[Zope] [Security advisory] Zope 2.7 + 2.8
Bill Campbell
bill at celestial.net
Thu Dec 9 13:20:49 EST 2004
There's a typo in the configuration below. It should be:
security-policy-implementation python
Not:
security-policy-implemenation python
On Thu, Dec 09, 2004, Andreas Jung wrote:
>
>Synopsis:
>
> Due to an error in the cAccessControl module of Zope it is possible to
> bring down a complete Zope site as documented in
>
> http://mail.zope.org/pipermail/zope-dev/2004-December/024087.html
>
> This exploit causes a segmentation fault of the Python interpreter.
> Vulnerable for this exploit are at least all Zope installations
> that allow untrusted users to edit ZPTs (possibly DTML as well) either
> through the ZMI or through the file system.
>
>
>Affected versions:
>
> Zope 2.7.X, Zope 2.8.X
>
>
>Recommended solution:
>
> Turn off cAccessControl and enable the Python AccessControl
>implementation
> in etc/zope.conf (this line is commented in the default configuration):
>
> security-policy-implemenation python
>
>
>A fixed implementation of cAccessControl will be included in the upcoming
>Zope 2.7.4 beta 2 release.
>
>
>----
>Andreas Jung
>Zope 2 Release Manager
>
>
--
Bill
--
INTERNET: bill at Celestial.COM Bill Campbell; Celestial Software LLC
UUCP: camco!bill PO Box 820; 6641 E. Mercer Way
FAX: (206) 232-9186 Mercer Island, WA 98040-0820; (206) 236-1676
URL: http://www.celestial.com/
Many companies that have made themselves dependent on [the equipment of a
certain major manufacturer] (and in doing so have sold their soul to the
devil) will collapse under the sheer weight of the unmastered complexity of
their data processing systems.
-- Edsger W. Dijkstra, SIGPLAN Notices, Volume 17, Number 5
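The whole thread turns on a one-letter spelling difference in a zope.conf directive, and a misspelled key does not enable the Python AccessControl policy, so an administrator who pastes the advisory's text verbatim is left running cAccessControl. The following checker is an added example, not code from the advisory, from Bill Campbell, or from the Zope project; it assumes a zope.conf in the usual ZConfig "key value" form with "#" comments and reports which of the four states a configuration is in (mitigated, misspelled key, explicit C policy, or the C default). The sample fragments are constructed.

```python
import re

# The directive named in the advisory, and the misspelling that the reply
# above corrects. Both strings come from the thread itself.
CORRECT_KEY = "security-policy-implementation"
MISSPELLED_KEY = "security-policy-implemenation"


def parse_zope_conf(text):
    """Return {key: value} for the uncommented top-level lines of a zope.conf.

    zope.conf is a ZConfig file: one "key value" pair per line, "#" starts a
    comment, and <section> blocks open with "<". Section headers are skipped;
    the directive we care about lives at the top level, so that is sufficient
    for this check. Keys are lower-cased because ZConfig treats them
    case-insensitively.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("<"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        if len(parts) == 2:
            settings[parts[0].lower()] = parts[1].strip()
    return settings


def check_access_control(text):
    """Classify a zope.conf against the advisory's recommended mitigation.

    Returns one of:
      "mitigated"   the correct key is present and set to python
      "misspelled"  the typo from the advisory is present; it is not the
                    real directive, so the Python policy is NOT in effect
      "c-explicit"  the correct key is present but set to something other
                    than python (i.e. the C implementation)
      "c-default"   the key is absent or commented out; Zope then defaults
                    to the C implementation
    """
    settings = parse_zope_conf(text)
    if MISSPELLED_KEY in settings:
        return "misspelled"
    value = settings.get(CORRECT_KEY)
    if value is None:
        return "c-default"
    if value.lower() == "python":
        return "mitigated"
    return "c-explicit"


# Constructed sample fragments, not real installation files.
SAMPLE_DEFAULT = """\
# zope.conf fragment as shipped: the directive is commented out
instancehome $INSTANCE
# security-policy-implementation python
"""

SAMPLE_TYPO = """\
instancehome $INSTANCE
security-policy-implemenation python
"""

SAMPLE_FIXED = """\
instancehome $INSTANCE
security-policy-implementation python   # per the corrected advisory
"""

if __name__ == "__main__":
    for name, sample in [("default", SAMPLE_DEFAULT),
                         ("typo", SAMPLE_TYPO),
                         ("fixed", SAMPLE_FIXED)]:
        print(f"{name:8s} -> {check_access_control(sample)}")
```

Running the script prints "default -> c-default", "typo -> misspelled" and "fixed -> mitigated"; only the last of the three has the workaround from the advisory actually in effect, which is the point of the reply above.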