[Zope-dev] Security vulnerability CVE 2011-3587: Arbitrary Code Execution
Hanno Schlichting
hanno at hannosch.eu
Tue Oct 4 10:02:02 EST 2011
The Zope security response team is announcing a fix for a
vulnerability in Zope 2.12.x and Zope 2.13.x that allows execution of
arbitrary code by anonymous users. The hotfix for this vulnerability
was pre-announced last week.
This is a severe vulnerability that allows an unauthenticated attacker
to employ a carefully crafted web request to execute arbitrary
commands with the privileges of the Zope service.
Versions Affected: Zope 2.12.x and Zope 2.13.x.
Versions Not Affected: Zope 2.11.x, Zope 2.10.x and prior
You can either install the Hotfix as an egg release from
http://pypi.python.org/pypi/Products.Zope_Hotfix_CVE_2011_3587 or as
an old-style product release available from
http://download.zope.org/Zope2/hotfixes/Zope_Hotfix_CVE_2011_3587-v10.tar.gz.
Alternatively you can upgrade to the latest bugfix release of Zope.
Versions 2.12.20 and 2.13.10 will be released today and include the
fix for this vulnerability.
Please refer to
http://zope2.zope.org/news/security-vulnerability-announcement-cve-2011-3587
for more details.
The Plone community has also released a security hotfix today covering
an additional security issue. If you are using Plone, please refer to
http://plone.org/products/plone/security/advisories/20110928.
On behalf of the Zope security response team,
Hanno Schlichting