[Zope] HTTP Request Denial of Service Vulnerability

2009-07-24 Thread Ryan_Permeh
I manage product security at McAfee, of which Foundstone is a part. I am not aware of releasing such an advisory, and am looking into this. Could we get details regarding where this was found? Was this posted to a web site? A security mailing list? And when was it posted? This may have a

Re: [Zope] HTTP Request Denial of Service Vulnerability

2009-07-24 Thread Andreas Jung
Hi, On 24.07.09 18:24, ryan_per...@mcafee.com wrote: I manage product security at McAfee, of which Foundstone is a part. I am not aware of releasing such an advisory, and am looking into this. Could we get details regarding where this was found? Was this posted to a web site? A

Re: [Zope] HTTP Request Denial of Service Vulnerability

2009-07-24 Thread Andreas Jung
On 24.07.09 18:43, Andreas Jung wrote: Hi, On 24.07.09 18:24, ryan_per...@mcafee.com wrote: I manage product security at McAfee, of which Foundstone is a part. I am not aware of releasing such an advisory, and am looking into this. Could we get details regarding where this was

Re: [Zope] HTTP Request Denial of Service Vulnerability

2009-07-24 Thread Ryan_Permeh
, but it obviously doesn't apply now. -Original Message- From: Andreas Jung [mailto:li...@zopyx.com] Sent: Friday, July 24, 2009 9:43 AM To: Permeh, Ryan Cc: zope@zope.org Subject: Re: [Zope] HTTP Request Denial of Service Vulnerability Hi, On 24.07.09 18:24, ryan_per...@mcafee.com wrote: I manage

Re: [Zope] HTTP Request Denial of Service Vulnerability

2009-07-24 Thread Andrew Milton
+---[ ryan_per...@mcafee.com ]-- | | 1. This is likely a false positive, unless the original poster was running ridiculously old software. Ridiculously old software is not outside the realms of probability -- Andrew Milton a...@theinternet.com.au

Re: [Zope] HTTP Request Denial of Service Vulnerability

2009-07-24 Thread Ryan_Permeh
: zope@zope.org Subject: RE: [Zope] HTTP Request Denial of Service Vulnerability It is not related to the specified hotfix. I'm getting details now, but this is how it seems: 1. this is from the Foundstone product, not a public advisory. The Foundstone product is a vulnerability scanner

Re: [Zope] HTTP Request Denial of Service Vulnerability

2009-07-24 Thread Andreas Jung
of this list, so I may not see any replies or questions made only to the list. -Original Message- From: Permeh, Ryan Sent: Friday, July 24, 2009 9:53 AM To: li...@zopyx.com Cc: zope@zope.org Subject: RE: [Zope] HTTP Request Denial of Service Vulnerability It is not related

Re: [Zope] HTTP Request Denial of Service Vulnerability

2009-07-24 Thread Ryan_Permeh
in question is very relevant on either side. -Original Message- From: Andreas Jung [mailto:li...@zopyx.com] Sent: Friday, July 24, 2009 10:22 AM To: Permeh, Ryan Cc: zope@zope.org Subject: Re: [Zope] HTTP Request Denial of Service Vulnerability That's why I usually override the Server
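The exchange above treats the finding as a scanner conclusion drawn from the advertised server version, and Andreas Jung's reply mentions overriding the Server header as his usual countermeasure. The following is an added example written for this page, not code from the thread, from Foundstone or from Zope. It shows in Python why a banner-only signature produces exactly this kind of false positive, why a hotfix does not change the verdict such a signature reaches, and how rewriting the Server header at the front end starves the signature of its only input. The ZServer banner layout in the sample headers, the version cut-off used by the demo signature and every function name are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed sample Server headers (not captured from any host in the thread).
# The "Zope/(Zope x.y.z-final, python ..., ...) ZServer/1.1" layout is assumed
# from the old ZServer banner format; treat the exact text as an assumption.
SAMPLE_HEADERS = {
    "zope_2_10_8": "Zope/(Zope 2.10.8-final, python 2.4.6, linux2) ZServer/1.1",
    "zope_2_7_0": "Zope/(Zope 2.7.0-final, python 2.3.3, linux2) ZServer/1.1",
    "overridden": "Apache",   # what a front-end proxy might substitute
    "missing": None,          # header absent altogether
}

# Hypothetical cut-off for the demo signature ("versions below this are
# flagged").  Chosen arbitrarily; it is not a claim about any real Zope advisory.
AFFECTED_BELOW: Tuple[int, int, int] = (2, 10, 0)

BANNER_RE = re.compile(r"Zope/\(Zope (\d+)\.(\d+)\.(\d+)")


def parse_zope_version(server_header: Optional[str]) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from a ZServer-style banner, or None."""
    if not server_header:
        return None
    m = BANNER_RE.search(server_header)
    if m is None:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


@dataclass
class Finding:
    verdict: str   # "vulnerable" | "not_vulnerable" | "needs_verification" | "unknown"
    reason: str
    evidence: str  # "banner_only" | "none"


def banner_check(server_header: Optional[str]) -> Finding:
    """What a banner-matching signature does: compare the advertised version
    against a cut-off and nothing else.  No request is sent that would
    actually exercise the alleged flaw."""
    version = parse_zope_version(server_header)
    if version is None:
        return Finding("unknown", "no Zope version banner exposed", "none")
    if version < AFFECTED_BELOW:
        return Finding("vulnerable", f"banner {version} < {AFFECTED_BELOW}", "banner_only")
    return Finding("not_vulnerable", f"banner {version} >= {AFFECTED_BELOW}", "banner_only")


def triage(server_header: Optional[str], installed_hotfixes: Iterable[str] = ()) -> Finding:
    """Downgrade a banner-only 'vulnerable' verdict when the host carries a
    hotfix.  Zope hotfixes ship as separate Products and leave the version
    banner untouched, so an 'old' banner on a patched host is precisely the
    situation that yields a scanner false positive."""
    hotfixes = list(installed_hotfixes)
    finding = banner_check(server_header)
    if finding.verdict == "vulnerable" and hotfixes:
        return Finding(
            "needs_verification",
            finding.reason + "; hotfixes present: " + ", ".join(hotfixes),
            "banner_only",
        )
    return finding


def override_server_header(headers: List[Tuple[str, str]],
                           replacement: str = "Apache") -> List[Tuple[str, str]]:
    """The countermeasure in proxy terms: rewrite the Server header before the
    response leaves the front end.  Matched case-insensitively; replaced if
    present and added if absent, so the origin banner never reaches a client."""
    out = [(k, v) for k, v in headers if k.lower() != "server"]
    out.append(("Server", replacement))
    return out


def server_value(headers: List[Tuple[str, str]]) -> Optional[str]:
    """Return the Server header value from a header list, or None."""
    for k, v in headers:
        if k.lower() == "server":
            return v
    return None


if __name__ == "__main__":
    for label, hdr in SAMPLE_HEADERS.items():
        print(f"{label:12s} -> {banner_check(hdr)}")
    patched = triage(SAMPLE_HEADERS["zope_2_7_0"], ["Hotfix-2008-08-12"])
    print("old banner + hotfix ->", patched)
    rewritten = override_server_header([("Server", SAMPLE_HEADERS["zope_2_10_8"]),
                                        ("Content-Type", "text/html")])
    print("after proxy rewrite ->", banner_check(server_value(rewritten)))
```

Run stand-alone, the script prints the banner-only verdicts for each sample header, shows the "vulnerable" verdict for an old banner dropping to "needs_verification" once a hotfix is recorded for the host, and shows that the rewritten header leaves the signature with no version to compare, which is the outcome of overriding the Server header at the proxy. The point for triage is that `evidence == "banner_only"` should never be accepted as proof on its own; confirming the finding requires a request that exercises the behaviour the advisory describes.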

Re: [Zope] HTTP Request Denial of Service Vulnerability

2009-07-24 Thread Ricardo Newbery
replies or questions made only to the list. -Original Message- From: Permeh, Ryan Sent: Friday, July 24, 2009 9:53 AM To: li...@zopyx.com Cc: zope@zope.org Subject: RE: [Zope] HTTP Request Denial of Service Vulnerability It is not related to the specified hotfix. I'm getting details

Re: [Zope] HTTP Request Denial of Service Vulnerability

2009-07-24 Thread Chris McDonough
: [Zope] HTTP Request Denial of Service Vulnerability It is not related to the specified hotfix. I'm getting details now, but this is how it seems: 1. this is from the Foundstone product, not a public advisory. The Foundstone product is a vulnerability scanner, and it seems that it feels

Re: [Zope] HTTP Request Denial of Service Vulnerability

2009-07-24 Thread Ryan_Permeh
: zope@zope.org Subject: RE: [Zope] HTTP Request Denial of Service Vulnerability It is not related to the specified hotfix. I'm getting details now, but this is how it seems: 1. this is from the Foundstone product, not a public advisory. The Foundstone product is a vulnerability scanner

Re: [Zope] HTTP Request Denial of Service Vulnerability

2009-07-24 Thread TsungWei Hu
To: li...@zopyx.com Cc: zope@zope.org Subject: RE: [Zope] HTTP Request Denial of Service Vulnerability It is not related to the specified hotfix. I'm getting details now, but this is how it seems: 1. this is from the Foundstone product, not a public advisory. The Foundstone product

Re: [Zope] HTTP Request Denial of Service Vulnerability

2009-07-21 Thread Ricardo Newbery
On Jul 19, 2009, at 11:04 PM, TsungWei Hu wrote: The observation and recommendation are specifically generated by Foundstone Labs' software. It's my fault to suggest that it might be related to Hotfix-2008-08-12. From my side, I will try to stop improper information from Foundstone Labs.

Re: [Zope] HTTP Request Denial of Service Vulnerability

2009-07-20 Thread TsungWei Hu
The observation and recommendation are specifically generated by Foundstone Labs' software. It's my fault to suggest that it might be related to Hotfix-2008-08-12. From my side, I will try to stop improper information from Foundstone Labs. Thanks, marr On Mon, Jul 20, 2009 at 12:20 PM, Andreas Jung

[Zope] HTTP Request Denial of Service Vulnerability

2009-07-19 Thread TsungWei Hu
I have a Plone 3.2.3 site that runs with Zope 2.10.8 and received a security notice as follows. Is it sufficient to fix this by just installing http://www.zope.org/Products/Zope/Hotfix-2008-08-12 ? Thanks, /marr/ = Name = Zope HTTP Request Denial of Service Vulnerability = Description

Re: [Zope] HTTP Request Denial of Service Vulnerability

2009-07-19 Thread Chris McDonough
, /marr/ = Name = Zope HTTP Request Denial of Service Vulnerability = Description = A vulnerability in Zope may allow a remote attacker to manually shutdown the system. = Observation = The Zope Web Content Management system has been identified with a critical denial of service

Re: [Zope] HTTP Request Denial of Service Vulnerability

2009-07-19 Thread Chris McDonough
I just sent the below via http://www.foundstone.com/us/contact-form.aspx . I'd suggest that others do the same; this company is totally wrong about this conclusion... You recently issued a security warning to the effect: = Name = Zope HTTP Request Denial of Service Vulnerability

Re: [Zope] HTTP Request Denial of Service Vulnerability

2009-07-19 Thread Ricardo Newbery
notice as follows. Is it sufficient to fix this by just installing http://www.zope.org/Products/Zope/Hotfix-2008-08-12 ? Thanks, /marr/ = Name = Zope HTTP Request Denial of Service Vulnerability = Description = A vulnerability in Zope may allow a remote attacker to manually shutdown

Re: [Zope] HTTP Request Denial of Service Vulnerability

2009-07-19 Thread Chris McDonough
://www.zope.org/Products/Zope/Hotfix-2008-08-12 ? Thanks, /marr/ = Name = Zope HTTP Request Denial of Service Vulnerability = Description = A vulnerability in Zope may allow a remote attacker to manually shutdown the system. = Observation = The Zope Web Content Management system has been

Re: [Zope] HTTP Request Denial of Service Vulnerability

2009-07-19 Thread Andreas Jung
On 20.07.09 04:06, TsungWei Hu wrote: I have a Plone 3.2.3 site that runs with Zope 2.10.8 and received a security notice as follows. Is it sufficient to fix this by just installing http://www.zope.org/Products/Zope/Hotfix-2008-08-12 ? Thanks, /marr/ Although the Zope development environment is

Re: [Zope] HTTP Request Denial of Service Vulnerability

2009-07-19 Thread Andrew Milton
+---[ Chris McDonough ]-- | This may be true. However, I notice that whoever makes the Foundstone website | can't spell either (Costumer for Customer in the How you found out about | us dropdown). ;-) So... guilty till proven innocent as far as I'm concerned. Don't