[Zope-dev] Hotfix for security vulnerability

Tres Seaver tseaver at palladion.com
Mon Oct 24 21:54:28 UTC 2011


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On behalf of the Zope security response team, I would like to announce
the availability of a hotfix for a vulnerability inadvertently
published earlier today.

'Products.Zope_Hotfix_20111024' README
======================================

Overview
- --------

This hotfix addresses a serious vulnerability in the Zope2
application server.  Affected versions of Zope2 include:

- - 2.12.x <= 2.12.20

- - 2.13.x <= 2.13.6

Older releases (2.11.x, 2.10.x, etc.) are not vulnerable.

The Zope2 security response team recommends that all users of
these releases upgrade to an unaffected release (2.12.21 or
2.13.11) as soon as they become available.

Until that upgrade is feasible, deploying this hotfix also
mitigates the vulnerability.


Installing the Hotfix:  Via 'easy_install'
- -------------------------------------------

If the Python which runs your Zope instance has 'setuptools'
installed (or is a 'virtualenv'), you can install the hotfix
directly from PyPI::

  $ /prefix/bin/easy_install Products.Zope_Hotfix_20111024

and then restart the Zope instance, e.g.:

  $ /path/to/instance/bin/zopectl restart


Installing the Hotfix:  Via 'zc.buildout'
- -----------------------------------------

If your Zope instance is managed via 'zc.buildout', you can
install the hotfix directly from PyPI.  Edit the 'buildout.cfg'
file, adding "Products.Zope_Hotfix_20111024" to the "eggs"
section of the instance.  E.g.::

  [instance] recipe = plone.recipe.zope2instance #...  eggs =
  ${buildout:eggs} Products.Zope_Hotfix_20111024

Next, re-run the buildout::

  $ /path/to/buildout/bin/buildout

and then restart the Zope instance, e.g.:

  $ /path/to/buildout/bin/instance restart


Installing the Hotfix:  Manual Installation
- -------------------------------------------

You may also install this hotfix manually.  Download the tarball from
the PyPI page:

 http://pypi.python.org/pypi/Products.Zope_Hotfix_20111024

Unpack the tarball and add a 'products' key to the 'etc/zope.conf' of
your instance.  E.g.::

  products /path/to/Products.Zope_Hotfix_20111024/Products

and restart.


Verifying the Installation
- --------------------------

After restarting the Zope instance, check the
'Control_Panel/Products' folder in the Zope Management Interface,
e.g.:

  http://localhost:8080/Control_Panel/Products/manage_main

You should see the 'Zope_Hotfix_20111024' product folder there.



Tres.
- -- 
===================================================================
Tres Seaver          +1 540-429-0999          tseaver at palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk6l3pQACgkQ+gerLs4ltQ66AgCfT1cd94LXzBtdzNiBqKXnGBIF
7dwAoISO0AkuvERn+cw4W0cPo82c5r+D
=xRBY
-----END PGP SIGNATURE-----


More information about the Zope-Dev mailing list