[Zope-Checkins] SVN: Zope/hotfixes/Products.Zope_Hotfix_20111024/ Hotfix for vulnerability reported today.

2011-10-24 Thread Tres Seaver
Log message for revision 123147:
  Hotfix for vulnerability reported today.

Changed:
  A   Zope/hotfixes/Products.Zope_Hotfix_20111024/
  A   Zope/hotfixes/Products.Zope_Hotfix_20111024/tags/
  A   Zope/hotfixes/Products.Zope_Hotfix_20111024/trunk/

-=-
___
Zope-Checkins maillist  -  Zope-Checkins@zope.org
https://mail.zope.org/mailman/listinfo/zope-checkins


[Zope-Checkins] SVN: Zope/hotfixes/Products.Zope_Hotfix_20111024/trunk/ Add hotfix for vulnerability reported today.

2011-10-24 Thread Tres Seaver
Log message for revision 123148:
  Add hotfix for vulnerability reported today.

Changed:
  A   Zope/hotfixes/Products.Zope_Hotfix_20111024/trunk/CHANGES.txt
  A   Zope/hotfixes/Products.Zope_Hotfix_20111024/trunk/Products/
  A   Zope/hotfixes/Products.Zope_Hotfix_20111024/trunk/Products/Zope_Hotfix_20111024/
  A   Zope/hotfixes/Products.Zope_Hotfix_20111024/trunk/Products/Zope_Hotfix_20111024/__init__.py
  A   Zope/hotfixes/Products.Zope_Hotfix_20111024/trunk/Products/__init__.py
  A   Zope/hotfixes/Products.Zope_Hotfix_20111024/trunk/README.txt
  A   Zope/hotfixes/Products.Zope_Hotfix_20111024/trunk/setup.py

-=-
Added: Zope/hotfixes/Products.Zope_Hotfix_20111024/trunk/CHANGES.txt
===
--- Zope/hotfixes/Products.Zope_Hotfix_20111024/trunk/CHANGES.txt   (rev 0)
+++ Zope/hotfixes/Products.Zope_Hotfix_20111024/trunk/CHANGES.txt   2011-10-24 21:46:18 UTC (rev 123148)
@@ -0,0 +1,8 @@
+'Products.Zope_Hotfix_20111024' Changelog
+=
+
+
+1.0 (2011-10-24)
+
+
+- Initial release.
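Review bot: the 1.0 entry says only "Initial release", which tells an administrator nothing about what this package changes. Since the package exists for one purpose, state it here (it calls InitializeClass on AccessControl.User.BasicUserFolder so that class's security declarations are applied) and name the Zope2 releases it is meant for, consistent with the README in this same revision.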

Added: Zope/hotfixes/Products.Zope_Hotfix_20111024/trunk/Products/Zope_Hotfix_20111024/__init__.py
===
--- Zope/hotfixes/Products.Zope_Hotfix_20111024/trunk/Products/Zope_Hotfix_20111024/__init__.py   (rev 0)
+++ Zope/hotfixes/Products.Zope_Hotfix_20111024/trunk/Products/Zope_Hotfix_20111024/__init__.py   2011-10-24 21:46:18 UTC (rev 123148)
@@ -0,0 +1,4 @@
+def initialize(context):
+from AccessControl.User import BasicUserFolder
+from App.class_init import InitializeClass
+InitializeClass(BasicUserFolder)
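Review bot: the hotfix initializes AccessControl.User.BasicUserFolder, but the 2.13 and trunk fixes later in this batch add InitializeClass(BasicUserFolder) in OFS/userfolder.py, i.e. on a different class. If the OFS class carries its own ClassSecurityInfo declarations for manage_users, initializing only the AccessControl class will not attach manage_users__roles__ to it and the hotfix would not close the hole on 2.13. Please confirm on 2.13 which class's declarations cover the published manage_users, and if it is the OFS one, initialize it too, wrapped in a try/except ImportError so the same package still loads on 2.12 where that module may not exist. A short comment explaining why this call is needed (the stock code never initialized the base class) would also help anyone reading the product later.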

Added: Zope/hotfixes/Products.Zope_Hotfix_20111024/trunk/Products/__init__.py
===
--- Zope/hotfixes/Products.Zope_Hotfix_20111024/trunk/Products/__init__.py   (rev 0)
+++ Zope/hotfixes/Products.Zope_Hotfix_20111024/trunk/Products/__init__.py   2011-10-24 21:46:18 UTC (rev 123148)
@@ -0,0 +1,6 @@
+# See http://peak.telecommunity.com/DevCenter/setuptools#namespace-packages
+try:
+__import__('pkg_resources').declare_namespace(__name__)
+except ImportError:
+from pkgutil import extend_path
+__path__ = extend_path(__path__, __name__)

Added: Zope/hotfixes/Products.Zope_Hotfix_20111024/trunk/README.txt
===
--- Zope/hotfixes/Products.Zope_Hotfix_20111024/trunk/README.txt   (rev 0)
+++ Zope/hotfixes/Products.Zope_Hotfix_20111024/trunk/README.txt   2011-10-24 21:46:18 UTC (rev 123148)
@@ -0,0 +1,78 @@
+'Products.Zope_Hotfix_20111024' README
+==
+
+Overview
+
+
+This hotfix addresses a serious vulnerability in the Zope2 application
+server.  Affected versions of Zope2 include:
+
+- 2.12.x = 2.12.20
+
+- 2.13.x = 2.13.6
+
+Older releases (2.11.x, 2.10.x, etc.) are not vulnerable.
+
+The Zope2 security response team recommends that all users of these 
+releases upgrade to an unaffected release (2.12.21 or 2.13.11) as soon as
+they become available.
+
+Until that upgrade is feasible, deploying this hotfix also mitigates the
+vulnerability.
+
+
+Installing the Hotfix:  Via 'easy_install'
+---
+
+If the Python which runs your Zope instance has 'setuptools' installed (or
+is a 'virtualenv'), you can install the hotfix directly from PyPI::
+
+  $ /prefix/bin/easy_install Products.Zope_Hotfix_20111024
+
+and then restart the Zope instance, e.g.:
+
+  $ /path/to/instance/bin/zopectl restart
+
+
+Installing the Hotfix:  Via 'zc.buildout'
+-
+
+If your Zope instance is managed via 'zc.buildout', you can install
+the hotfix directly from PyPI.  Edit the 'buildout.cfg' file, adding
+Products.Zope_Hotfix_20111024 to the eggs section of the instance.
+E.g.::
+
+  [instance]
+  recipe = plone.recipe.zope2instance
+  #...
+  eggs =
+${buildout:eggs}
+Products.Zope_Hotfix_20111024
+
+Next, re-run the buildout::
+
+  $ /path/to/buildout/bin/buildout
+
+and then restart the Zope instance, e.g.:
+
+  $ /path/to/buildout/bin/instance restart
+
+
+Installing the Hotfix:  Manual Installation
+---
+
+You may also install this hotfix by unpacking the tarball and adding a
+'products' key to the 'etc/zope.conf' of your instance.   E.g.::
+
+  products /path/to/Products.Zope_Hotfix_20111024/Products
+
+
+Verifying the Installation
+--
+
+After restarting the Zope instance, check the 'Control_Panel/Products'
+folder in the Zope Management Interface, e.g.:
+
+  http://localhost:8080/Control_Panel/Products/manage_main
+
+You should see the 'Zope_Hotfix_20111024' product folder there.
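Review bot: "Verifying the Installation" only confirms that the product was loaded (the folder shows up under Control_Panel/Products), not that the fix took effect. Add a functional check as well, for example that an unauthenticated request to /acl_users/manage_users is now answered with a 401 challenge rather than the user-management form, or that manage_users__roles__ is present and not None on the instance's acl_users, which is what the new unit test in this batch asserts on the class. The affected-version lines also read "2.12.x = 2.12.20" and "2.13.x = 2.13.6" as shown here, which does not tell an administrator whether earlier or later releases in each series are affected; spell out in words which releases of each series are vulnerable so the statement survives plain-text rendering.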

Added: 

[Zope-Checkins] SVN: Zope/hotfixes/Products.Zope_Hotfix_20111024/tags/1.0/ Tag hotfix for vulnerability reported today.

2011-10-24 Thread Tres Seaver
Log message for revision 123149:
  Tag hotfix for vulnerability reported today.

Changed:
  A   Zope/hotfixes/Products.Zope_Hotfix_20111024/tags/1.0/

-=-


[Zope-Checkins] SVN: Zope/branches/2.12/ Fix serious authentication vulnerability in stock configuration.

2011-10-24 Thread Tres Seaver
Log message for revision 123150:
  Fix serious authentication vulnerability in stock configuration.
  

Changed:
  U   Zope/branches/2.12/doc/CHANGES.rst
  U   Zope/branches/2.12/src/AccessControl/User.py

-=-
Modified: Zope/branches/2.12/doc/CHANGES.rst
===
--- Zope/branches/2.12/doc/CHANGES.rst  2011-10-24 21:47:09 UTC (rev 123149)
+++ Zope/branches/2.12/doc/CHANGES.rst  2011-10-24 22:23:09 UTC (rev 123150)
@@ -8,6 +8,7 @@
 2.12.21 (unreleased)
 
 
+- Fixed serious authentication vulnerability in stock configuration.
 
 2.12.20 (2011-10-04)
 

Modified: Zope/branches/2.12/src/AccessControl/User.py
===
--- Zope/branches/2.12/src/AccessControl/User.py   2011-10-24 21:47:09 UTC (rev 123149)
+++ Zope/branches/2.12/src/AccessControl/User.py   2011-10-24 22:23:09 UTC (rev 123150)
@@ -1027,7 +1027,9 @@
  returns true if domain auth mode is set to true
 return getattr(self, '_domain_auth_mode', None)
 
+InitializeClass(BasicUserFolder)
 
+
 class UserFolder(BasicUserFolder):
 
 Standard UserFolder object
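Review bot: this one-line addition is the entire fix, and nothing in the hunk says why it matters. The ClassSecurityInfo declarations on BasicUserFolder (including the protection on manage_users that the follow-up test checks via manage_users__roles__) only become __roles__ attributes when InitializeClass runs on that class; initializing the UserFolder subclass further down does not process the base class's declarations, so the base's methods stayed unprotected. Put a brief comment above the call saying that, so a later cleanup does not remove it as redundant, and have the CHANGES.rst entry in this revision name the affected screen so operators know what to audit.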



[Zope-Checkins] SVN: Zope/branches/2.12/src/AccessControl/tests/testUser.py Add a unittest for today's fix.

2011-10-24 Thread Tres Seaver
Log message for revision 123151:
  Add a unittest for today's fix.

Changed:
  U   Zope/branches/2.12/src/AccessControl/tests/testUser.py

-=-
Modified: Zope/branches/2.12/src/AccessControl/tests/testUser.py
===
--- Zope/branches/2.12/src/AccessControl/tests/testUser.py   2011-10-24 22:23:09 UTC (rev 123150)
+++ Zope/branches/2.12/src/AccessControl/tests/testUser.py   2011-10-24 22:29:40 UTC (rev 123151)
@@ -227,7 +227,15 @@
 # TODO class Test_readUserAccessFile(unittest.TestCase)
 
 
-# TODO class BasicUserFoldertests(unittest.TestCase)
+class BasicUserFolderTests(unittest.TestCase):
+ 
+def _getTargetClass(self):
+from AccessControl.User import BasicUserFolder
+return BasicUserFolder
+ 
+def test_manage_users_security_initialized(self):
+uf = self._getTargetClass()()
+self.assertTrue(hasattr(uf, 'manage_users__roles__'))
 
 
 class UserFolderTests(unittest.TestCase):
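Review bot: hasattr(uf, 'manage_users__roles__') passes whenever the attribute exists, including when its value is None, which in Zope means the method is public. The regression the test guards against is "manage_users callable without authentication", so assert on the value: self.assertTrue(uf.manage_users__roles__ is not None) (spelled that way to keep the 2.12 test suite running on older unittest). Consider adding the same assertion for the UserFolder subclass, since that is the class actually published as acl_users.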
@@ -494,11 +502,12 @@
 
 
 def test_suite():
-suite = unittest.TestSuite()
-suite.addTest(unittest.makeSuite(BasicUserTests))
-suite.addTest(unittest.makeSuite(SimpleUserTests))
-suite.addTest(unittest.makeSuite(SpecialUserTests))
-suite.addTest(unittest.makeSuite(UnrestrictedUserTests))
-suite.addTest(unittest.makeSuite(NullUnrestrictedUserTests))
-suite.addTest(unittest.makeSuite(UserFolderTests))
-return suite
+return unittest.TestSuite((
+unittest.makeSuite(BasicUserTests),
+unittest.makeSuite(SimpleUserTests),
+unittest.makeSuite(SpecialUserTests),
+unittest.makeSuite(UnrestrictedUserTests),
+unittest.makeSuite(NullUnrestrictedUserTests),
+unittest.makeSuite(BasicUserFolderTests),
+unittest.makeSuite(UserFolderTests),
+))



[Zope-Checkins] SVN: Zope/branches/2.13/ Fix serious authentication vulnerability in stock configuration.

2011-10-24 Thread Tres Seaver
Log message for revision 123152:
  Fix serious authentication vulnerability in stock configuration.
  

Changed:
  U   Zope/branches/2.13/doc/CHANGES.rst
  U   Zope/branches/2.13/src/OFS/tests/test_userfolder.py
  U   Zope/branches/2.13/src/OFS/userfolder.py

-=-
Modified: Zope/branches/2.13/doc/CHANGES.rst
===
--- Zope/branches/2.13/doc/CHANGES.rst  2011-10-24 22:29:40 UTC (rev 123151)
+++ Zope/branches/2.13/doc/CHANGES.rst  2011-10-24 22:39:13 UTC (rev 123152)
@@ -8,6 +8,7 @@
 2.13.11 (unreleased)
 
 
+- Fixed serious authentication vulnerability in stock configuration.
 
 2.13.10 (2011-10-04)
 

Modified: Zope/branches/2.13/src/OFS/tests/test_userfolder.py
===
--- Zope/branches/2.13/src/OFS/tests/test_userfolder.py   2011-10-24 22:29:40 UTC (rev 123151)
+++ Zope/branches/2.13/src/OFS/tests/test_userfolder.py   2011-10-24 22:39:13 UTC (rev 123152)
@@ -17,7 +17,15 @@
 # TODO class Test_readUserAccessFile(unittest.TestCase)
 
 
-# TODO class BasicUserFoldertests(unittest.TestCase)
+class BasicUserFolderTests(unittest.TestCase):
+ 
+def _getTargetClass(self):
+from OFS.userfolder import BasicUserFolder
+return BasicUserFolder
+ 
+def test_manage_users_security_initialized(self):
+uf = self._getTargetClass()()
+self.assertTrue(hasattr(uf, 'manage_users__roles__'))
 
 
 class UserFolderTests(unittest.TestCase):
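Review bot: the assertion only checks that manage_users__roles__ exists; a class whose declaration was changed to public would still have the attribute (set to None) and the test would keep passing. Check uf.manage_users__roles__ is not None instead so the test fails for the actual failure mode. Targeting OFS.userfolder.BasicUserFolder here is right for this branch, because that is the class the accompanying OFS/userfolder.py change initializes; a matching test in the AccessControl package would make sure the other BasicUserFolder does not regress either.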
@@ -171,6 +179,8 @@
 
 
 def test_suite():
-suite = unittest.TestSuite()
-suite.addTest(unittest.makeSuite(UserFolderTests))
+suite = unittest.TestSuite((
+unittest.makeSuite(BasicUserFolderTests),
+unittest.makeSuite(UserFolderTests),
+))
 return suite

Modified: Zope/branches/2.13/src/OFS/userfolder.py
===
--- Zope/branches/2.13/src/OFS/userfolder.py   2011-10-24 22:29:40 UTC (rev 123151)
+++ Zope/branches/2.13/src/OFS/userfolder.py   2011-10-24 22:39:13 UTC (rev 123152)
@@ -293,7 +293,9 @@
 message='Cannot change the id of a UserFolder',
 action='./manage_main'))
 
+InitializeClass(BasicUserFolder)
 
+
 class UserFolder(accesscontrol_userfolder.UserFolder, BasicUserFolder):
 Standard UserFolder object
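Review bot: the UserFolder class right below mixes in accesscontrol_userfolder.UserFolder as well as this module's BasicUserFolder, so the published object inherits declarations from two class hierarchies. This change initializes the OFS BasicUserFolder; please confirm that AccessControl's BasicUserFolder is still initialized in its own module on this branch, otherwise any declaration that lives only there would remain unapplied in exactly the way this commit fixes. A one-line comment stating that the base class must be initialized here because nothing else does it would keep the call from being dropped in a later refactoring.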
 



[Zope-Checkins] SVN: Zope/trunk/ Fix serious authentication vulnerability in stock configuration.

2011-10-24 Thread Tres Seaver
Log message for revision 123153:
  Fix serious authentication vulnerability in stock configuration.
  

Changed:
  U   Zope/trunk/doc/CHANGES.rst
  U   Zope/trunk/src/OFS/tests/test_userfolder.py
  U   Zope/trunk/src/OFS/userfolder.py

-=-
Modified: Zope/trunk/doc/CHANGES.rst
===
--- Zope/trunk/doc/CHANGES.rst  2011-10-24 22:39:13 UTC (rev 123152)
+++ Zope/trunk/doc/CHANGES.rst  2011-10-24 22:41:46 UTC (rev 123153)
@@ -11,6 +11,8 @@
 Bugs Fixed
 ++
 
+- Fixed serious authentication vulnerability in stock configuration.
+
 - Fixed a regression in webdav support that broke external editor feature.
 
 - Restore ability to undo multiple transactions from the ZMI by using the
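Review bot: the new entry is filed under "Bugs Fixed" between ordinary bugfix lines, so a reader skimming the changelog can miss that it is a security fix. Give it its own heading or a leading "Security:" marker, mention the affected screen (the user-folder's manage_users), and point users who cannot upgrade immediately at the Products.Zope_Hotfix_20111024 package added earlier in this batch, as its README does.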

Modified: Zope/trunk/src/OFS/tests/test_userfolder.py
===
--- Zope/trunk/src/OFS/tests/test_userfolder.py   2011-10-24 22:39:13 UTC (rev 123152)
+++ Zope/trunk/src/OFS/tests/test_userfolder.py   2011-10-24 22:41:46 UTC (rev 123153)
@@ -17,7 +17,15 @@
 # TODO class Test_readUserAccessFile(unittest.TestCase)
 
 
-# TODO class BasicUserFoldertests(unittest.TestCase)
+class BasicUserFolderTests(unittest.TestCase):
+ 
+def _getTargetClass(self):
+from OFS.userfolder import BasicUserFolder
+return BasicUserFolder
+ 
+def test_manage_users_security_initialized(self):
+uf = self._getTargetClass()()
+self.assertTrue(hasattr(uf, 'manage_users__roles__'))
 
 
 class UserFolderTests(unittest.TestCase):
@@ -171,6 +179,8 @@
 
 
 def test_suite():
-suite = unittest.TestSuite()
-suite.addTest(unittest.makeSuite(UserFolderTests))
+suite = unittest.TestSuite((
+unittest.makeSuite(BasicUserFolderTests),
+unittest.makeSuite(UserFolderTests),
+))
 return suite

Modified: Zope/trunk/src/OFS/userfolder.py
===
--- Zope/trunk/src/OFS/userfolder.py   2011-10-24 22:39:13 UTC (rev 123152)
+++ Zope/trunk/src/OFS/userfolder.py   2011-10-24 22:41:46 UTC (rev 123153)
@@ -293,7 +293,9 @@
 message='Cannot change the id of a UserFolder',
 action='./manage_main'))
 
+InitializeClass(BasicUserFolder)
 
+
 class UserFolder(accesscontrol_userfolder.UserFolder, BasicUserFolder):
 Standard UserFolder object
 



Re: [Zope-dev] zope-tests - FAILED: 21, OK: 31

2011-10-24 Thread Brian Sutherland
On Thu, Oct 20, 2011 at 11:58:09AM -0400, Tres Seaver wrote:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
  [1]FAILED  ZTK 1.0dev / Python2.4.6 Linux 64bit 
  https://mail.zope.org/pipermail/zope-tests/2011-October/051353.html
 
  
  
  [2]FAILED  ZTK 1.0dev / Python2.5.5 Linux 64bit 
  https://mail.zope.org/pipermail/zope-tests/2011-October/051351.html
 
  
  
  [3]FAILED  ZTK 1.0dev / Python2.6.5 Linux 64bit 
  https://mail.zope.org/pipermail/zope-tests/2011-October/051352.html
 
 These are all failing due to a missing version pin for 'six', which
 should not happen:  the ZTK 1.0 package set should not include the new
 version of 'zope.schema' which introduced this dependency.
 
 
  [4]FAILED  ZTK 1.1 / Python2.5.5 Linux 64bit 
  https://mail.zope.org/pipermail/zope-tests/2011-October/051398.html
 
  
  
  [5]FAILED  ZTK 1.1 / Python2.6.5 Linux 64bit 
  https://mail.zope.org/pipermail/zope-tests/2011-October/051397.html
 
  
  
  [6]FAILED  ZTK 1.1 / Python2.7.2 Linux 64bit 
  https://mail.zope.org/pipermail/zope-tests/2011-October/051396.html
 
 This failure is due to the unexpected presence of a 'Data.fs' file in
 what is supposed to be a newly-created tempdir.  I don't understand
 how that is supposed to work, but the bug seems real.
 
 
  [7]FAILED  ZTK 1.1dev / Python2.5.5 Linux 64bit 
  https://mail.zope.org/pipermail/zope-tests/2011-October/051354.html
 
 Syntax errors due to Py3k compatibility changes in 'zope.schema'.  The
 ZTK 1.1dev checkouts pull in the trunk of 'zope.schema', which is
 now backward-incompatible (it drops support for Python 2.5).  I think
 we should be creating a '3.8' branch of 'zope.schema' (copied from
 3.8.1), and make the ZTK 1.1dev checkout use that.

Thanks for fixing these. I didn't realize that the buildouts would break
because of my change. I should have though.

(I've also given up looking at the buildout perma-failures a long time ago)

 Meanwhile, I
 think we should update the 'zope.schema' trunk to indicate that it is
 targeting a new major version, 4.0, due to new dependencies and
 dropping Python 2.5 compatibility.

I've done this.

  [8]FAILED  ZTK 1.1dev / Python2.6.5 Linux 64bit 
  https://mail.zope.org/pipermail/zope-tests/2011-October/051356.html
 
 There is an odd 'zope.testrunner' failure here:
 
  Usage: test [options] [MODULE] [TEST]
 
  test: error: option --profile: invalid choice: 'cProfile' (choose from )
 
 
  Failure in test
 /home/ccomb/ztk1.1dev-slave/Python2.6.5-Linux-64bit/build/src/zope.testrunner/src/zope/testrunner/testrunner-subunit.txt
  Failed doctest test for testrunner-subunit.txt
 
 And also the unexpected Data.fs issue which affected #4, 5, and 6.
 
 
  [9]FAILED  ZTK 1.1dev / Python2.7.2 Linux 64bit 
  https://mail.zope.org/pipermail/zope-tests/2011-October/051355.html
 
 This is the unexpected Data.fs issue which affected #4, 5, and 6.
 
 
 I'm ignoring the 'z3c.*' failures:  I still want these tests either
 fixed or else dropped from the daily report.
 
 
  [21]   FAILED  winbot / ztk_dev py_254_win32 
  https://mail.zope.org/pipermail/zope-tests/2011-October/051382.html
 
 This is the same Python 2.5 incompatibility problem which afflicts #7.

This is a tricky issue, there are 2 parts:

* Supporting python 2.5 in zope.schema is not hard, but will make
  the code quite ugly (no class decorator for implements)
* I'm not sure if the next version of the ZTK will need to support
  Python 2.5

So there seem to be 3 options to fix this buildout issue:

1. Point the ZTK trunk at the zope.schema 3.8 branch
2. Make the zope.schema code uglier and support 2.5
3. Declare that the next ZTK version drops support for 2.5 and stop
   the buildbot for Python 2.5 + ZTK trunk

I'm partial to option 1 to get the buildbot working and defer the Python
2.5/ugly code decision to later.

-- 
Brian Sutherland
___
Zope-Dev maillist  -  Zope-Dev@zope.org
https://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 https://mail.zope.org/mailman/listinfo/zope-announce
 https://mail.zope.org/mailman/listinfo/zope )


Re: [Zope-dev] zope-tests - FAILED: 21, OK: 31

2011-10-24 Thread Tres Seaver
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 10/24/2011 07:24 AM, Brian Sutherland wrote:
 On Thu, Oct 20, 2011 at 11:58:09AM -0400, Tres Seaver wrote:

 Syntax errors due to Py3k compatibility changes in 'zope.schema'.
 The ZTK 1.1dev checkouts pull in the trunk of 'zope.schema',
 which is now backward-incompatible (it drops support for Python
 2.5).  I think we should be creating a '3.8' branch of
 'zope.schema' (copied from 3.8.1), and make the ZTK 1.1dev
 checkout use that.
 
 Thanks for fixing these. I didn't realize that the buildouts would
 break because of my change. I should have though.
 
 (I've also given up looking at the buildout perma-failures a long
 time ago)

We should probably look at *all* '/trunk' dependencies in the ZTK as
future sources of such problems:  people working on trunk development
know that the released ZTK pins versions, but may not realize that the
'-dev' checkouts are possibly affected.

Preemptively switching ZTK dev checkouts to use only release branches
would make that problem go away, but at the cost of requiring
bugfix-only changes to be backported:  today, in many packages, the
trunk remains identical to a release branch for a long time.

Rather than such a drastic step, I think we need to adopt a new policy
that the developer who makes the first non-bugfix change to the
trunk (i.e., adding a new feature or dependency, a
backward-incompatibility, or dropping support for a Python version) is
also responsible for finding and fixing any ZTK breakage (e.g., by
creating the release branch and changing the ZTK configuration to use it).


 [21]   FAILED  winbot / ztk_dev py_254_win32 
 https://mail.zope.org/pipermail/zope-tests/2011-October/051382.html


 
 This is the same Python 2.5 incompatibility problem which afflicts #7.
 
 This is a tricky issue, there are 2 parts:
 
 * Supporting python 2.5 in zope.schema is not hard, but will make
   the code quite ugly (no class decorator for implements)
 * I'm not sure if the next version of the ZTK will need to support
   Python 2.5
 
 So there seem to be 3 options to fix this buildout issue:
 
 1. Point the ZTK trunk at the zope.schema 3.8 branch
 2. Make the zope.schema code uglier and support 2.5
 3. Declare that the next ZTK version drops support for 2.5 and stop
    the buildbot for Python 2.5 + ZTK trunk
 
 I'm partial to option 1 to get the buildbot working and defer the
 Python 2.5/ugly code decision to later.

I also prefer that we drop 2.5 compatibility on the ZTK trunk.  The
2.5.6 release page says[1]:

  This release is most likely the final release of Python 2.5; under
  the current release policy, no security issues in Python 2.5 will be
  fixed after October, 2011.

[1] http://www.python.org/download/releases/2.5.6/



Tres.
-- 
===
Tres Seaver  +1 540-429-0999  tsea...@palladion.com
Palladion Software   Excellence by Designhttp://palladion.com
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk6lf24ACgkQ+gerLs4ltQ53lgCcCAuxGG5Up+0XfFRquXyaLxtK
XiMAnjhY+HzfjTddr3afk8kk66U345C/
=BJmV
-END PGP SIGNATURE-



Re: [Zope-dev] zope-tests - FAILED: 21, OK: 31

2011-10-24 Thread Hanno Schlichting
On Mon, Oct 24, 2011 at 5:08 PM, Tres Seaver tsea...@palladion.com wrote:
 I also prefer that we drop 2.5 compatibility on the ZTK trunk.  The
 2.5.6 release page says[1]:

  This release is most likely the final release of Python 2.5; under
  the current release policy, no security issues in Python 2.5 will be
  fixed after October, 2011.

 [1] http://www.python.org/download/releases/2.5.6/

Fine by me. We have ZTK 1.1 which can keep Python 2.5 support.

For Zope 2, we have dropped Python 2.5 long ago and only do Python 2.6
and 2.7 these days.

Hanno


Re: [Zope-dev] Change in webmaster position

2011-10-24 Thread Simon Michael
Thanks for all the hard work Michael!

Best,
-Simon



[Zope-dev] new wiki.zope.org editor login

2011-10-24 Thread Simon Michael
Hey all.. the shared login for wiki.zope.org editing has been discovered by a 
spammer, so I've changed the password. The 
login is now zope, edit0r. See the message below for more context.

Best,
-Simon



In 2011/05 I wrote:
  Dear all,
 
  edit spam across the wiki.zope.org wikis, gradually increasing over
  the years, has reached multiple incidents per day, multiple days per
  month. Current cleanup procedures take too much time (and are not 100%
  thorough - spam remains in history) and I don't want to spend time
  developing cleverer defenses. Therefore, from today making changes on
  any of the wiki.zope.org wikis requires authentication (a zwiki
  username cookie is no longer enough.)
 
  This marks the transition of our wikis from those early, lowest-
  possible-barrier-to-entry wiki days, to the modern era of mandatory
  access control. :-/
 
  Since there is no member management software in place to allow you to
  self-register, to get a login you'll need to either
 
  - - ask an admin to make one for you. The current wiki.zope.org admin
  users are: Simon Michael, Andreas Jung, Baiju Muthukadan, Sascha
  Welter, Michael Haubenwallner, Fred Drake, Jim Fulton, Ken Manheimer,
  Kevin Teague.
 
  - - use this generic login: zope, zope. The downside of using this a lot
  is that edit history will become less useful.
 
  Also, on wikis using the default skin (all but the zope3 wiki), to
  trigger a login prompt you'll need to manually visit some restricted
  url. E.g. append /editform to any page, like so:
  http://wiki.zope.org/zope2/Zope2Wiki/editform
 
  I hope this will stop the spam, and not inconvenience editors too
  much. Please let me know if you have authenticated and still can't edit.
 
  If you are interested in improving this setup, doing any other
  maintenance of the zope wikis, or taking over as zope wiki czar -
  please step forward! I'd be happy to mentor and provide all needed
  support.
 
  Best,
  - -Simon



[Zope-dev] Hotfix for security vulnerability

2011-10-24 Thread Tres Seaver
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On behalf of the Zope security response team, I would like to announce
the availability of a hotfix for a vulnerability inadvertently
published earlier today.

'Products.Zope_Hotfix_20111024' README
==

Overview
--------

This hotfix addresses a serious vulnerability in the Zope2
application server.  Affected versions of Zope2 include:

- 2.12.x = 2.12.20

- 2.13.x = 2.13.6

Older releases (2.11.x, 2.10.x, etc.) are not vulnerable.

The Zope2 security response team recommends that all users of
these releases upgrade to an unaffected release (2.12.21 or
2.13.11) as soon as they become available.

Until that upgrade is feasible, deploying this hotfix also
mitigates the vulnerability.


Installing the Hotfix:  Via 'easy_install'
---

If the Python which runs your Zope instance has 'setuptools'
installed (or is a 'virtualenv'), you can install the hotfix
directly from PyPI::

  $ /prefix/bin/easy_install Products.Zope_Hotfix_20111024

and then restart the Zope instance, e.g.:

  $ /path/to/instance/bin/zopectl restart


Installing the Hotfix:  Via 'zc.buildout'
---

If your Zope instance is managed via 'zc.buildout', you can
install the hotfix directly from PyPI.  Edit the 'buildout.cfg'
file, adding Products.Zope_Hotfix_20111024 to the eggs
section of the instance.  E.g.::

  [instance]
  recipe = plone.recipe.zope2instance
  #...
  eggs =
      ${buildout:eggs}
      Products.Zope_Hotfix_20111024

Next, re-run the buildout::

  $ /path/to/buildout/bin/buildout

and then restart the Zope instance, e.g.:

  $ /path/to/buildout/bin/instance restart


Installing the Hotfix:  Manual Installation
---

You may also install this hotfix manually.  Download the tarball from
the PyPI page:

 http://pypi.python.org/pypi/Products.Zope_Hotfix_20111024

Unpack the tarball and add a 'products' key to the 'etc/zope.conf' of
your instance.  E.g.::

  products /path/to/Products.Zope_Hotfix_20111024/Products

and restart.


Verifying the Installation
---

After restarting the Zope instance, check the
'Control_Panel/Products' folder in the Zope Management Interface,
e.g.:

  http://localhost:8080/Control_Panel/Products/manage_main

You should see the 'Zope_Hotfix_20111024' product folder there.



Tres.
-- 
===
Tres Seaver  +1 540-429-0999  tsea...@palladion.com
Palladion Software   Excellence by Designhttp://palladion.com
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk6l3pQACgkQ+gerLs4ltQ66AgCfT1cd94LXzBtdzNiBqKXnGBIF
7dwAoISO0AkuvERn+cw4W0cPo82c5r+D
=xRBY
-END PGP SIGNATURE-
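The announcement above does not say what the hotfix actually changes; the checkins earlier in this digest show it is a single InitializeClass(BasicUserFolder) call. The following is an added example, not Zope's code and not the hotfix's: a toy reimplementation of the ClassSecurityInfo / InitializeClass pattern (the names mirror AccessControl's API, but the bodies, the DEFAULT_ROLES table, roles_for, find_unprotected and reproduce are this example's own simplifications) that reproduces why initializing only the subclass leaves manage_users with no __roles__, and an audit helper that generalizes the hasattr(uf, 'manage_users__roles__') check from the committed tests to every declaration in a class hierarchy.

```python
"""Toy model of Zope 2's ClassSecurityInfo / InitializeClass pattern.

Added illustration, not Zope's code: the names mirror AccessControl's API, but
the bodies are a minimal reimplementation that keeps only what is needed to
show why a missing InitializeClass(BasicUserFolder) call leaves manage_users
callable by anyone, and why adding that one call closes the gap.
"""

PUBLIC = None  # Zope convention: <name>__roles__ = None means "anyone may call"

# Toy mapping from permission name to the roles holding it by default
# (real Zope derives this from the permission's registered default roles).
DEFAULT_ROLES = {
    "Manage users": ("Manager",),
    "View management screens": ("Manager",),
}


class ClassSecurityInfo(object):
    """Records declarations; nothing is applied until InitializeClass runs."""

    def __init__(self):
        self.declarations = {}  # method name -> permission name

    def declareProtected(self, permission, *names):
        for name in names:
            self.declarations[name] = permission


def InitializeClass(cls):
    """Apply the ClassSecurityInfo declarations found in cls.__dict__ only.

    As in Zope, a base class's declarations are NOT processed here; every
    class that owns a ClassSecurityInfo must be initialized itself. (The toy
    keeps the 'security' attribute instead of deleting it, so the audit
    below can still see the declarations afterwards.)
    """
    for attr in list(vars(cls).values()):
        if isinstance(attr, ClassSecurityInfo):
            for name, permission in attr.declarations.items():
                setattr(cls, name + "__roles__", DEFAULT_ROLES[permission])


def roles_for(obj, name):
    """Toy stand-in for the publisher's check: the roles attached to the
    method, or PUBLIC if the owning class never had its declarations applied."""
    return getattr(obj, name + "__roles__", PUBLIC)


def make_user_folder_classes():
    """Fresh classes on each call, so the two scenarios below stay independent."""

    class BasicUserFolder(object):
        security = ClassSecurityInfo()
        security.declareProtected("Manage users", "manage_users")

        def manage_users(self):
            return "user management form"

    class UserFolder(BasicUserFolder):
        security = ClassSecurityInfo()
        security.declareProtected("View management screens", "manage_main")

        def manage_main(self):
            return "contents listing"

    return BasicUserFolder, UserFolder


def find_unprotected(cls):
    """Audit: declared methods anywhere in cls's MRO that carry no __roles__
    on cls, i.e. declarations that InitializeClass never applied."""
    missing = []
    for klass in cls.__mro__:
        for attr in vars(klass).values():
            if isinstance(attr, ClassSecurityInfo):
                for name in attr.declarations:
                    if not hasattr(cls, name + "__roles__"):
                        missing.append((klass.__name__, name))
    return missing


def reproduce(apply_fix):
    """Return (roles of manage_users, roles of manage_main, audit findings)
    for the stock behaviour (apply_fix=False) and with the fix applied."""
    BasicUserFolder, UserFolder = make_user_folder_classes()
    InitializeClass(UserFolder)            # stock code: only the subclass
    if apply_fix:
        InitializeClass(BasicUserFolder)   # the one-line fix / the hotfix
    uf = UserFolder()
    return (roles_for(uf, "manage_users"),
            roles_for(uf, "manage_main"),
            find_unprotected(UserFolder))


if __name__ == "__main__":
    print("stock:", reproduce(False))  # manage_users is PUBLIC, audit flags it
    print("fixed:", reproduce(True))   # manage_users needs Manager, audit clean
```

Run stand-alone it prints both scenarios. In the stock case manage_main is protected (the subclass was initialized) while manage_users, declared on the base class, has no roles at all; the audit reports exactly that pair. On a real instance the equivalent check is the one the committed tests make, with the stronger assertion that acl_users.manage_users__roles__ exists and is not None.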


[Zope-dev] zope-tests - FAILED: 11, OK: 40

2011-10-24 Thread Zope tests summarizer
This is the summary for test reports received on the 
zope-tests list between 2011-10-23 00:00:00 UTC and 2011-10-24 00:00:00 UTC:

See the footnotes for test reports of unsuccessful builds.

An up-to date view of the builders is also available in our 
buildbot documentation: 
http://docs.zope.org/zopetoolkit/process/buildbots.html#the-nightly-builds

Reports received


   Bluebream / Python2.5.5 64bit linux
   Bluebream / Python2.6.5 64bit linux
   Bluebream / Python2.7.2 64bit linux
   ZTK 1.0 / Python2.4.6 Linux 64bit
[1]ZTK 1.0 / Python2.5.5 Linux 64bit
[2]ZTK 1.0 / Python2.6.5 Linux 64bit
   ZTK 1.0dev / Python2.4.6 Linux 64bit
   ZTK 1.0dev / Python2.5.5 Linux 64bit
   ZTK 1.0dev / Python2.6.5 Linux 64bit
[3]ZTK 1.1 / Python2.5.5 Linux 64bit
[4]ZTK 1.1 / Python2.6.5 Linux 64bit
   ZTK 1.1 / Python2.7.2 Linux 64bit
   ZTK 1.1dev / Python2.5.5 Linux 64bit
[5]ZTK 1.1dev / Python2.6.5 Linux 64bit
[6]ZTK 1.1dev / Python2.7.2 Linux 64bit
   Zope 3.4 KGS / Python2.4.6 64bit linux
   Zope 3.4 KGS / Python2.5.5 64bit linux
   Zope 3.4 Known Good Set / py2.4-32bit-linux
   Zope 3.4 Known Good Set / py2.4-64bit-linux
   Zope 3.4 Known Good Set / py2.5-32bit-linux
   Zope 3.4 Known Good Set / py2.5-64bit-linux
   Zope-2.10 Python-2.4.6 : Linux
   Zope-2.11 Python-2.4.6 : Linux
   Zope-2.12 Python-2.6.6 : Linux
   Zope-2.12-alltests Python-2.6.6 : Linux
   Zope-2.13 Python-2.6.6 : Linux
   Zope-2.13-alltests Python-2.6.6 : Linux
   Zope-trunk Python-2.6.6 : Linux
   Zope-trunk-alltests Python-2.6.6 : Linux
   winbot / ZODB_dev py_254_win32
   winbot / ZODB_dev py_265_win32
   winbot / ZODB_dev py_265_win64
   winbot / ZODB_dev py_270_win32
   winbot / ZODB_dev py_270_win64
[7]winbot / z3c.form_py_265_32
[8]winbot / zope.app.error_py_265_32
[9]winbot / zope.app.principalannotation_py_265_32
[10]   winbot / zope.generations_py_265_32
   winbot / ztk_10 py_254_win32
   winbot / ztk_10 py_265_win32
   winbot / ztk_10 py_265_win64
   winbot / ztk_11 py_254_win32
   winbot / ztk_11 py_265_win32
   winbot / ztk_11 py_265_win64
   winbot / ztk_11 py_270_win32
   winbot / ztk_11 py_270_win64
[11]   winbot / ztk_dev py_254_win32
   winbot / ztk_dev py_265_win32
   winbot / ztk_dev py_265_win64
   winbot / ztk_dev py_270_win32
   winbot / ztk_dev py_270_win64

Non-OK results
--

[1]FAILED  ZTK 1.0 / Python2.5.5 Linux 64bit
   https://mail.zope.org/pipermail/zope-tests/2011-October/051640.html


[2]FAILED  ZTK 1.0 / Python2.6.5 Linux 64bit
   https://mail.zope.org/pipermail/zope-tests/2011-October/051639.html


[3]FAILED  ZTK 1.1 / Python2.5.5 Linux 64bit
   https://mail.zope.org/pipermail/zope-tests/2011-October/051637.html


[4]FAILED  ZTK 1.1 / Python2.6.5 Linux 64bit
   https://mail.zope.org/pipermail/zope-tests/2011-October/051636.html


[5]FAILED  ZTK 1.1dev / Python2.6.5 Linux 64bit
   https://mail.zope.org/pipermail/zope-tests/2011-October/051651.html


[6]FAILED  ZTK 1.1dev / Python2.7.2 Linux 64bit
   https://mail.zope.org/pipermail/zope-tests/2011-October/051649.html


[7]FAILED  winbot / z3c.form_py_265_32
   https://mail.zope.org/pipermail/zope-tests/2011-October/051654.html


[8]FAILED  winbot / zope.app.error_py_265_32
   https://mail.zope.org/pipermail/zope-tests/2011-October/051658.html


[9]FAILED  winbot / zope.app.principalannotation_py_265_32
   https://mail.zope.org/pipermail/zope-tests/2011-October/051653.html


[10]   FAILED  winbot / zope.generations_py_265_32
   https://mail.zope.org/pipermail/zope-tests/2011-October/051659.html


[11]   FAILED  winbot / ztk_dev py_254_win32
   https://mail.zope.org/pipermail/zope-tests/2011-October/051671.html




[Zope] serious security hole in manage users / Manage users permissions?

2011-10-24 Thread Niels Dettenbach
Dear Zope 2.12/.13 (4.0) devels,


as far as I can see, I may have found a serious security hole within Zope 2.12
/ 2.13 (4.0 not tested yet) - I'm still investigating here further...


problem:
==
Even on fresh installs of Zope and freshly created instances on it, anonymous /
remote users are able to access acl_users/manage_users by the web WITHOUT
AUTHENTICATION. They can edit / delete / create users and assign roles as
they want. Other management screens (such as manage_main or manage_access etc.)
are protected as usual.

In manage_access, "Manage users" is only allowed for Manager (as by default).

I don't believe that this is any new behaviour of newer Zope versions...

I've tested this with (the last public) 2.13.10 and the last 2.12.20 with python2.6.

If any of the devels want to have a test URL, please contact me directly.

Freshly installed Zope instances were configured with default configs, except
for setting the user zope (and/or port-base). Tried it with no owner or the admin
user as owner of the acl_users too.

Can anyone prove this here too? If so, any solution / security fix?


many thanks,
best regards.


Niels.

-- 
---
Niels Dettenbach
Syndicat ITInternet
http://www.syndicat.com/

___
Zope maillist  -  Zope@zope.org
https://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 https://mail.zope.org/mailman/listinfo/zope-announce
 https://mail.zope.org/mailman/listinfo/zope-dev )
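A defender-side check for the condition described in the report above, added here as an example and not code from the thread or from Zope: it scans access-log lines and flags anonymous requests to acl_users management views that the server did not reject. The log lines are constructed, and the format (Common Log Format with the Basic-auth user name or "Anonymous" in the third field, as Zope's Z2.log is assumed to write it) is an assumption.

```python
import re

# Constructed sample access-log lines (not real server logs), in the Common
# Log Format that Zope's Z2.log is assumed to use: the Basic-auth user name,
# or "Anonymous" when no credentials were sent, sits in the third field.
SAMPLE_LOG = """\
10.0.0.5 - Anonymous [24/Oct/2011:15:01:12 +0200] "GET /index_html HTTP/1.1" 200 512 "" "Mozilla/5.0"
10.0.0.7 - admin [24/Oct/2011:15:02:40 +0200] "GET /acl_users/manage_users HTTP/1.1" 200 4096 "" "Mozilla/5.0"
10.0.0.9 - Anonymous [24/Oct/2011:15:05:03 +0200] "GET /acl_users/manage_users HTTP/1.1" 200 4096 "" "curl/7.21"
10.0.0.9 - Anonymous [24/Oct/2011:15:05:09 +0200] "POST /acl_users/manage_users HTTP/1.1" 302 0 "" "curl/7.21"
10.0.0.9 - Anonymous [24/Oct/2011:15:06:00 +0200] "GET /acl_users/manage_main HTTP/1.1" 401 0 "" "curl/7.21"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

# User-folder management views that must never be served to Anonymous.
SENSITIVE_VIEWS = ('/manage_users', '/manage_main', '/manage_access')


def parse_line(line):
    """Return the fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry['status'] = int(entry['status'])
    return entry


def is_suspicious(entry):
    """Anonymous hit on an acl_users management view that was not rejected
    (any status other than 401/403 means the ZMI actually answered it)."""
    path = entry['path'].split('?', 1)[0]
    return (entry['user'] == 'Anonymous'
            and '/acl_users/' in path
            and path.endswith(SENSITIVE_VIEWS)
            and entry['status'] not in (401, 403))


def find_anonymous_user_admin(log_text):
    """Scan a whole log; return one (ip, method, path, status) per alert."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None and is_suspicious(entry):
            hits.append((entry['ip'], entry['method'],
                         entry['path'], entry['status']))
    return hits
```

Run over the sample, only the two anonymous manage_users requests that got a 200 and a 302 are reported; the authenticated admin and the rejected 401 are not.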


Re: [Zope] serious security hole in manage users / Manage users permissions?

2011-10-24 Thread Laurence Rowe
Potential security issues should not be discussed on public mailing
lists but submitted to security-respo...@zope.org. Please submit the
full information to that address and do not follow up further on this
list.

Laurence

On 24 October 2011 15:05, Niels Dettenbach n...@syndicat.com wrote:
 Dear Zope 2.12/.13 (4.0) devels,


 As far as I can see, I may have found a serious security hole within Zope 2.12
 / 2.13 (4.0 not tested yet) - I'm still investigating here further...


 problem:
 ========
 Even on fresh installs of Zope and freshly created instances on it, anonymous /
 remote users are able to access acl_users/manage_users via the web WITHOUT
 AUTHENTICATION. They can edit / delete / create users and serve roles as
 they want. Other management screens (such as manage_main or manage_access etc.) are
 protected as usual.

 In manage_access, "Manage users" is only allowed for Manager (as by default).

 I don't believe that this is any new behaviour of newer Zope versions...

 I've tested this with (the last public) 2.13.10 and the last 2.12.20 with python2.6.

 If any of the devels want to have a test url, pls contact me directly.

 Freshly installed Zope instances were configured with default configs, except
 setting user zope (and/or port-base). Tried it with no owner or the admin
 user as owner of the acl_users too.

 Can anyone prove this here too? If so, any solution / security fix?


 many thanks,
 best regards.


 Niels.

 --
 ---
 Niels Dettenbach
 Syndicat ITInternet
 http://www.syndicat.com/




Re: [Zope] serious security hole in manage users / Manage users permissions?

2011-10-24 Thread Jaroslav Lukesh
2.10.13 is not affected, neither via a direct link nor via an acquired link.


[Zope] Manipulating images in Zope/Python

2011-10-24 Thread Brian Sullivan
I am looking for a strategy to programmatically create a customized
printable certificate of completion for our Learning Delivery System
courses (the system is Zope/Python based).

My current plan is to use the Python Imaging Library to create the
image (probably by overlaying some text on a stock image of a
completion certificate to create a new image). The final image will
then be emailed as an attachment to users.

Is this a reasonable approach? Any others that anybody can suggest?
Any samples of doing anything like this that anyone can point to?


[Zope] Hotfix for security vulnerability

2011-10-24 Thread Tres Seaver

On behalf of the Zope security response team, I would like to announce
the availability of a hotfix for a vulnerability inadvertently
published earlier today.

'Products.Zope_Hotfix_20111024' README
======================================

Overview
--------

This hotfix addresses a serious vulnerability in the Zope2
application server.  Affected versions of Zope2 include:

- 2.12.x <= 2.12.20

- 2.13.x <= 2.13.6

Older releases (2.11.x, 2.10.x, etc.) are not vulnerable.

The Zope2 security response team recommends that all users of
these releases upgrade to an unaffected release (2.12.21 or
2.13.11) as soon as they become available.

Until that upgrade is feasible, deploying this hotfix also
mitigates the vulnerability.


Installing the Hotfix:  Via 'easy_install'
------------------------------------------

If the Python which runs your Zope instance has 'setuptools'
installed (or is a 'virtualenv'), you can install the hotfix
directly from PyPI::

  $ /prefix/bin/easy_install Products.Zope_Hotfix_20111024

and then restart the Zope instance, e.g.:

  $ /path/to/instance/bin/zopectl restart


Installing the Hotfix:  Via 'zc.buildout'
-----------------------------------------

If your Zope instance is managed via 'zc.buildout', you can
install the hotfix directly from PyPI.  Edit the 'buildout.cfg'
file, adding Products.Zope_Hotfix_20111024 to the eggs
section of the instance.  E.g.::

  [instance]
  recipe = plone.recipe.zope2instance
  #...
  eggs =
      ${buildout:eggs}
      Products.Zope_Hotfix_20111024

Next, re-run the buildout::

  $ /path/to/buildout/bin/buildout

and then restart the Zope instance, e.g.:

  $ /path/to/buildout/bin/instance restart


Installing the Hotfix:  Manual Installation
-------------------------------------------

You may also install this hotfix manually.  Download the tarball from
the PyPI page:

 http://pypi.python.org/pypi/Products.Zope_Hotfix_20111024

Unpack the tarball and add a 'products' key to the 'etc/zope.conf' of
your instance.  E.g.::

  products /path/to/Products.Zope_Hotfix_20111024/Products

and restart.


Verifying the Installation
--------------------------

After restarting the Zope instance, check the
'Control_Panel/Products' folder in the Zope Management Interface,
e.g.:

  http://localhost:8080/Control_Panel/Products/manage_main

You should see the 'Zope_Hotfix_20111024' product folder there.



Tres.
-- 
===
Tres Seaver  +1 540-429-0999  tsea...@palladion.com
Palladion Software   Excellence by Designhttp://palladion.com


[Zope-CMF] cmf-tests - OK: 4

2011-10-24 Thread CMF tests summarizer
This is the summary for test reports received on the 
cmf-tests list between 2011-10-23 00:00:00 UTC and 2011-10-24 00:00:00 UTC:

See the footnotes for test reports of unsuccessful builds.

An up-to-date view of the builders is also available in our 
buildbot documentation: 
http://docs.zope.org/zopetoolkit/process/buildbots.html#the-nightly-builds

Reports received
----------------

   CMF-2.2 Zope-2.12 Python-2.6.6 : Linux
   CMF-2.2 Zope-2.13 Python-2.6.6 : Linux
   CMF-trunk Zope-2.13 Python-2.6.6 : Linux
   CMF-trunk Zope-trunk Python-2.6.6 : Linux

Non-OK results
--------------

___
Zope-CMF maillist  -  Zope-CMF@zope.org
https://mail.zope.org/mailman/listinfo/zope-cmf

See https://bugs.launchpad.net/zope-cmf/ for bug reports and feature requests