Maik Jablonski wrote at 2004-1-21 21:20 +0100:
...
My proposal: Can we have a delay for making security-related fixes public?
Just a month or two or so...
-1
Most of the potential exploits have rather strict requirements
(such as creation of executable content by untrusted users).
Thus, few
[...]
there were several security-related fixes in the collector (and the
collector-mailing-list) in the last days. Normally security-related stuff is
not visible for the public... and this seems to be good to avoid exploits
etc.
At least for the resolved issues the fixes are public
Clemens Robbenhaar wrote:
malicious Python Scripts on my site (I guess ;-), and I do not use DTML
or some Tree-stuff -- thus I did not upgrade yet, and You may feel free
Actually... unless you've altered the ZMI and HelpSys, you do use
dtml-tree ...and HelpSys is publicly traversable by
Jamie Heilman writes:
Clemens Robbenhaar wrote:
malicious Python Scripts on my site (I guess ;-), and I do not use DTML
or some Tree-stuff -- thus I did not upgrade yet, and You may feel free
Actually... unless you've altered the ZMI and HelpSys, you do use
dtml-tree ...and HelpSys
Hi,
there were several security-related fixes in the collector (and the
collector-mailing-list) in the last days. Normally security-related stuff is
not visible for the public... and this seems to be good to avoid exploits
etc.
Lots of security-stuff is fixed now, but I don't think that all
Maik Jablonski wrote:
Normally security-related stuff is not visible for the public... and
this seems to be good to avoid exploits etc.
Hiding the bugs doesn't avoid anything, it just leaves zope
administrators helpless in the dark. I'm not going to rehash the
arguments for and against full
On Wednesday 21 January 2004 03:21 pm, Jamie Heilman wrote:
Hiding the bugs doesn't avoid anything, it just leaves zope
administrators helpless in the dark. I'm not going to rehash the
arguments for and against full disclosure, but seriously--don't delude
yourself into thinking that a problem