[Zope-Checkins] SVN: Zope/hotfixes/Hotfix_20060705/ Import July's
hotfix.
Tres Seaver
tseaver at palladion.com
Tue Aug 8 12:31:02 EDT 2006
Log message for revision 69376:
Import July's hotfix.
Changed:
A Zope/hotfixes/Hotfix_20060705/
A Zope/hotfixes/Hotfix_20060705/README.txt
A Zope/hotfixes/Hotfix_20060705/__init__.py
A Zope/hotfixes/Hotfix_20060705/version.txt
-=-
Added: Zope/hotfixes/Hotfix_20060705/README.txt
===================================================================
--- Zope/hotfixes/Hotfix_20060705/README.txt 2006-08-08 16:30:20 UTC (rev 69375)
+++ Zope/hotfixes/Hotfix_20060705/README.txt 2006-08-08 16:31:02 UTC (rev 69376)
@@ -0,0 +1,55 @@
+Hotfix-20060705 README
+
+ This hotfix corrects an information disclosure vulnerability in Zope2,
+ due to Zope2's use of the docutils module to parse and render
+ "restructured text".
+
+ Sites which allow untrusted users to create restructured text as
+ through-the-web content should apply this hotfix.
+
+ The hotfix may be removed after upgrading to a version of Zope2 more
+ recent than this hotfix.
+
+ Affected Versions
+
+ - Zope 2.7.0 - 2.7.8
+
+ - Zope 2.8.0 - 2.8.7
+
+ - Zope 2.9.0 - 2.9.2
+
+ Installing the Hotfix
+
+ This hotfix is installed as a standard Zope2 product. The following
+ examples assume that your Zope instance is located at
+ '/var/zope/instance': please adjust according to your actual
+ instance path. Also note that hotfix products are *not* intended
+ for installation into the "software home" of your Zope.
+
+ 1. Unpack the tarball / zipfile for the Hotfix into a temporary
+ location::
+
+ $ cd /tmp
+ $ tar xzf ~/Hotfix_20060704.tar.gz
+
+ 2. Copy or move the product directory from the unpacked directory
+ to the 'Products' directory of your Zope instance::
+
+ $ cp -a /tmp/Hotfix_20060704/ /var/zope/instance/Products/
+
+ 3. Restart Zope::
+
+ $ /var/zope/instance/bin/zopectl restart
+
+ Uninstalling the Hotfix
+
+ After upgrading Zope to one of the fixed versions, you should remove
+ this hotfix product from your Zope instance.
+
+ 1. Remove the product directory from your instance 'Products'::
+
+ $ rm -rf /var/zope/instance/Products/Hotfix_20060704/
+
+ 2. Restart Zope::
+
+ $ /var/zope/instance/bin/zopectl restart
Property changes on: Zope/hotfixes/Hotfix_20060705/README.txt
___________________________________________________________________
Name: svn:eol-style
+ native
Added: Zope/hotfixes/Hotfix_20060705/__init__.py
===================================================================
--- Zope/hotfixes/Hotfix_20060705/__init__.py 2006-08-08 16:30:20 UTC (rev 69375)
+++ Zope/hotfixes/Hotfix_20060705/__init__.py 2006-08-08 16:31:02 UTC (rev 69376)
@@ -0,0 +1,10 @@
+""" Hotfix_20060705
+
+Disable reStructuredText's 'raw' and 'include' directives, because they allow
+for information disclosuer and other nastiness.
+
+$Id$
+"""
+from docutils.parsers.rst.directives import misc
+del misc.raw
+del misc.include;
Property changes on: Zope/hotfixes/Hotfix_20060705/__init__.py
___________________________________________________________________
Name: svn:keywords
+ Id
Name: svn:eol-style
+ native
Added: Zope/hotfixes/Hotfix_20060705/version.txt
===================================================================
--- Zope/hotfixes/Hotfix_20060705/version.txt 2006-08-08 16:30:20 UTC (rev 69375)
+++ Zope/hotfixes/Hotfix_20060705/version.txt 2006-08-08 16:31:02 UTC (rev 69376)
@@ -0,0 +1 @@
+Hotfix_20060705
Property changes on: Zope/hotfixes/Hotfix_20060705/version.txt
___________________________________________________________________
Name: svn:eol-style
+ native
More information about the Zope-Checkins
mailing list