[Zope-CMF] CMF security patches in Products.PloneHotfix20121106

Charlie Clark charlie.clark at clark-consulting.eu
Fri Nov 9 19:23:39 UTC 2012


Am 09.11.2012, 17:02 Uhr, schrieb Jens Vagelpohl <jens at dataflake.org>:

> Hi all,
>
> I don't recall any information being provided to the CMF developers  
> about CMF fixes in the most recent Plone Hotfix:
>
> http://plone.org/products/plone-hotfix/releases/20121106
>
> For example, there's a monkey patch to make sure getToolByName only  
> returns valid tool objects and nothing else, see the attached file.
>
> I'm not sure if there's an oversight of not forwarding this information  
> to us or if it was determined this fix is not relevant for the CMF.  
> Would any list member who also works on Plone have an insight?
>
> Thanks!
>
> jens

I got this back from David Glick after asking security at plone.org:

"""
Thanks. We haven't had a chance to start applying the patches in the  
hotfix back to where they really belong, but we'll do so soon.  Note that  
for the time being it should be possible to apply the Plone hotfix to pure  
CMF sites as well to patch this issue.
"""

Still no wiser as to why we weren't informed.

Charlie
-- 
Charlie Clark
Managing Director
Clark Consulting & Research
German Office
Kronenstr. 27a
Düsseldorf
D- 40217
Tel: +49-211-600-3657
Mobile: +49-178-782-6226
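The hotfix item Jens mentions, a getToolByName that "only returns valid tool objects and nothing else", is easiest to understand with a small model of why the unguarded lookup is a problem: getToolByName acquires the named attribute by walking up from the calling context, so an ordinary content object whose id happens to match a tool name, created closer to the context than the real tool, answers the lookup instead. The block below is an added illustrative example written for this page; it is not the hotfix's or CMF's code, it does not import Zope, and it models acquisition as a plain parent-chain walk. The `isinstance(obj, Tool)` test stands in for whatever validity check the hotfix applies; the `Node`, `Tool`, `Content`, `acquire` and `build_site` names are all constructed for the example.

```python
"""Toy model of acquisition-based tool lookup and a guarded variant.

Constructed example for illustration only: no Zope/CMF imports, and the
site layout below is made up. It shows how a user-created object whose id
matches a tool name can shadow the real tool under plain acquisition, and
how a lookup that insists on a real tool object refuses that result.
"""

_marker = object()


class ToolLookupError(TypeError):
    """Raised when a tool name resolves to something that is not a tool."""


class Node:
    """Minimal containment tree: each node knows its id, parent and children."""

    def __init__(self, id, parent=None):
        self.id = id
        self.__parent__ = parent
        self._children = {}

    def add(self, child):
        child.__parent__ = self
        self._children[child.id] = child
        return child


class Tool(Node):
    """A registered site tool (e.g. portal_membership)."""


class Content(Node):
    """Ordinary content that a site user may create (folder, page, ...)."""


def acquire(context, name):
    """Model of acquisition: return the nearest ancestor-or-self child named `name`."""
    node = context
    while node is not None:
        if name in node._children:
            return node._children[name]
        node = node.__parent__
    return None


def get_tool_by_name_unguarded(context, name, default=_marker):
    """Lookup that trusts whatever acquisition hands back (the unsafe shape)."""
    obj = acquire(context, name)
    if obj is None:
        if default is _marker:
            raise AttributeError(name)
        return default
    return obj


def get_tool_by_name_guarded(context, name, default=_marker):
    """Lookup that fails closed unless the acquired object really is a tool.

    A non-tool result is refused rather than mapped to `default`, because
    callers treat a returned value as a trusted tool and would otherwise
    run with attacker-created content in that role.
    """
    obj = acquire(context, name)
    if obj is None:
        if default is _marker:
            raise AttributeError(name)
        return default
    if not isinstance(obj, Tool):
        raise ToolLookupError(
            f"{name!r} resolved to {type(obj).__name__}, not a tool"
        )
    return obj


def build_site():
    """Constructed layout: a real tool at the root and a shadowing folder
    created by an untrusted member inside their own home folder."""
    site = Node("plone")
    site.add(Tool("portal_membership"))
    members = site.add(Content("Members"))
    mallory = members.add(Content("mallory"))
    mallory.add(Content("portal_membership"))  # same id as the real tool
    page = mallory.add(Content("index"))       # code running "in" this page
    return site, page


def resolves_to(lookup, context, name):
    """Report what a lookup returns as a class name, or 'refused'."""
    try:
        return type(lookup(context, name)).__name__
    except ToolLookupError:
        return "refused"


if __name__ == "__main__":
    site, page = build_site()
    print("unguarded, from root :", resolves_to(get_tool_by_name_unguarded, site, "portal_membership"))
    print("unguarded, from page :", resolves_to(get_tool_by_name_unguarded, page, "portal_membership"))
    print("guarded,   from page :", resolves_to(get_tool_by_name_guarded, page, "portal_membership"))
```

Run as a script it shows the unguarded lookup returning `Tool` from the site root but `Content` from the member's page, while the guarded lookup refuses the shadowed result. The point to keep in mind when applying the hotfix to a pure CMF site, as David Glick suggests is possible, is that code which previously got a shadowing object back silently will now raise, so any caller that tolerated odd return values should be reviewed rather than wrapped in a blanket except.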

