Good evening all, (English version below)

Zope has announced a hotfix for a cross-site-scripting vulnerability. After checking on http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1104 and http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1104, it would seem that Zope 2.9.12 and 2.10.12, the most common versions on which CPS 3.5 runs, are not affected. These are in particular the versions found in the Debian packages from apt.cps-cms.org.
----
A hotfix has been announced for a cross-site-scripting vulnerability on the Zope mailing list. After checking on http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1104 and http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1104, it seems that Zope 2.9.12 and 2.10.12, which are the most common versions on which CPS 3.5 runs, are not vulnerable to this issue. These versions are precisely those that are available as Debian packages on apt.cps-cms.org.

-------- Original Message --------
Subject: [Zope-dev] Announcement: CVE-2010-1104, hotfix, Zope 2.12.22 and 2.13.12 releases
Date: Wed, 18 Jan 2012 17:30:30 -0500
From: Tres Seaver <[email protected]>
To: [email protected], [email protected], Zope Developers <[email protected]>, [email protected]

Overview
========

In response to the cross-site scripting vulnerability in Zope2 reported as 'CVE 2010-1104'[1], the Zope security response team announces the availability of a hotfix product (for Zope < 2.12), and new releases for the Zope 2.12 and 2.13 lines:

  Hotfix:       http://pypi.python.org/pypi/Products.Zope_Hotfix_CVE_2010_1104
  Zope 2.12.22: http://pypi.python.org/pypi/Zope2/2.12.22
  Zope 2.13.12: http://pypi.python.org/pypi/Zope2/2.13.12

WARNING: Zope < 2.12 is no longer officially supported, and may have other unpatched vulnerabilities. You are encouraged to upgrade to a supported Zope 2.

Installing the Hotfix
=====================

The hotfix has been tested with Zope instances using Zope 2.8.x - 2.11.x. Users of Zope 2.12.x and 2.13.x should instead update to the latest corresponding minor revision, which already includes this fix.

Download the tarball from the PyPI page:

  http://pypi.python.org/pypi/Products.Zope_Hotfix_CVE_2010_1104

Unpack the tarball and add a 'products' key to the 'etc/zope.conf' of your instance. E.g.::

  products /path/to/Products.Zope_Hotfix_CVE_2010_1104/Products

and restart.
Alternatively, you may copy or symlink the 'Products' directory into the 'Products' subdirectory of your Zope instance. E.g.::

  $ cp -r /path/to/Products.Zope_Hotfix_CVE_2010_1104/Products \
          /path/to/instance/Products/

Verifying the Installation
--------------------------

After restarting the Zope instance, check the 'Control_Panel/Products' folder in the Zope Management Interface, e.g.:

  http://localhost:8080/Control_Panel/Products/manage_main

You should see the 'Zope_Hotfix_CVE_2010_1104' product folder there.

[1] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1104

Tres.

_______________________________________________
Zope-Dev maillist - [email protected]
https://mail.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
 https://mail.zope.org/mailman/listinfo/zope-announce
 https://mail.zope.org/mailman/listinfo/zope )
_______________________________________________
cps-devel mailing list
http://lists.nuxeo.com/mailman/listinfo/cps-devel
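As an added example, not part of the Zope announcement above or of the CPS project: a POSIX sh script that applies the 'products'-key installation method from the announcement to a Zope < 2.12 instance and checks the result before and after the restart. It assumes the hotfix tarball has already been unpacked; because neither a real instance nor the tarball is available offline, the script builds a stand-in instance and hotfix layout in a temporary directory (constructed demo data, not a real Zope install), and the ZMI URL and credentials used by `zmi_lists_hotfix` are placeholders.

```shell
#!/bin/sh
# Added example, not from the Zope announcement or the CPS project. It scripts
# the Zope < 2.12 hotfix installation and verification described above.
# Assumptions: the hotfix tarball is already unpacked at HOTFIX_SRC and the
# Zope instance lives at INSTANCE (both constructed below as a demo layout,
# since the real tarball is not available offline); the ZMI URL and the
# credentials passed to zmi_lists_hotfix are placeholders.
set -eu

# Append 'products <dir>' to zope.conf unless an identical line already exists,
# so re-running the install step never produces duplicate directives.
add_products_key() {    # $1 = path to etc/zope.conf, $2 = hotfix Products dir
    if grep -qxF "products $2" "$1"; then
        return 0
    fi
    printf 'products %s\n' "$2" >> "$1"
}

# Number of 'products' lines naming the hotfix (prints "0" when there are none).
count_hotfix_keys() {   # $1 = path to etc/zope.conf
    grep -c '^products .*Zope_Hotfix_CVE_2010_1104' "$1" || true
}

# Pre-restart check: every directory named by a 'products' key must exist, and
# one of them must contain the hotfix package (its __init__.py), otherwise Zope
# has nothing to import when it walks the products directories at startup.
hotfix_files_present() {   # $1 = path to etc/zope.conf
    found=1
    while read -r key dir; do
        [ "$key" = products ] || continue
        [ -d "$dir" ] || return 1
        [ -f "$dir/Zope_Hotfix_CVE_2010_1104/__init__.py" ] && found=0
    done < "$1"
    return $found
}

# Post-restart check, the one the announcement prescribes: the product folder
# is listed under Control_Panel/Products in the ZMI. Needs a running instance
# and a manager account, so the offline demo below does not call it.
zmi_lists_hotfix() {    # $1 = instance base URL, $2 = "user:password"
    curl -sf -u "$2" "$1/Control_Panel/Products/manage_main" \
        | grep -q 'Zope_Hotfix_CVE_2010_1104'
}

# --- Constructed demo layout standing in for a real instance + unpacked tarball
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
INSTANCE="$WORK/instance"
HOTFIX_SRC="$WORK/Products.Zope_Hotfix_CVE_2010_1104"
mkdir -p "$INSTANCE/etc" "$INSTANCE/Products" \
         "$HOTFIX_SRC/Products/Zope_Hotfix_CVE_2010_1104"
# Minimal zope.conf: instance home plus the instance's own Products directory.
printf 'instancehome %s\nproducts %s/Products\n' "$INSTANCE" "$INSTANCE" \
    > "$INSTANCE/etc/zope.conf"
# The unpacked hotfix package (an empty __init__.py is enough for the check).
: > "$HOTFIX_SRC/Products/Zope_Hotfix_CVE_2010_1104/__init__.py"
CONF="$INSTANCE/etc/zope.conf"

# Before the install step the config does not mention the hotfix.
hotfix_files_present "$CONF" && echo "unexpected" || echo "hotfix not configured yet"

add_products_key "$CONF" "$HOTFIX_SRC/Products"
add_products_key "$CONF" "$HOTFIX_SRC/Products"   # second call is a no-op
echo "hotfix products lines: $(count_hotfix_keys "$CONF")"   # 1
hotfix_files_present "$CONF" && echo "hotfix package found; restart Zope now"
# After the restart, on a live instance (placeholders):
#   zmi_lists_hotfix http://localhost:8080 admin:secret && echo "hotfix loaded"
```

Only the two file-system checks run in the demo. They catch the usual mistakes before the restart (a mistyped path in the 'products' key, or a tarball unpacked one level too deep so that Products/ holds no package), but the ZMI listing remains the authoritative confirmation that Zope actually loaded the product.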
