[Zope-Annce] serious security issue in Grok: please upgrade

Martijn Faassen faassen at startifact.com
Fri Dec 12 11:20:43 EST 2008


Security issue in Grok: please upgrade!
=======================================

December 12, 2008. The Grok team encountered a serious security issue
that exposes Grok installations to attacks that erase data as well as
remote denial of service attacks. We *strongly* urge people to upgrade
to newer versions of Grok immediately. We have supplied new bug fix
releases of Grok for Grok 0.11 up to the recent release, Grok 0.14.

Only projects that use Grok directly are affected by this security
issue. If your Zope 3 project uses the ``grokcore.*`` libraries or if
you use ``five.grok`` on Zope 2, there is no security problem.

How do you upgrade Grok? Below are instructions that you can apply to your
Grok projects. Run ``buildout`` after making the changes; this will download
the fixed version of Grok. After that, restart your server!

The upgrade instructions assume two possible installation methods:

* Old versions of ``grokproject`` generated projects that only include
  the ``extends=`` line in ``buildout.cfg``, and updating that line to
  point to a newer version of Grok is sufficient.

* Newer versions of ``grokproject`` create projects that require you
  to modify ``versions.cfg``. There is also a line pointing to a Grok
  version in the ``eggbasket`` section in ``buildout.cfg``. While this
  is a download optimization only, we still recommend you update that
  line as well.

Grok 0.14: upgrade to Grok 0.14.1
---------------------------------

In the file ``versions.cfg`` change the line::

  grok = 0.14

to this::

  grok = 0.14.1

If you have no ``versions.cfg``, go to your project's ``buildout.cfg`` and
adjust this line::

  extends = http://grok.zope.org/releaseinfo/grok-0.14.cfg

to this::

  extends = http://grok.zope.org/releaseinfo/grok-0.14.1.cfg

While not strictly required, we also recommend you modify the following
line in the ``[eggbasket]`` section (if present)::

  url = http://grok.zope.org/releaseinfo/grok-eggs-0.14.tgz

to::

  url = http://grok.zope.org/releaseinfo/grok-eggs-0.14.1.tgz

After this change, run ``buildout`` and restart the server.

This version should work properly with Python 2.4 and Python 2.5.

Grok 0.13: upgrade to Grok 0.13.1
---------------------------------

In the file ``versions.cfg`` change the line::

  grok = 0.13

to this::

  grok = 0.13.1

If you have no ``versions.cfg``, go to your project's ``buildout.cfg`` and
adjust this line::

  extends = http://grok.zope.org/releaseinfo/grok-0.13.cfg

to this::

  extends = http://grok.zope.org/releaseinfo/grok-0.13.1.cfg

While not strictly required, we also recommend you modify the following
line in the ``[eggbasket]`` section (if present)::

  url = http://grok.zope.org/releaseinfo/grok-eggs-0.13.tgz

to::

  url = http://grok.zope.org/releaseinfo/grok-eggs-0.13.1.tgz

After this change, run ``buildout`` and restart the server.

This version should work properly with Python 2.4 and Python 2.5.

Grok 0.12 and Grok 0.12.1: upgrade to Grok 0.12.2
-------------------------------------------------

In the file ``versions.cfg`` change the line::

  grok = 0.12 (or 0.12.1)

to this::

  grok = 0.12.2

If you have no ``versions.cfg``, go to your project's ``buildout.cfg`` and
adjust this line::

  extends = http://grok.zope.org/releaseinfo/grok-0.12.cfg (or grok-0.12.1.cfg)

to this::

  extends = http://grok.zope.org/releaseinfo/grok-0.12.2.cfg

While not strictly required, we also recommend you modify the following
line in the ``[eggbasket]`` section (if present)::

  url = http://grok.zope.org/releaseinfo/grok-eggs-0.12.tgz (or grok-0.12.1.cfg)

to::

  url = http://grok.zope.org/releaseinfo/grok-eggs-0.12.2.tgz

After this change, run ``buildout`` and restart the server.

Note: the integrated REST support does not function properly on Python
2.5 in this version. It does work with the recommended version Python
2.4.

Grok 0.11 and Grok 0.11.1: upgrade to Grok 0.11.2
-------------------------------------------------

In the file ``versions.cfg`` change the line::

  grok = 0.11 (or 0.11.1)

to this::

  grok = 0.11.2

If you have no ``versions.cfg``, go to your project's ``buildout.cfg`` and
adjust this line::

  extends = http://grok.zope.org/releaseinfo/grok-0.11.cfg (or grok-0.11.1.cfg)

to this::

  extends = http://grok.zope.org/releaseinfo/grok-0.11.2.cfg

We have not released a ``grok-eggs-0.11.2.tgz``, as we never maintained
such tarball releases for Grok 0.11.

After this change, run ``buildout`` and restart the server.

Note: the integrated REST support will not function properly on Python
2.5 in this version. It does work with the recommended version Python
2.4.
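The per-version edits above follow one pattern: find the pinned Grok
version in ``versions.cfg`` (or the ``extends =`` line and the
``[eggbasket]`` ``url =`` line in ``buildout.cfg``), and replace it with
the fixed release for that series. The following script is an added
example written for this announcement; it is not part of Grok or
``grokproject``. It encodes the upgrade table from this announcement
(0.11/0.11.1 to 0.11.2, 0.12/0.12.1 to 0.12.2, 0.13 to 0.13.1, 0.14 to
0.14.1), skips the ``eggbasket`` URL for the 0.11 series (no such tarball
exists), reports which lines would change so you can audit a project
before touching it, and leaves everything else untouched. The sample
config files are constructed for the example; the regular expressions
assume the exact line forms shown in this announcement.

```python
import re

# Affected Grok release -> fixed release, as given in the announcement.
FIXED_VERSION = {
    "0.11": "0.11.2", "0.11.1": "0.11.2",
    "0.12": "0.12.2", "0.12.1": "0.12.2",
    "0.13": "0.13.1",
    "0.14": "0.14.1",
}

# No grok-eggs tarball was ever published for the 0.11 series, so an
# eggbasket url must not be rewritten to point at one.
NO_EGGS_TARBALL = {"0.11.2"}

_VER = r"(\d+\.\d+(?:\.\d+)?)"
# Line shapes taken from the announcement; anything else is left alone.
VERSION_PIN = re.compile(r"^(\s*grok\s*=\s*)" + _VER + r"(\s*)$")
EXTENDS = re.compile(
    r"^(\s*extends\s*=\s*http://grok\.zope\.org/releaseinfo/grok-)" + _VER + r"(\.cfg\s*)$")
EGGS_URL = re.compile(
    r"^(\s*url\s*=\s*http://grok\.zope\.org/releaseinfo/grok-eggs-)" + _VER + r"(\.tgz\s*)$")


def upgrade_config(text):
    """Rewrite affected Grok pins in a buildout-style config.

    Returns (new_text, changes); changes is a list of
    (line_number, old_line, new_line) so the result can be reviewed.
    Lines already at a fixed release, or at an unknown version, are kept.
    """
    out = []
    changes = []
    for lineno, line in enumerate(text.splitlines(), 1):
        new = line
        for pattern in (VERSION_PIN, EXTENDS, EGGS_URL):
            m = pattern.match(line)
            if not m:
                continue
            fixed = FIXED_VERSION.get(m.group(2))
            if fixed is None:
                break  # not an affected release: nothing to do
            if pattern is EGGS_URL and fixed in NO_EGGS_TARBALL:
                break  # no eggs tarball to point at for this series
            new = m.group(1) + fixed + m.group(3)
            changes.append((lineno, line.strip(), new.strip()))
            break
        out.append(new)
    trailing = "\n" if text.endswith("\n") else ""
    return "\n".join(out) + trailing, changes


# Constructed sample inputs modelled on the files described above.
SAMPLE_BUILDOUT_CFG = """\
[buildout]
extends = http://grok.zope.org/releaseinfo/grok-0.14.cfg
parts = app

[eggbasket]
url = http://grok.zope.org/releaseinfo/grok-eggs-0.14.tgz
"""

SAMPLE_VERSIONS_CFG = """\
[versions]
grok = 0.12.1
grokcore.component = 1.5
"""


if __name__ == "__main__":
    for name, text in (("buildout.cfg", SAMPLE_BUILDOUT_CFG),
                       ("versions.cfg", SAMPLE_VERSIONS_CFG)):
        new_text, changes = upgrade_config(text)
        for lineno, old, new in changes:
            print("%s:%d: %s  ->  %s" % (name, lineno, old, new))
        # In a real project you would write new_text back to the file,
        # then run ``buildout`` and restart the server as described above.
```

Run it against a real project by reading ``buildout.cfg`` and
``versions.cfg`` into ``upgrade_config`` and writing ``new_text`` back only
after reviewing the reported changes; the fixed eggs are fetched by the
subsequent ``buildout`` run, not by this script.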

