Re: [Zope] Zope and security vulnerability: 20121106

2012-11-14 Thread Christopher N. Deckard
We are running Zope 2.13.10.  (So this may not be too helpful.)  We are testing 
the hotfix.  This is the output in our event log.

2012-11-14T10:16:49 INFO Products.PloneHotfix20121106 Applied setHeader patch
2012-11-14T10:16:49 INFO Products.PloneHotfix20121106 Applied allow_module patch
2012-11-14T10:16:49 INFO Products.PloneHotfix20121106 Applied 
get_request_var_or_attr patch
2012-11-14T10:16:49 WARNING Products.PloneHotfix20121106 Could not apply gtbn
2012-11-14T10:16:49 WARNING Products.PloneHotfix20121106 Could not apply 
membership_tool
2012-11-14T10:16:49 WARNING Products.PloneHotfix20121106 Could not apply 
queryCatalog
2012-11-14T10:16:49 WARNING Products.PloneHotfix20121106 Could not apply 
uid_catalog
2012-11-14T10:16:49 WARNING Products.PloneHotfix20121106 Could not apply 
renameObjectsByPaths
2012-11-14T10:16:49 WARNING Products.PloneHotfix20121106 Could not apply 
at_download
2012-11-14T10:16:49 WARNING Products.PloneHotfix20121106 Could not apply 
safe_html
2012-11-14T10:16:49 INFO Products.PloneHotfix20121106 Applied python_scripts 
patch
2012-11-14T10:16:49 INFO Products.PloneHotfix20121106 Applied ftp patch
2012-11-14T10:16:49 INFO Products.PloneHotfix20121106 Applied atat patch
2012-11-14T10:16:49 WARNING Products.PloneHotfix20121106 Could not apply 
random_string
2012-11-14T10:16:49 INFO Products.PloneHotfix20121106 Hotfix installed

Without knowing how to specifically break things I can't say if it is good to 
be running this or not.  I'm sure a new Zope2 release will include these 
updates?

-Chris


Christopher N. Deckard  | Lead Web Systems Developer
  c...@ecn.purdue.edu|Engineering Computer Network
  http://eng.purdue.edu/ECN/| Purdue University 
 zlib.decompress('x\234K\316Kq((-J)M\325KM)\005\000)\005w') ---



On Nov 13, 2012, at 4:30 AM, Jens Vagelpohl j...@dataflake.org wrote:

 
 On Nov 13, 2012, at 10:16 , Jürgen Herrmann juergen.herrm...@xlhost.de 
 wrote:
 I successfully applied these hotfixes to Zope 2.13 versions
 without any problems. What puzzles me though is why was there
 no announcement for these fixes here on zope ml? Or are these
 fixes not critical for pure Zope2 users? Or are these all fixed
 in the latest version of Zope2?
 
 There was no announcement here because those patches were prepared by Plone 
 developers without our knowledge and announced without our knowledge. The 
 Zope developers know as much about these patches (meaning little to nothing) 
 as any other Zope user.
 
 jens
 
 

___
Zope maillist  -  Zope@zope.org
https://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists -
 https://mail.zope.org/mailman/listinfo/zope-announce
 https://mail.zope.org/mailman/listinfo/zope-dev )
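A small checker, added here as an example (it is not code from the hotfix, from Zope, or from the poster), that parses the event-log lines quoted above and separates the patches the hotfix reports as applied from those it reports it could not apply. The list of patches an operator expects to take effect on a given install is an assumption the operator supplies; the thread does not say which patches matter for a Plone-less Zope.

```python
import re

# Event-log lines from the message above (entries the mail client wrapped
# are rejoined here, since the event log writes one entry per line).
HOTFIX_LOG = """\
2012-11-14T10:16:49 INFO Products.PloneHotfix20121106 Applied setHeader patch
2012-11-14T10:16:49 INFO Products.PloneHotfix20121106 Applied allow_module patch
2012-11-14T10:16:49 INFO Products.PloneHotfix20121106 Applied get_request_var_or_attr patch
2012-11-14T10:16:49 WARNING Products.PloneHotfix20121106 Could not apply gtbn
2012-11-14T10:16:49 WARNING Products.PloneHotfix20121106 Could not apply membership_tool
2012-11-14T10:16:49 WARNING Products.PloneHotfix20121106 Could not apply queryCatalog
2012-11-14T10:16:49 WARNING Products.PloneHotfix20121106 Could not apply uid_catalog
2012-11-14T10:16:49 WARNING Products.PloneHotfix20121106 Could not apply renameObjectsByPaths
2012-11-14T10:16:49 WARNING Products.PloneHotfix20121106 Could not apply at_download
2012-11-14T10:16:49 WARNING Products.PloneHotfix20121106 Could not apply safe_html
2012-11-14T10:16:49 INFO Products.PloneHotfix20121106 Applied python_scripts patch
2012-11-14T10:16:49 INFO Products.PloneHotfix20121106 Applied ftp patch
2012-11-14T10:16:49 INFO Products.PloneHotfix20121106 Applied atat patch
2012-11-14T10:16:49 WARNING Products.PloneHotfix20121106 Could not apply random_string
2012-11-14T10:16:49 INFO Products.PloneHotfix20121106 Hotfix installed
"""

# One event-log entry: timestamp, level, logger name, message text.
ENTRY_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<level>[A-Z]+)\s+(?P<logger>Products\.PloneHotfix20121106)\s+(?P<msg>.+)$"
)
APPLIED_RE = re.compile(r"^Applied (?P<name>\S+) patch$")
SKIPPED_RE = re.compile(r"^Could not apply (?P<name>\S+)$")


def summarize_hotfix_log(text):
    """Classify every hotfix entry as applied, skipped, or the final marker."""
    summary = {"applied": [], "skipped": [], "installed": False, "unparsed": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        entry = ENTRY_RE.match(line)
        if entry is None:
            # Another logger, or a line still wrapped by a mail client.
            summary["unparsed"].append(line)
            continue
        msg = entry.group("msg")
        applied = APPLIED_RE.match(msg)
        skipped = SKIPPED_RE.match(msg)
        if applied:
            summary["applied"].append(applied.group("name"))
        elif skipped:
            summary["skipped"].append(skipped.group("name"))
        elif msg == "Hotfix installed":
            summary["installed"] = True
        else:
            summary["unparsed"].append(line)
    return summary


def missing_patches(summary, required):
    """Names in `required` (the operator's own expectation, an assumption
    here, not something the thread states) that were not reported as applied."""
    return [name for name in required if name not in summary["applied"]]


if __name__ == "__main__":
    s = summarize_hotfix_log(HOTFIX_LOG)
    print("applied:", s["applied"], "skipped:", s["skipped"], "installed:", s["installed"])
    print("missing from expected:", missing_patches(s, ["setHeader", "ftp", "safe_html"]))
```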


Re: [Zope] Zope and security vulnerability: 20121106

2012-11-13 Thread johannes raggam

from the security announcement page:
https://plone.org/products/plone/security/advisories/20121106-announcement

This patch is compatible with all supported Plone versions (i.e.
Plone 3 and Plone 4), it may work on earlier versions of Plone, but as
these are unsupported they have had less testing done.

so probably zope versions from 2.10.11 onwards are supported. see:
http://dist.plone.org/release/3-latest/versions.cfg

other versions UNSUPPORTED. if you really need to know which versions
exactly are affected, you HAVE to find out yourself. either by trying
it out in a test environment or by analyzing the whole commit history
of affected modules in zope.

people reported successful patching of Plone2.1 and I patched a Zope
2.8 instance too. but this is informal, not an official statement.



On 11/13/2012 12:49 AM, Marcus Schopen wrote:
 On Monday, 12.11.2012, 11:13 -0700, Sean Upton wrote:
 
 
 
 On Mon, Nov 12, 2012 at 5:31 AM, Marcus Schopen
 li...@localguru.de wrote: On Monday, 12.11.2012, 12:07 +,
 Richard Harley wrote:
 So, to clarify, does this affect plain Zope 2.10, no Plone?
 
 
 That's still the question to me ;)
 
 Why not try product installation and running your instance in
 the foreground.  If anything breaks, comment out any specific
 inapplicable hotfix in __init__.py.  A brief look at the source
 will tell you that it is unlikely you should need to do this, as
 conditional imports check what to apply.
 
 Yes, we all can go the long way of try and error and code
 inspection ... without knowing anything for sure in the end.
 
 Ciao!
 
 
 
 


- -- 
programmatic  web development
di(fh) johannes raggam / thet
python plone zope development
mail: off...@programmatic.pro
web:  http://programmatic.pro
  http://bluedynamics.com


Re: [Zope] Zope and security vulnerability: 20121106

2012-11-13 Thread Jürgen Herrmann

On 13.11.2012 10:05, johannes raggam wrote:


from the security announcement page:

https://plone.org/products/plone/security/advisories/20121106-announcement

This patch is compatible with all supported Plone versions (i.e.
Plone 3 and Plone 4), it may work on earlier versions of Plone, but as
these are unsupported they have had less testing done.

so probably zope versions from 2.10.11 onwards are supported. see:
http://dist.plone.org/release/3-latest/versions.cfg

other versions UNSUPPORTED. if you really need to know which versions
exactly are affected, you HAVE to find out yourself. either by trying
it out in a test environment or by analyzing the whole commit history
of affected modules in zope.

people reported successful patching of Plone2.1 and I patched a Zope
2.8 instance too. but this is informal, not an official statement.


Hi!

I successfully applied these hotfixes to Zope 2.13 versions
without any problems. What puzzles me though is why was there
no announcement for these fixes here on zope ml? Or are these
fixes not critical for pure Zope2 users? Or are these all fixed
in the latest version of Zope2?

kind regards,
Jürgen





On 11/13/2012 12:49 AM, Marcus Schopen wrote:

On Monday, 12.11.2012, 11:13 -0700, Sean Upton wrote:




On Mon, Nov 12, 2012 at 5:31 AM, Marcus Schopen
li...@localguru.de wrote: On Monday, 12.11.2012, 12:07 +,
Richard Harley wrote:

So, to clarify, does this affect plain Zope 2.10, no Plone?



That's still the question to me ;)

Why not try product installation and running your instance in
the foreground.  If anything breaks, comment out any specific
inapplicable hotfix in __init__.py.  A brief look at the source
will tell you that it is unlikely you should need to do this, as
conditional imports check what to apply.


Yes, we all can go the long way of try and error and code
inspection ... without knowing anything for sure in the end.

Ciao!









--

XLhost.de ® - Web hosting from super small to eXtra Large


XLhost.de GmbH
Jürgen Herrmann, Managing Director
Boelckestrasse 21, 93051 Regensburg, Germany

Managing Director: Jürgen Herrmann
Registered under: HRB9918
VAT identification number: DE245931218

Phone: +49 (0)800 XLHOSTDE [0800 95467833]
Fax:   +49 (0)800 95467830
Web:   http://www.XLhost.de


Re: [Zope] Zope and security vulnerability: 20121106

2012-11-13 Thread Jens Vagelpohl

On Nov 13, 2012, at 10:16 , Jürgen Herrmann juergen.herrm...@xlhost.de wrote:
 I successfully applied these hotfixes to Zope 2.13 versions
 without any problems. What puzzles me though is why was there
 no announcement for these fixes here on zope ml? Or are these
 fixes not critical for pure Zope2 users? Or are these all fixed
 in the latest version of Zope2?

There was no announcement here because those patches were prepared by Plone 
developers without our knowledge and announced without our knowledge. The Zope 
developers know as much about these patches (meaning little to nothing) as any 
other Zope user.

jens






Re: [Zope] Zope and security vulnerability: 20121106

2012-11-13 Thread johannes raggam

it was overseen.

quoting David Glick on [Zope-CMF] from 9-11-2012:


We should have informed you earlier. There are a lot of tasks
associated with preparing a hotfix (and this one in particular covered
many vulnerabilities), and it got missed. I apologize.

In the future, what's the best place to report possible CMF security
issues? zope-cmf Launchpad?


On 11/13/2012 10:30 AM, Jens Vagelpohl wrote:
 
 On Nov 13, 2012, at 10:16 , Jürgen Herrmann
 juergen.herrm...@xlhost.de wrote:
 I successfully applied these hotfixes to Zope 2.13 versions 
 without any problems. What puzzles me though is why was there no
 announcement for these fixes here on zope ml? Or are these fixes
 not critical for pure Zope2 users? Or are these all fixed in the
 latest version of Zope2?
 
 There was no announcement here because those patches were prepared
 by Plone developers without our knowledge and announced without our
 knowledge. The Zope developers know as much about these patches
 (meaning little to nothing) as any other Zope user.
 
 jens
 
 
 
 
 


- -- 
programmatic  web development
di(fh) johannes raggam / thet
python plone zope development
mail: off...@programmatic.pro
web:  http://programmatic.pro
  http://bluedynamics.com


Re: [Zope] Zope and security vulnerability: 20121106

2012-11-12 Thread johannes raggam

The affected versions go back a long time. I don't know it exactly,
but people have used it successfully with Plone 2.1 (from ancient
times) and I have patched Zope 2.8 instances too.


On 11/11/2012 09:43 PM, Allen Schmidt wrote:
 For which zope versions?
 
 On Nov 11, 2012 2:16 PM, johannes raggam raggam...@adm.at 
 mailto:raggam...@adm.at wrote:
 
 You can just apply the Plone hotfix for Zope only installations.
 The Plone patches are not applied then.
 
 Johannes
 
 On 11/11/2012 06:32 PM, Marcus Schopen wrote:
 Hi,
 
 is a standard Zope affected by this security vulnerability or
 only if Plone is installed:
 
 
 http://plone.org/products/plone/security/advisories/20121106-announcement

 
 The patch is replacing some basic classes therefore it looks to
 me that Zope itself without any Plone is vulnerable too. If so
 is there a Hotfix for Zope or new Zope version which fixes these 
 bugs?
 
 Ciao Marcus
 
 
 

- -- 
programmatic  web development
di(fh) johannes raggam / thet
python plone zope development
mail: off...@programmatic.pro
web:  http://programmatic.pro
  http://bluedynamics.com


Re: [Zope] Zope and security vulnerability: 20121106

2012-11-12 Thread Richard Harley

So, to clarify, does this affect plain Zope 2.10, no Plone?

Rich
On 12/11/12 12:02, johannes raggam wrote:


The affected versions go back a long time. I don't know it exactly,
but people have used it successfully with Plone 2.1 (from ancient
times) and I have patched Zope 2.8 instances too.


On 11/11/2012 09:43 PM, Allen Schmidt wrote:

For which zope versions?

On Nov 11, 2012 2:16 PM, johannes raggamraggam...@adm.at
mailto:raggam...@adm.at  wrote:

You can just apply the Plone hotfix for Zope only installations.
The Plone patches are not applied then.

Johannes

On 11/11/2012 06:32 PM, Marcus Schopen wrote:

Hi,
is a standard Zope affected by this security vulnerability or
only if Plone is installed:


http://plone.org/products/plone/security/advisories/20121106-announcement



The patch is replacing some basic classes therefore it looks to
me that Zope itself without any Plone is vulnerable too. If so
is there a Hotfix for Zope or new Zope version which fixes these
bugs?
Ciao Marcus






Re: [Zope] Zope and security vulnerability: 20121106

2012-11-12 Thread Marcus Schopen
On Monday, 12.11.2012, 12:07 +, Richard Harley wrote:
 So, to clarify, does this affect plain Zope 2.10, no Plone?

That's still the question to me ;)

Ciao!




Re: [Zope] Zope and security vulnerability: 20121106

2012-11-12 Thread Sean Upton
On Mon, Nov 12, 2012 at 5:31 AM, Marcus Schopen li...@localguru.de wrote:

 On Monday, 12.11.2012, 12:07 +, Richard Harley wrote:
  So, to clarify, does this affect plain Zope 2.10, no Plone?

 That's still the question to me ;)


Why not try product installation and running your instance in the
foreground.  If anything breaks, comment out any specific inapplicable
hotfix in __init__.py.  A brief look at the source will tell you that it is
unlikely you should need to do this, as conditional imports check what to
apply.

Sean


Re: [Zope] Zope and security vulnerability: 20121106

2012-11-12 Thread Marcus Schopen
On Monday, 12.11.2012, 11:13 -0700, Sean Upton wrote:
 
 
 
 On Mon, Nov 12, 2012 at 5:31 AM, Marcus Schopen li...@localguru.de
 wrote:
 On Monday, 12.11.2012, 12:07 +, Richard Harley wrote:
  So, to clarify, does this affect plain Zope 2.10, no Plone?
 
 
 That's still the question to me ;)
 
 Why not try product installation and running your instance in the
 foreground.  If anything breaks, comment out any specific inapplicable
 hotfix in __init__.py.  A brief look at the source will tell you that
 it is unlikely you should need to do this, as conditional imports
 check what to apply.

Yes, we all can go the long way of try and error and code inspection ...
without knowing anything for sure in the end.

Ciao!





Re: [Zope] Zope and security vulnerability: 20121106

2012-11-11 Thread johannes raggam

You can just apply the Plone hotfix for Zope only installations. The
Plone patches are not applied then.

Johannes

On 11/11/2012 06:32 PM, Marcus Schopen wrote:
 Hi,
 
 is a standard Zope affected by this security vulnerability or only
 if Plone is installed:
 
 http://plone.org/products/plone/security/advisories/20121106-announcement

  The patch is replacing some basic classes therefore it looks to me
 that Zope itself without any Plone is vulnerable too. If so is
 there a Hotfix for Zope or new Zope version which fixes these
 bugs?
 
 Ciao Marcus
 
 
 


- -- 
programmatic  web development
di(fh) johannes raggam / thet
python plone zope development
mail: off...@programmatic.pro
web:  http://programmatic.pro
  http://bluedynamics.com