[Zope] UPDATE: cgi.py vulnerability hotfix for Zope...
Evan Simpson
evan@4-am.com
Thu, 26 Jul 2001 10:02:42 -0400

The reported problem with this hotfix and Zope 2.4 has been resolved,
and the file has been updated on www.zope.org at the URL mentioned in
the original announcement:

Brian Lloyd wrote:
> This hotfix addresses a potential denial-of-service vulnerability
> in applications that use the Python cgi module (cgi.py) for parsing
> of "multipart" Web form data (Zope uses this functionality internally).
>
> More detailed information is available in the Python bug tracker at
> SourceForge:
>
> http://sourceforge.net/tracker/?group_id=5470&atid=105470&func=detail&aid=443120
>
> While we are not aware of any instances of abuse of this
> vulnerability, we *highly* recommend that any Zope site running versions
> of Zope up to and including 2.4.0 have this hotfix product installed
> to mitigate this issue. (Zope 2.4.1 will not require the
> installation of a separate hotfix).
>
> http://www.zope.org/Products/Zope/Hotfix_2001-07-25/README.txt
>
> http://www.zope.org/Products/Zope/Hotfix_2001-07-25/Hotfix_2001-07-25.tar.gz