fulton mailto:jim at zope.com Python Powered!
CTO (540) 361-1714 http://www.python.org
Zope Corporation http://www.zope.com http://www.zope.org
More information about the Zope-Announce
mailing list