[Zope-CMF] CMF security patches in Products.PloneHotfix20121106
David Glick (Plone)
david.glick at plone.org
Fri Nov 9 19:29:07 UTC 2012
On 11/9/12 11:23 AM, Charlie Clark wrote:
> On 09.11.2012, 17:02, Jens Vagelpohl <jens at dataflake.org> wrote:
>
>> Hi all,
>>
>> I don't recall any information being provided to the CMF developers
>> about CMF fixes in the most recent Plone Hotfix:
>>
>> http://plone.org/products/plone-hotfix/releases/20121106
>>
>> For example, there's a monkey patch to make sure getToolByName only
>> returns valid tool objects and nothing else, see the attached file.
>>
>> I'm not sure if there's an oversight of not forwarding this
>> information to us or if it was determined this fix is not relevant
>> for the CMF. Would any list member who also works on Plone have an
>> insight?
>>
>> Thanks!
>>
>> jens
>
> I got this back from David Glick after asking security at plone.org:
>
> """
> Thanks. We haven't had a chance to start applying the patches in the
> hotfix back to where they really belong, but we'll do so soon. Note
> that for the time being it should be possible to apply the Plone
> hotfix to pure CMF sites as well to patch this issue.
> """
>
> Still no wiser as to why we weren't informed.

We should have informed you earlier. There are a lot of tasks associated
with preparing a hotfix (and this one in particular covered many
vulnerabilities), and it got missed. I apologize.

In the future, what's the best place to report possible CMF security
issues? zope-cmf Launchpad?

David
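
The kind of guard Jens describes above for getToolByName, shown here as an added example that is not code from this thread, from the Plone hotfix, or from Products.CMFCore. Tool lookup in CMF goes through acquisition, so an unguarded lookup hands back whatever object of that name is nearest in the containment chain, tool or not; the guarded version returns an object only when the name is a registered tool id and the object it resolves to is actually a tool. The Node and Tool classes, the aq_get stand-in, REGISTERED_TOOL_IDS and the sample site built by build_site() are all constructed for this example and are assumptions, not the CMF API or the hotfix's mechanism.

```python
# Added illustration of a guarded getToolByName. This is NOT the Products.CMFCore
# implementation and NOT the PloneHotfix20121106 patch: Node, Tool, aq_get,
# REGISTERED_TOOL_IDS and build_site() are all constructed for this example.

_marker = object()


class Node:
    """Minimal stand-in for a Zope content object: plain attributes plus a parent link."""

    def __init__(self, parent=None, **attrs):
        self.__parent__ = parent
        for key, value in attrs.items():
            setattr(self, key, value)


class Tool(Node):
    """Marker type for objects that are real tools (what getToolByName should return)."""

    def __init__(self, tool_id, parent=None):
        super().__init__(parent)
        self.id = tool_id


def aq_get(obj, name, default=_marker):
    """Acquisition-style lookup (simplified stand-in for Acquisition.aq_get): return
    the first attribute called `name` found walking from obj up the parent chain."""
    while obj is not None:
        if name in vars(obj):
            return vars(obj)[name]
        obj = obj.__parent__
    if default is _marker:
        raise AttributeError(name)
    return default


def getToolByName_unguarded(obj, name, default=_marker):
    """Acquire `name` and return whatever comes back, tool or not."""
    return aq_get(obj, name, default)


# Hypothetical allow-list of tool ids. A real site would derive this from its
# tool registrations rather than hard-code it.
REGISTERED_TOOL_IDS = frozenset({"portal_catalog", "portal_membership", "portal_url"})


def getToolByName_guarded(obj, name, default=_marker):
    """Same acquisition lookup, but a value is returned only if `name` is a
    registered tool id AND the acquired object is a Tool; anything else is
    treated as 'no such tool' (the default, or AttributeError without one)."""
    found = aq_get(obj, name, _marker) if name in REGISTERED_TOOL_IDS else _marker
    if found is _marker or not isinstance(found, Tool):
        if default is _marker:
            raise AttributeError("%s is not an available tool" % name)
        return default
    return found


def build_site():
    """Constructed sample site. Tools live at the root next to a non-tool
    `acl_users` folder; a subfolder holds a document and also a non-tool object
    whose id shadows the portal_url tool for anything inside that folder."""
    site = Node()
    site.portal_catalog = Tool("portal_catalog", parent=site)
    site.portal_membership = Tool("portal_membership", parent=site)
    site.portal_url = Tool("portal_url", parent=site)
    site.acl_users = Node(parent=site, kind="user folder")
    folder = Node(parent=site)
    folder.portal_url = Node(parent=folder, kind="shadowing content item")
    doc = Node(parent=folder, title="A document")
    return site, doc


def lookup_both(obj, name):
    """Return (unguarded, guarded) results for a name, with misses folded to None."""
    results = []
    for func in (getToolByName_unguarded, getToolByName_guarded):
        try:
            results.append(func(obj, name))
        except AttributeError:
            results.append(None)
    return tuple(results)


if __name__ == "__main__":
    site, doc = build_site()
    for name in ("portal_catalog", "acl_users", "portal_url", "no_such_tool"):
        unguarded, guarded = lookup_both(doc, name)
        print("%-16s unguarded=%-10s guarded=%s" % (
            name, type(unguarded).__name__, type(guarded).__name__))
```

Run from the document, the unguarded lookup returns the user folder for "acl_users" and the shadowing content item for "portal_url", while the guarded lookup returns only the two real tools. In CMF the allow-list would come from the site's tool registrations rather than a hard-coded set; the point of the check is that getToolByName cannot be used as a general acquisition-based attribute lookup.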