[Zope-Annce] Hotfix for Further reST Integration Issue

Jim Fulton jim at zope.com
Mon Aug 21 16:06:38 EDT 2006


After reviewing the docutils / reStructuredText integration in Zope  
2, we have discovered that versions 2.7.0 - 2.7.8 and 2.8.0 - 2.8.8  
are vulnerable to a further information disclosure exploit.

Overview

This hotfix removes the exploit by disabling the reStructuredText  
feature which exposes the vulnerability. This vulnerability has been  
fixed on the 2.8 branch, and will thus not be present in any future  
release from that branch (2.8.9 or later).

Zope2 versions from 2.9 and the trunk are not vulnerable to this  
exploit.

Note that this hotfix fixes a problem not addressed by the earlier
reStructuredText integration hotfix; that hotfix needs to remain
installed until after upgrading to a fixed version of Zope.

Hotfix

We have prepared a hot fix for this problem at:

http://www.zope.org/Products/Zope/Hotfix-2006-08-21/Hotfix-20060821/.

This hotfix should be installed as soon as possible.

To install, simply extract the archive into your Products directory  
in your Zope installation.

See: http://www.zope.org/Products/Zope/Hotfix-2006-08-21/Hotfix-20060821/README.txt,

for installation instructions.

It is important to install this hotfix as soon as possible.

This fix will disable the reStructuredText csv-table directive.

Jim

--
Jim Fulton			mailto:jim at zope.com		Python Powered!
CTO 				(540) 361-1714			http://www.python.org
Zope Corporation	http://www.zope.com		http://www.zope.org




