[Zope-dev] Resolved security-related collector issues for the public?

Clemens Robbenhaar robbenhaar at espresto.com
Thu Jan 22 15:43:59 EST 2004


Jamie Heilman writes:
 > Clemens Robbenhaar wrote:
 > > malicious Python Scripts on my site (I guess ;-), and I do not use DTML
 > > or some Tree-stuff -- thus I did not upgrade yet, and You may feel free
 > 
 > Actually... unless you've altered the ZMI and HelpSys, you do use
 > dtml-tree ...and HelpSys is publically traversable by default.

 Thanks for the clarification. I just tried to argue from a rather
ignorant point of view ... I could argue some more about why these
issues do not look so dangerous to me, but even if I try hard, I cannot be
that ignorant ;)

 Actually I only tried to point out that if someone would tell me there
is another, not yet published, issue that would allow reading the passwords
of my users TTW or the like, this would make me upgrade even in very
ignorant mode.
 However, obscuring these issues will not help ignorant (or just
busy) admins a lot; they will upgrade after these issues are
published, not after the fixes are released ... meanwhile black hats
checking the CVS may have their exploits applied already.


 About the current discussion of a security (non-)disclosure policy: I
would be happy with a policy which makes security issues public once a
fix from the public CVS is available. (Well, I am running Zope from the
CVS, so my position is maybe a little biased ;-)

Cheers,
Clemens
