Re: [Zope] Zope and security vulnerability: 20121106

2012-11-14 Thread Christopher N. Deckard
We are running Zope 2.13.10.  (So this may not be too helpful.)  We are testing 
the hotfix.  This is the output in our event log.

2012-11-14T10:16:49 INFO Products.PloneHotfix20121106 Applied setHeader patch
2012-11-14T10:16:49 INFO Products.PloneHotfix20121106 Applied allow_module patch
2012-11-14T10:16:49 INFO Products.PloneHotfix20121106 Applied get_request_var_or_attr patch
2012-11-14T10:16:49 WARNING Products.PloneHotfix20121106 Could not apply gtbn
2012-11-14T10:16:49 WARNING Products.PloneHotfix20121106 Could not apply membership_tool
2012-11-14T10:16:49 WARNING Products.PloneHotfix20121106 Could not apply queryCatalog
2012-11-14T10:16:49 WARNING Products.PloneHotfix20121106 Could not apply uid_catalog
2012-11-14T10:16:49 WARNING Products.PloneHotfix20121106 Could not apply renameObjectsByPaths
2012-11-14T10:16:49 WARNING Products.PloneHotfix20121106 Could not apply at_download
2012-11-14T10:16:49 WARNING Products.PloneHotfix20121106 Could not apply safe_html
2012-11-14T10:16:49 INFO Products.PloneHotfix20121106 Applied python_scripts patch
2012-11-14T10:16:49 INFO Products.PloneHotfix20121106 Applied ftp patch
2012-11-14T10:16:49 INFO Products.PloneHotfix20121106 Applied atat patch
2012-11-14T10:16:49 WARNING Products.PloneHotfix20121106 Could not apply random_string
2012-11-14T10:16:49 INFO Products.PloneHotfix20121106 Hotfix installed

Without knowing how to specifically break things I can't say if it is good to 
be running this or not.  I'm sure a new Zope2 release will include these 
updates?

-Chris


Christopher N. Deckard  | Lead Web Systems Developer
  c...@ecn.purdue.edu|Engineering Computer Network
  http://eng.purdue.edu/ECN/| Purdue University 



On Nov 13, 2012, at 4:30 AM, Jens Vagelpohl j...@dataflake.org wrote:

 
 On Nov 13, 2012, at 10:16 , Jürgen Herrmann juergen.herrm...@xlhost.de 
 wrote:
 I successfully applied these hotfixes to Zope 2.13 versions
 without any problems. What puzzles me though is why was there
 no announcement for these fixes here on zope ml? Or are these
 fixes not critical for pure Zope2 users? Or are these all fixed
 in the latest version of Zope2?
 
 There was no announcement here because those patches were prepared by Plone 
 developers without our knowledge and announced without our knowledge. The 
 Zope developers know as much about these patches (meaning little to nothing) 
 as any other Zope user.
 
 jens
 
 

___
Zope maillist  -  Zope@zope.org
https://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists -
 https://mail.zope.org/mailman/listinfo/zope-announce
 https://mail.zope.org/mailman/listinfo/zope-dev )


Re: [Zope] Zope and security vulnerability: 20121106

2012-11-13 Thread johannes raggam

from the security announcement page:
https://plone.org/products/plone/security/advisories/20121106-announcement

This patch is compatible with all supported Plone versions (i.e.
Plone 3 and Plone 4), it may work on earlier versions of Plone, but as
these are unsupported they have had less testing done.

so probably zope versions from 2.10.11 onwards are supported. see:
http://dist.plone.org/release/3-latest/versions.cfg

other versions UNSUPPORTED. if you really need to know which versions
exactly are affected, you HAVE to find out yourself. either by trying
it out in a test environment or by analyzing the whole commit history
of affected modules in zope.

people reported successful patching of Plone2.1 and i patched a Zope
2.8 instance too. but this is informal, not an official statement.



On 11/13/2012 12:49 AM, Marcus Schopen wrote:
 On Monday, 12.11.2012, 11:13 -0700, Sean Upton wrote:
 
 
 
 On Mon, Nov 12, 2012 at 5:31 AM, Marcus Schopen
 li...@localguru.de wrote: On Monday, 12.11.2012, at 12:07,
 Richard Harley wrote:
 So, to clarify, does this affect plain Zope 2.10, no Plone?
 
 
 That's still the question to me ;)
 
 Why not try product installation and running your instance in
 the foreground.  If anything breaks, comment out any specific
 inapplicable hotfix in __init__.py.  A brief look at the source
 will tell you that it is unlikely you should need to do this, as
 conditional imports check what to apply.
 
 Yes, we all can go the long way of try and error and code
 inspection ... without knowing anything for sure in the end.
 
 Ciao!
 
 
 


-- 
programmatic  web development
di(fh) johannes raggam / thet
python plone zope development
mail: off...@programmatic.pro
web:  http://programmatic.pro
  http://bluedynamics.com


Re: [Zope] Zope and security vulnerability: 20121106

2012-11-13 Thread Jürgen Herrmann

On 13.11.2012 10:05, johannes raggam wrote:

from the security announcement page:

https://plone.org/products/plone/security/advisories/20121106-announcement

This patch is compatible with all supported Plone versions (i.e.
Plone 3 and Plone 4), it may work on earlier versions of Plone, but as
these are unsupported they have had less testing done.

so probably zope versions from 2.10.11 onwards are supported. see:
http://dist.plone.org/release/3-latest/versions.cfg

other versions UNSUPPORTED. if you really need to know which versions
exactly are affected, you HAVE to find out yourself. either by trying
it out in a test environment or by analyzing the whole commit history
of affected modules in zope.

people reported successful patching of Plone2.1 and i patched a Zope
2.8 instance too. but this is informal, not an official statement.


Hi!

I successfully applied these hotfixes to Zope 2.13 versions
without any problems. What puzzles me though is why was there
no announcement for these fixes here on zope ml? Or are these
fixes not critical for pure Zope2 users? Or are these all fixed
in the latest version of Zope2?

kind regards,
Jürgen







Re: [Zope] Zope and security vulnerability: 20121106

2012-11-13 Thread Jens Vagelpohl

On Nov 13, 2012, at 10:16 , Jürgen Herrmann juergen.herrm...@xlhost.de wrote:
 I successfully applied these hotfixes to Zope 2.13 versions
 without any problems. What puzzles me though is why was there
 no announcement for these fixes here on zope ml? Or are these
 fixes not critical for pure Zope2 users? Or are these all fixed
 in the latest version of Zope2?

There was no announcement here because those patches were prepared by Plone 
developers without our knowledge and announced without our knowledge. The Zope 
developers know as much about these patches (meaning little to nothing) as any 
other Zope user.

jens






Re: [Zope] Zope and security vulnerability: 20121106

2012-11-13 Thread johannes raggam
It was overlooked.

quoting David Glick on [Zope-CMF] from 9-11-2012:


We should have informed you earlier. There are a lot of tasks
associated with preparing a hotfix (and this one in particular covered
many vulnerabilities), and it got missed. I apologize.

In the future, what's the best place to report possible CMF security
issues? zope-cmf Launchpad?


On 11/13/2012 10:30 AM, Jens Vagelpohl wrote:
 
 On Nov 13, 2012, at 10:16 , Jürgen Herrmann
 juergen.herrm...@xlhost.de wrote:
 I successfully applied these hotfixes to Zope 2.13 versions 
 without any problems. What puzzles me though is why was there no
 announcement for these fixes here on zope ml? Or are these fixes
 not critical for pure Zope2 users? Or are these all fixed in the
 latest version of Zope2?
 
 There was no announcement here because those patches were prepared
 by Plone developers without our knowledge and announced without our
 knowledge. The Zope developers know as much about these patches
 (meaning little to nothing) as any other Zope user.
 
 jens
 
 
 
 




Re: [Zope] Zope and security vulnerability: 20121106

2012-11-12 Thread johannes raggam
The affected versions go back a long time. I don't know it exactly,
but people have used it successfully with Plone 2.1 (from ancient
times) and I have patched Zope 2.8 instances too.


On 11/11/2012 09:43 PM, Allen Schmidt wrote:
 For which zope versions?
 
 On Nov 11, 2012 2:16 PM, johannes raggam raggam...@adm.at 
 mailto:raggam...@adm.at wrote:
 
 You can just apply the Plone hotfix for Zope only installations.
 The Plone patches are not applied then.
 
 Johannes
 
 On 11/11/2012 06:32 PM, Marcus Schopen wrote:
 Hi,
 
 is a standard Zope affected by this security vulnerability or
 only if Plone is installed:
 
 
 http://plone.org/products/plone/security/advisories/20121106-announcement

 
 The patch is replacing some basic classes therefore it looks to
 me that Zope itself without any Plone is vulnerable too. If so
 is there a Hotfix for Zope or new Zope version which fixes these 
 bugs?
 
 Ciao Marcus
 
 
 
 
 
 



Re: [Zope] Zope and security vulnerability: 20121106

2012-11-12 Thread Richard Harley

So, to clarify, does this affect plain Zope 2.10, no Plone?

Rich
On 12/11/12 12:02, johannes raggam wrote:

The affected versions go back a long time. I don't know it exactly,
but people have used it successfully with Plone 2.1 (from ancient
times) and I have patched Zope 2.8 instances too.




Re: [Zope] Zope and security vulnerability: 20121106

2012-11-12 Thread Marcus Schopen
On Monday, 12.11.2012, at 12:07, Richard Harley wrote:
 So, to clarify, does this affect plain Zope 2.10, no Plone?

That's still the question to me ;)

Ciao!




Re: [Zope] Zope and security vulnerability: 20121106

2012-11-12 Thread Sean Upton
On Mon, Nov 12, 2012 at 5:31 AM, Marcus Schopen li...@localguru.de wrote:

 On Monday, 12.11.2012, at 12:07, Richard Harley wrote:
  So, to clarify, does this affect plain Zope 2.10, no Plone?

 That's still the question to me ;)


Why not try product installation and running your instance in the
foreground.  If anything breaks, comment out any specific inapplicable
hotfix in __init__.py.  A brief look at the source will tell you that it is
unlikely you should need to do this, as conditional imports check what to
apply.

Sean
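The conditional-import mechanism Sean describes (each patch is attempted against the module it targets and skipped when that import fails), together with the "Applied ... patch" / "Could not apply ..." event-log lines Chris posted at the top of this thread, as an added example. This is illustration code, not the source of Products.PloneHotfix20121106 or of any Zope or Plone release: the demo_zope / demo_plone module names, the PATCHED_MARKER attribute, the CR/LF check inside the wrapper and the sample log excerpt are constructed for the demo, and the real hotfix's patch bodies are not on this page.

```python
# Added illustration of the conditional-import hotfix pattern described in the
# thread. Not code from Products.PloneHotfix20121106 or any Zope/Plone release;
# the demo_* module names, PATCHED_MARKER and the CR/LF check are assumptions.
import importlib
import logging
import re
import sys
import types

log = logging.getLogger("Products.ExampleHotfix")
# Stored on a wrapped callable, holding the original: makes a patch detectable
# from a debug prompt and reversible.
PATCHED_MARKER = "_example_hotfix_original"

def apply_patch(name, module_path, attr, make_replacement):
    """Replace <module_path>.<attr> with make_replacement(original).
    Logs "Applied <name> patch" on success and "Could not apply <name>" when the
    module or attribute is absent, so one bundle can carry patches for products
    that a given instance does not have."""
    try:
        module = importlib.import_module(module_path)
        original = getattr(module, attr)
    except (ImportError, AttributeError):
        log.warning("Could not apply %s", name)
        return False
    if not hasattr(original, PATCHED_MARKER):  # never wrap twice
        replacement = make_replacement(original)
        setattr(replacement, PATCHED_MARKER, original)
        setattr(module, attr, replacement)
    log.info("Applied %s patch", name)
    return True

def install(patches):
    """Apply each (name, module_path, attr, make_replacement); return {name: bool}."""
    results = {n: apply_patch(n, m, a, f) for n, m, a, f in patches}
    log.info("Hotfix installed")
    return results

def original_of(module_path, attr):
    """Pre-patch callable (audit/rollback), or None if the attribute is unpatched;
    `original_of(mod, attr) is not None` is the runtime 'is it applied?' check."""
    module = sys.modules.get(module_path)
    return getattr(getattr(module, attr, None), PATCHED_MARKER, None)

_LOG_LINE = re.compile(
    r"^\S+\s+(?:INFO|WARNING)\s+\S+\s+(Applied|Could not apply)\s+(.+?)(?:\s+patch)?$")

def summarize_log(text):
    """(applied, skipped) patch names from event-log lines like Chris's."""
    lines = []
    for s in (raw.strip() for raw in text.splitlines() if raw.strip()):
        if s[0].isdigit() or not lines:  # new record
            lines.append(s)
        else:                            # mail-client wrap of the previous line
            lines[-1] += " " + s
    applied, skipped = [], []
    for m in filter(None, map(_LOG_LINE.match, lines)):
        (applied if m.group(1) == "Applied" else skipped).append(m.group(2))
    return applied, skipped

# ---- constructed demo environment; no Zope needed --------------------------
def install_constructed_modules():
    """Stand-in core module; demo_plone.* is left missing on purpose."""
    mod = types.ModuleType("demo_zope.HTTPResponse")
    mod.setHeader = lambda self, name, value: (name, value)
    sys.modules["demo_zope.HTTPResponse"] = mod

def harden_setheader(original):
    """Illustrative wrapper (an assumption, not the real hotfix's change):
    refuse CR/LF so a value cannot smuggle in a second header line."""
    def setHeader(self, name, value):
        if "\r" in value or "\n" in value:
            raise ValueError("CR/LF in header value")
        return original(self, name, value)
    return setHeader

PATCHES = [
    ("setHeader", "demo_zope.HTTPResponse", "setHeader", harden_setheader),
    ("membership_tool", "demo_plone.MembershipTool", "MembershipTool", lambda o: o),
]

# Constructed sample: an excerpt of the lines posted in the thread, including
# the wrapping the mail client introduced.
SAMPLE_LOG = """
2012-11-14T10:16:49 INFO Products.PloneHotfix20121106 Applied setHeader patch
2012-11-14T10:16:49 INFO Products.PloneHotfix20121106 Applied
get_request_var_or_attr patch
2012-11-14T10:16:49 WARNING Products.PloneHotfix20121106 Could not apply gtbn
2012-11-14T10:16:49 WARNING Products.PloneHotfix20121106 Could not apply
membership_tool
2012-11-14T10:16:49 INFO Products.PloneHotfix20121106 Applied ftp patch
2012-11-14T10:16:49 INFO Products.PloneHotfix20121106 Hotfix installed
"""

def demo():
    """Install the demo patches and return the per-patch result map."""
    install_constructed_modules()
    return install(PATCHES)
```

summarize_log() turns a log like the one Chris posted into the lists of patches that were and were not applied, which is the record to keep before deciding whether a "Could not apply" is expected (the product it targets is simply not installed) or a problem; original_of() answers from a debug prompt whether a given attribute is currently wrapped. Note what this pattern does not tell you: in apply_patch() the warning only means the import or attribute lookup failed, not that the instance is unaffected, so a "Could not apply" against a module you do run is worth a closer look.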


Re: [Zope] Zope and security vulnerability: 20121106

2012-11-12 Thread Marcus Schopen
On Monday, 12.11.2012, 11:13 -0700, Sean Upton wrote:
 
 
 
 On Mon, Nov 12, 2012 at 5:31 AM, Marcus Schopen li...@localguru.de
 wrote:
 On Monday, 12.11.2012, at 12:07, Richard Harley wrote:
  So, to clarify, does this affect plain Zope 2.10, no Plone?
 
 
 That's still the question to me ;)
 
 Why not try product installation and running your instance in the
 foreground.  If anything breaks, comment out any specific inapplicable
 hotfix in __init__.py.  A brief look at the source will tell you that
 it is unlikely you should need to do this, as conditional imports
 check what to apply.

Yes, we all can go the long way of try and error and code inspection ...
without knowing anything for sure in the end.

Ciao!





Re: [Zope] Zope and security vulnerability: 20121106

2012-11-11 Thread johannes raggam
You can just apply the Plone hotfix for Zope only installations. The
Plone patches are not applied then.

Johannes

On 11/11/2012 06:32 PM, Marcus Schopen wrote:
 Hi,
 
 is a standard Zope affected by this security vulnerability or only
 if Plone is installed:
 
 http://plone.org/products/plone/security/advisories/20121106-announcement

  The patch is replacing some basic classes therefore it looks to me
 that Zope itself without any Plone is vulnerable too. If so is
 there a Hotfix for Zope or new Zope version which fixes these
 bugs?
 
 Ciao Marcus
 
 
 




Re: [Zope] [Zope-dev] Security announcement update

2011-06-28 Thread Sascha Welter
(Tue, Jun 28, 2011 at 12:57:02PM +0100) Laurence Rowe wrote/schrieb/egrapse:
 This is an update on today's security hotfix release.

Thank you for the update, most helpful!

 The fix will be released at 15:00 UTC today, Tuesday 28th June, 2011
 (11:00am US EDT.) Updated versions of Zope 2 containing the security
 fix will be released at the same time.
 
 For details on which versions of Zope and Plone are affected, please
 see: http://plone.org/products/plone/security/advisories/20110622

It says Zope 2.10 and 2.11 users who have not installed
PloneHotfix20110720 are not affected - can I conclude from that,
that Zope 2.9 would not be affected either?

Regards,

Sascha



Re: [Zope] [Zope-dev] Security announcement update

2011-06-28 Thread Martijn Pieters
On Tue, Jun 28, 2011 at 15:30, Sascha Welter zopel...@betabug.ch wrote:
 It says Zope 2.10 and 2.11 users who have not installed
 PloneHotfix20110720 are not affected - can I conclude from that,
 that Zope 2.9 would not be affected either?

Indeed, Zope 2.9 is not affected, with or without the previous hotfix.

-- 
Martijn Pieters


Re: [Zope] [Zope-dev] Security announcement update

2011-06-28 Thread Norbert Marrale
This should be clarified too: "You should, however, make sure that you 
are running either Zope 2.10.13 or Zope 2.11.8 and PluggableAuthService 
1.5.5, 1.6.5 or 1.7.5"

Why must PluggableAuthService (+ its dependencies) even be installed?

-N

On 6/28/2011 3:30 PM, Sascha Welter wrote:
 (Tue, Jun 28, 2011 at 12:57:02PM +0100) Laurence Rowe wrote/schrieb/egrapse:
 This is an update on today's security hotfix release.

 Thank you for the update, most helpful!

 The fix will be released at 15:00 UTC today, Tuesday 28th June, 2011
 (11:00am US EDT.) Updated versions of Zope 2 containing the security
 fix will be released at the same time.

 For details on which versions of Zope and Plone are affected, please
 see: http://plone.org/products/plone/security/advisories/20110622

 It says Zope 2.10 and 2.11 users who have not installed
 PloneHotfix20110720 are not affected - can I conclude from that,
 that Zope 2.9 would not be affected either?

 Regards,

 Sascha



Re: [Zope] [Zope-dev] Security announcement update

2011-06-28 Thread Martijn Pieters
On Tue, Jun 28, 2011 at 15:40, Norbert Marrale norbertmarr...@yahoo.com wrote:
 Why must PluggableAuthService (+ its dependencies) even be installed?

It is a dependency of Plone itself.

-- 
Martijn Pieters


Re: [Zope] [Zope-dev] Security announcement update

2011-06-28 Thread Laurence Rowe
On 28 June 2011 14:40, Norbert Marrale norbertmarr...@yahoo.com wrote:
 This should be clarified too: "You should, however, make sure that you
 are running either Zope 2.10.13 or Zope 2.11.8 and PluggableAuthService
 1.5.5, 1.6.5 or 1.7.5"

 Why must PluggableAuthService (+ its dependencies) even be installed?

The Plone Hotfix for CVE-2011-0720 included patches to
PluggableAuthService. If you use PluggableAuthService outside of Plone
then you need to update to a release that includes that fix. If you
don't run PluggableAuthService it is not required to install it.

Laurence


[Zope] Zope Intros Security

2000-09-13 Thread Chris Withers

PR JANSE VAN RENSBURG wrote:
 I don't know if i have subscribed to the correct mailing list, 

You are :-)

 i need to import a small web page into zope and create users etc. 

You might want to look at loadsite.py. I've never used it but you can
download it from here:
http://zope.nipltd.com/public/lists/zope-archive.nsf/ByKey/EBABAF83050A8D06
I don't know if there's more documentation anywhere else...

 Where can i find step by step instructions about how to use zope.

Sadly no step-by-step instructions (that I know of ;-)
There's the QuickStart in Zope (very out of date)
The Tutorial in Zope version 2.2.0 and above might be what you want, but
I don't know how to get it started...
There's also the O'Reilly Zope Book, bits of which are online at:
http://www.zope.org/Members/michel/Projects/ZB

I don't know if that's the most up to date URL... :-S

 If I am a visitor to a site controlled by zope do I need to be included as a user in 
Zope or is this just for admin personnel. 

That depends, if you want your site to be visible by anyone, then
visitors don't need to be defined in Zope. If there's confidential
information, you may want to protect your site a bit more...

 I am currently the superuser on the system and I have also created a dummy user to 
be a manager.  
 This dummy user can only add files etc. when he is a manager, and not when he is a 
user. 

I'm not sure that makes sense...

 I need to know how can i run this site to see what it looks like?

The site is 'running' if Zope is running, so I'm not sure what you mean
:-S

cheers,

Chris

___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )




[Zope] Zope and Security

2000-07-05 Thread Tom Scheidt

I'm interested in setting up a Zope site for an accountant.
I'd like to have his clients be able to review and submit
information online, but I'm concerned about security issues,
such as entering social security #s etc.

I have Zope running with Apache v1.3.x

Does anyone know of any links covering possible solutions?
Have any ideas?

Tom Scheidt   |   www.falsemirror.com   |   [EMAIL PROTECTED]

---






Re: [Zope] Zope and Security

2000-07-05 Thread R. David Murray

On Wed, 5 Jul 2000, Tom Scheidt wrote:
 information online, but Im concerned about security issues,
 such as entering social security #s etc.
 
 I have Zope running with Apache v1.3.x

Zope has pretty strong internal security and delegation ability.
If you couple that with SSL support either through Apache or the
medusa version, you should have a pretty good solution.  Apache/SSL/Zope
has a howto somewhere on Zope.org.  I believe the SSL enabled
version of ZServer is available on Zope.org as well.

--RDM






RE: [Zope] Zope 2.2b2 security conundrum

2000-06-26 Thread Jay, Dylan

 -Original Message-
 From: Bill Anderson [mailto:[EMAIL PROTECTED]]
 Sent: Monday, June 26, 2000 1:42 PM
 To: Jay, Dylan
 Cc: '[EMAIL PROTECTED]'
 Subject: Re: [Zope] Zope 2.2b2 security conundrum
 
 
 "Jay, Dylan" wrote:
  
  I am playing with ZDP-Tools which are ZClassed based. When I try to add a
  new object I get security failure.
  
  <H2>Zope Error</H2>
  <P>Zope has encountered an error while publishing this resource.
  </P>
  <P><STRONG>Unauthorized</STRONG></P>
  
  You are not authorized to access <em>manage_editProperties</em>.
  Traceback (innermost last):
    File D:\PROGRA~1\Zope22\lib\python\ZPublisher\Publish.py, line 222, in publish_module
    File D:\PROGRA~1\Zope22\lib\python\ZPublisher\Publish.py, line 187, in publish
    File D:\PROGRA~1\Zope22\lib\python\ZPublisher\Publish.py, line 171, in publish
    File D:\PROGRA~1\Zope22\lib\python\ZPublisher\mapply.py, line 160, in mapply
      (Object: FAQQuestionClass_add)
    File D:\PROGRA~1\Zope22\lib\python\ZPublisher\Publish.py, line 112, in call_object
      (Object: FAQQuestionClass_add)
    File D:\PROGRA~1\Zope22\lib\python\OFS\DTMLMethod.py, line 168, in __call__
      (Object: FAQQuestionClass_add)
    File D:\PROGRA~1\Zope22\lib\python\DocumentTemplate\DT_String.py, line 500, in __call__
      (Object: FAQQuestionClass_add)
    File D:\PROGRA~1\Zope22\lib\python\DocumentTemplate\DT_With.py, line 146, in render
      (Object: FAQQuestionClass.createInObjectManager(REQUEST['id'], REQUEST))
    File D:\PROGRA~1\Zope22\lib\python\OFS\DTMLMethod.py, line 164, in __call__
      (Object: DocumentFolderClass_add_fragment_exec)
    File D:\PROGRA~1\Zope22\lib\python\DocumentTemplate\DT_String.py, line 500, in __call__
      (Object: DocumentFolderClass_add_fragment_exec)
    File D:\PROGRA~1\Zope22\lib\python\DocumentTemplate\DT_Util.py, line 339, in eval
      (Object: propertysheets.Info.manage_editProperties(REQUEST))
      (Info: REQUEST)
    File <string>, line 0, in ?
    File D:\PROGRA~1\Zope22\lib\python\DocumentTemplate\DT_Util.py, line 140, in careful_getattr
    File D:\PROGRA~1\Zope22\lib\python\OFS\DTMLMethod.py, line 187, in validate
      (Object: FAQQuestionClass_add)
    File D:\PROGRA~1\Zope22\lib\python\AccessControl\SecurityManager.py, line 139, in validate
    File D:\PROGRA~1\Zope22\lib\python\AccessControl\ZopeSecurityPolicy.py, line 208, in validate
  Unauthorized: (see above)
  
  I figure this is due to the new security model. The user I am using doesn't
  have Manager privileges but has permission to add this object. I get the add
  form however when I try to submit the above occurs. I think this might have
  something to do with the ownership of FAQQuestionClass_add. However I can't
  see who owns FAQQuestionClass_add. How is the new security model supposed to
  work with ZClasses and how do I get round this problem so I can give a user
  the ability to add a new object.
 
 
 Check for the permission "Manage Properties". This one threw me for a
 while. I posted this a week or two back; you should be able to find it
 in the archives.
 This works when I call the addForm directly, yet when I use a form local
 to the directory and use the "dtml-with ..." technique from the FAQ (as I
 use in KnowledgeKit), it doesn't seem happy, requesting authentication
 through Basic Auth, as opposed to the Cookie Login form I use currently
 (Membership 0.6.0).
 
 I am working on this, and will post a fix as soon as I have one.

I solved this by giving the piece of code that changes the properties the
Proxy Manager role.

___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )




[Zope] Zope 2.2b2 security conundrum

2000-06-25 Thread Jay, Dylan

I am playing with ZDP-Tools, which are ZClass based. When I try to add a
new object I get a security failure.


  <H2>Zope Error</H2>
  <P>Zope has encountered an error while publishing this resource.
  </P>
  <P><STRONG>Unauthorized</STRONG></P>
  
  You are not authorized to access <em>manage_editProperties</em>.
<!--
Traceback (innermost last):
  File D:\PROGRA~1\Zope22\lib\python\ZPublisher\Publish.py, line 222, in publish_module
  File D:\PROGRA~1\Zope22\lib\python\ZPublisher\Publish.py, line 187, in publish
  File D:\PROGRA~1\Zope22\lib\python\ZPublisher\Publish.py, line 171, in publish
  File D:\PROGRA~1\Zope22\lib\python\ZPublisher\mapply.py, line 160, in mapply
    (Object: FAQQuestionClass_add)
  File D:\PROGRA~1\Zope22\lib\python\ZPublisher\Publish.py, line 112, in call_object
    (Object: FAQQuestionClass_add)
  File D:\PROGRA~1\Zope22\lib\python\OFS\DTMLMethod.py, line 168, in __call__
    (Object: FAQQuestionClass_add)
  File D:\PROGRA~1\Zope22\lib\python\DocumentTemplate\DT_String.py, line 500, in __call__
    (Object: FAQQuestionClass_add)
  File D:\PROGRA~1\Zope22\lib\python\DocumentTemplate\DT_With.py, line 146, in render
    (Object: FAQQuestionClass.createInObjectManager(REQUEST['id'], REQUEST))
  File D:\PROGRA~1\Zope22\lib\python\OFS\DTMLMethod.py, line 164, in __call__
    (Object: DocumentFolderClass_add_fragment_exec)
  File D:\PROGRA~1\Zope22\lib\python\DocumentTemplate\DT_String.py, line 500, in __call__
    (Object: DocumentFolderClass_add_fragment_exec)
  File D:\PROGRA~1\Zope22\lib\python\DocumentTemplate\DT_Util.py, line 339, in eval
    (Object: propertysheets.Info.manage_editProperties(REQUEST))
    (Info: REQUEST)
  File <string>, line 0, in ?
  File D:\PROGRA~1\Zope22\lib\python\DocumentTemplate\DT_Util.py, line 140, in careful_getattr
  File D:\PROGRA~1\Zope22\lib\python\OFS\DTMLMethod.py, line 187, in validate
    (Object: FAQQuestionClass_add)
  File D:\PROGRA~1\Zope22\lib\python\AccessControl\SecurityManager.py, line 139, in validate
  File D:\PROGRA~1\Zope22\lib\python\AccessControl\ZopeSecurityPolicy.py, line 208, in validate
Unauthorized: (see above)

I figure this is due to the new security model. The user I am using doesn't
have Manager privileges but has permission to add this object. I get the add
form; however, when I try to submit, the above occurs. I think this might have
something to do with the ownership of FAQQuestionClass_add. However, I can't
see who owns FAQQuestionClass_add. How is the new security model supposed to
work with ZClasses, and how do I get round this problem so I can give a user
the ability to add a new object?






Re: [Zope] Zope 2.2b2 security conundrum

2000-06-25 Thread Bill Anderson

"Jay, Dylan" wrote:
 
 I am playing with ZDP-Tools, which are ZClass based. When I try to add a
 new object I get a security failure.
 
   <H2>Zope Error</H2>
   <P>Zope has encountered an error while publishing this resource.
   </P>
   <P><STRONG>Unauthorized</STRONG></P>
 
   You are not authorized to access <em>manage_editProperties</em>.
 <!--
 Traceback (innermost last):
   File D:\PROGRA~1\Zope22\lib\python\ZPublisher\Publish.py, line 222, in publish_module
   File D:\PROGRA~1\Zope22\lib\python\ZPublisher\Publish.py, line 187, in publish
   File D:\PROGRA~1\Zope22\lib\python\ZPublisher\Publish.py, line 171, in publish
   File D:\PROGRA~1\Zope22\lib\python\ZPublisher\mapply.py, line 160, in mapply
     (Object: FAQQuestionClass_add)
   File D:\PROGRA~1\Zope22\lib\python\ZPublisher\Publish.py, line 112, in call_object
     (Object: FAQQuestionClass_add)
   File D:\PROGRA~1\Zope22\lib\python\OFS\DTMLMethod.py, line 168, in __call__
     (Object: FAQQuestionClass_add)
   File D:\PROGRA~1\Zope22\lib\python\DocumentTemplate\DT_String.py, line 500, in __call__
     (Object: FAQQuestionClass_add)
   File D:\PROGRA~1\Zope22\lib\python\DocumentTemplate\DT_With.py, line 146, in render
     (Object: FAQQuestionClass.createInObjectManager(REQUEST['id'], REQUEST))
   File D:\PROGRA~1\Zope22\lib\python\OFS\DTMLMethod.py, line 164, in __call__
     (Object: DocumentFolderClass_add_fragment_exec)
   File D:\PROGRA~1\Zope22\lib\python\DocumentTemplate\DT_String.py, line 500, in __call__
     (Object: DocumentFolderClass_add_fragment_exec)
   File D:\PROGRA~1\Zope22\lib\python\DocumentTemplate\DT_Util.py, line 339, in eval
     (Object: propertysheets.Info.manage_editProperties(REQUEST))
     (Info: REQUEST)
   File <string>, line 0, in ?
   File D:\PROGRA~1\Zope22\lib\python\DocumentTemplate\DT_Util.py, line 140, in careful_getattr
   File D:\PROGRA~1\Zope22\lib\python\OFS\DTMLMethod.py, line 187, in validate
     (Object: FAQQuestionClass_add)
   File D:\PROGRA~1\Zope22\lib\python\AccessControl\SecurityManager.py, line 139, in validate
   File D:\PROGRA~1\Zope22\lib\python\AccessControl\ZopeSecurityPolicy.py, line 208, in validate
 Unauthorized: (see above)
 
 I figure this is due to the new security model. The user I am using doesn't
 have Manager privileges but has permission to add this object. I get the add
 form; however, when I try to submit, the above occurs. I think this might have
 something to do with the ownership of FAQQuestionClass_add. However, I can't
 see who owns FAQQuestionClass_add. How is the new security model supposed to
 work with ZClasses, and how do I get round this problem so I can give a user
 the ability to add a new object?


Check for the permission "Manage Properties". This one threw me for a
while. I posted this a week or two back; you should be able to find it
in the archives.
This works when I call the addForm directly, yet when I use a form local
to the directory and use the "dtml-with ..." technique from the FAQ (as I
use in KnowledgeKit), it doesn't seem happy, requesting authentication
through Basic Auth, as opposed to the Cookie Login form I use currently
(Membership 0.6.0).

I am working on this, and will post a fix as soon as I have one.

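As an added illustration for the thread (not code from the posters or from Zope itself), here is a small Python model of the role/permission check that produces the Unauthorized above, together with the two fixes the replies describe: granting "Manage Properties" to the user's role (Bill Anderson's answer) and giving the add method the Manager proxy role (the earlier reply). The role name "Editor" and the permission name "Add FAQQuestion" are assumptions standing in for whatever the ZClass uses; the check itself is an approximation of ZopeSecurityPolicy.validate.

```python
class Unauthorized(Exception):
    pass

# Roles allowed to exercise each permission on the folder (constructed values;
# 'Add FAQQuestion' stands in for the ZClass add permission, 'Editor' is the
# non-Manager user from the thread).
FOLDER_PERMISSIONS = {
    "Add FAQQuestion": {"Manager", "Editor"},
    "Manage Properties": {"Manager"},
}

def validate(permission, user_roles, proxy_roles=None, perms=FOLDER_PERMISSIONS):
    """Approximation of ZopeSecurityPolicy.validate: if the executing object
    carries proxy roles, those replace the user's roles for the check."""
    effective = set(proxy_roles) if proxy_roles else set(user_roles)
    if effective & perms[permission]:
        return True
    raise Unauthorized("You are not authorized to access %s." % permission)

def faq_question_add(user_roles, proxy_roles=None, perms=FOLDER_PERMISSIONS):
    """Model of FAQQuestionClass_add: createInObjectManager needs the add
    permission; the dtml-with block then calls manage_editProperties(REQUEST),
    which is protected by 'Manage Properties' and is where the thread fails."""
    validate("Add FAQQuestion", user_roles, proxy_roles, perms)
    validate("Manage Properties", user_roles, proxy_roles, perms)
    return "FAQQuestion created and properties set"

def reproduce_failure():
    """Editor may add but not manage properties: the Unauthorized above."""
    try:
        faq_question_add({"Editor"})
    except Unauthorized as exc:
        return str(exc)
    return None

def fix_with_permission():
    """Bill Anderson's fix: grant 'Manage Properties' to the Editor role, the
    narrowest change since only that one permission widens."""
    perms = {name: set(roles) for name, roles in FOLDER_PERMISSIONS.items()}
    perms["Manage Properties"].add("Editor")
    return faq_question_add({"Editor"}, perms=perms)

def fix_with_proxy_role():
    """Proxy-role fix from the earlier reply: the add method runs as Manager
    for every check it makes, so any other Manager-only call inside it also
    passes; keep such methods minimal."""
    return faq_question_add({"Editor"}, proxy_roles={"Manager"})
```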