RE: [Zope-dev] Problem with Hotfix 2000-10-11 on 2.1.6

2001-03-30 Thread Brian Lloyd

 If installed on 2.1.6, the product shows up as broken, since it tries to run
 "from OFS.ObjectManager import aq_base", which fails, since aq_base wasn't
 available in ObjectManager before 2.2.1 (!).

 Therefore I guess the Hotfix won't work for any versions prior to 2.2.1.
 According to the README, those versions are still vulnerable.


 Could somebody give me a hint if and how it's possible to backport the
 Hotfix to Zope 2.1.6 ?

You could add this to the hotfix module:

def aq_base(object):
  return getattr(object, 'aq_base', object)

...and use that instead of importing it.


Brian Lloyd        [EMAIL PROTECTED]
Software Engineer  540.371.6909
Digital Creations  http://www.digicool.com




___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )
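
Brian Lloyd's suggestion above, written as a guarded import so that one hotfix module loads on both 2.1.6 and 2.2.1 or later. This is an added example in present-day Python, not code from the thread or from the hotfix; `FakeWrapper`, `Folder` and `same_object` are constructed stand-ins, and outside a Zope process the import fails so the fallback is what runs.

```python
def _fallback_aq_base(obj):
    """Fallback from the thread: return the object without its wrapper.

    An acquisition wrapper exposes the bare object as .aq_base; an
    object that was never wrapped has no such attribute, so the
    getattr default hands the object back unchanged.
    """
    return getattr(obj, 'aq_base', obj)


try:
    # Per the thread, this name exists in ObjectManager from 2.2.1 on.
    from OFS.ObjectManager import aq_base
except ImportError:
    # Zope 2.1.6 (name missing) or no Zope at all (module missing).
    aq_base = _fallback_aq_base


class Folder:
    """Constructed stand-in for a plain, unwrapped object."""
    def __init__(self, id):
        self.id = id


class FakeWrapper:
    """Constructed stand-in for an acquisition wrapper (not Zope code)."""
    def __init__(self, inner, parent):
        self.aq_base = inner      # the bare object
        self.aq_parent = parent   # the acquisition context


def same_object(a, b, unwrap=None):
    """Identity check that ignores acquisition context.

    A wrapper and the object it wraps are different Python objects, so
    a plain `is` test fails unless both sides are unwrapped first.
    """
    unwrap = unwrap or aq_base
    return unwrap(a) is unwrap(b)


if __name__ == '__main__':
    folder = Folder('docs')
    wrapped = FakeWrapper(folder, parent=None)
    print(wrapped is folder)             # wrapper is a distinct object
    print(same_object(wrapped, folder))  # equal once unwrapped
```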



[Zope-dev] Problem with Hotfix 2000-10-11 on 2.1.6

2001-03-29 Thread Gregor Hoffleit

I'm having trouble installing Hotfix_2000-10-11 on Zope 2.1.6, although the
README says: "The hotfix will work for all versions of Zope 2.2.0 and
higher."

If installed on 2.1.6, the product shows up as broken, since it tries to run
"from OFS.ObjectManager import aq_base", which fails, since aq_base wasn't
available in ObjectManager before 2.2.1 (!).

Therefore I guess the Hotfix won't work for any versions prior to 2.2.1.
According to the README, those versions are still vulnerable.


Could somebody give me a hint if and how it's possible to backport the
Hotfix to Zope 2.1.6 ?


Gregor





Re: [Zope-dev] Problem with Hotfix 2000-10-11 on 2.1.6

2001-03-29 Thread Chris Withers

Gregor Hoffleit wrote:
 
 Could somebody give me a hint if and how it's possible to backport the
 Hotfix to Zope 2.1.6 ?

Surely it'd be better to move your servers forward to 2.2.5 or maybe 2.3.1 when
it's out?!

cheers,

Chris




Re: [Zope-dev] Problem with Hotfix 2000-10-11 on 2.1.6

2001-03-29 Thread Gregor Hoffleit

On Thu, Mar 29, 2001 at 12:34:16PM +0100, Chris Withers wrote:
 Gregor Hoffleit wrote:
  
  Could somebody give me a hint if and how it's possible to backport the
  Hotfix to Zope 2.1.6 ?
 
 Surely it'd be better to move your servers forward to 2.2.5 or maybe 2.3.1 when
 it's out?!

It's about backwards compatibility. Debian's last release had a 2.1.6
package in it, and our release managers simply won't accept a new upstream
version (i.e. 2.2.5 or 2.3) as security fix. Therefore, I have to try to
backport security fixes to 2.1.6, silly as it might be, for those of our
users that prefer stability over featurism ;-)

Rest assured, though, that the next Debian *release* will feature 2.3.x.

At this point, it simply struck me as odd that the README is quite
inaccurate, and it sounds as if there should be a simple fix for this hole
in 2.1.6, too.

Gregor




Re: [Zope-dev] Problem with Hotfix 2000-10-11 on 2.1.6

2001-03-29 Thread Gregor Hoffleit

On Thu, Mar 29, 2001 at 10:10:50PM +1000, Zac Stevens wrote:
 Howdy,
 
 On Thu, Mar 29, 2001 at 01:28:13PM +0200, Gregor Hoffleit wrote:
 | I'm having trouble installing Hotfix_2000-10-11 on Zope 2.1.6, although the
 | README says: "The hotfix will work for all versions of Zope 2.2.0 and
 | higher."
 
 I think you're just making a minor braino here - 2.1.6 isn't higher than
 2.2.0
 
 The Readme is somewhat ambiguous though - it starts off stating that "all
 versions up to and including 2.2.2" are affected, but then recommends "Zope
 2.2.x" sites upgrade.  Perhaps it isn't even a genuine issue for 2.1.6?
 (I don't know)

Ooops, sorry, sorry, sorry.

I had read the start of the README (like you wrote: 'Zope versions up to and
including Zope 2.2.2.'), but I had quoted a paragraph that indeed implied
an answer to my question ('will work for all versions of Zope 2.2.0 and
higher.').

So 2.1.6 ought to be vulnerable as well, but that Hotfix won't work for it.


Gregor





'All Hotfixes' page (was Re: [Zope-dev] Problem with Hotfix 2000-10-11 on 2.1.6)

2001-03-29 Thread Gregor Hoffleit

On Thu, Mar 29, 2001 at 02:34:47PM +0200, Gregor Hoffleit wrote:
 I had read the start of the README (like you wrote: 'Zope versions up to and
 including Zope 2.2.2.'), but I had quoted a paragraph that indeed implied
 an answer to my question ('will work for all versions of Zope 2.2.0 and
 higher.').

A last word on this: http://www.zope.org/Products/Zope/hotfixes is really a
mess and very hard to read. Would it be possible to redesign that page so
that it's more obvious which Hotfixes apply to which version. Currently the
page is so flat that it's even hard to tell which paragraph applies to which
Hotfix.

Gregor





Re: [ZWeb] 'All Hotfixes' page (was Re: [Zope-dev] Problem with Hotfix 2000-10-11 on 2.1.6)

2001-03-29 Thread Martijn Pieters

On Thu, Mar 29, 2001 at 03:15:26PM +0200, Gregor Hoffleit wrote:
 On Thu, Mar 29, 2001 at 02:34:47PM +0200, Gregor Hoffleit wrote:
  I had read the start of the README (like you wrote: 'Zope versions up to and
  including Zope 2.2.2.'), but I had quoted a paragraph that indeed implied
  an answer to my question ('will work for all versions of Zope 2.2.0 and
  higher.').
 
 A last word on this: http://www.zope.org/Products/Zope/hotfixes is really a
 mess and very hard to read. Would it be possible to redesign that page so
 that it's more obvious which Hotfixes apply to which version. Currently the
 page is so flat that it's even hard to tell which paragraph applies to which
 Hotfix.

Have a look at http://www.zope.org/Products/Zope/hotfixes, I think it is
exactly what you need.

-- 
Martijn Pieters
| Software Engineer  mailto:[EMAIL PROTECTED]
| Digital Creations  http://www.digicool.com/
| Creators of Zope   http://www.zope.org/
-




Re: [ZWeb] 'All Hotfixes' page (was Re: [Zope-dev] Problem with Hotfix 2000-10-11 on 2.1.6)

2001-03-29 Thread Martijn Pieters

On Thu, Mar 29, 2001 at 01:27:08PM -0500, Shane Hathaway wrote:
  Have a look at http://www.zope.org/Products/Zope/hotfixes, I think it is
  exactly what you need.
 
 Huh?  You repeated the URL he supplied... and I'd like to know if there
 is indeed a better URL.

Duh. Copy, paste, send. Who cares about editing the URL. :0

The correct URL is:

  http://www.zope.org/Products/Zope

-- 
Martijn Pieters
| Software Engineer  mailto:[EMAIL PROTECTED]
| Digital Creations  http://www.digicool.com/
| Creators of Zope   http://www.zope.org/
-




Re: [ZWeb] 'All Hotfixes' page (was Re: [Zope-dev] Problem with Hotfix 2000-10-11 on 2.1.6)

2001-03-29 Thread Charlie Blanchard

On Thu, Mar 29, 2001 at 08:33:50PM +0200, Martijn Pieters wrote:
...
 Duh. Copy, paste, send. Who cares about editing the URL. :0
 
 The correct URL is:
 
   http://www.zope.org/Products/Zope
 
<alert>Zope Newbie Here</alert>

After looking at the page referenced above, one question remains
unclear to me. There are for example two Hotfixes listed as
applying to "= 2.3.1b1" 

It is not clear to me if the more recent fix _includes_ the
earlier fix or whether _both_ fixes need to be applied. 

Something in the text one way or another explaining Hotfix
application policy might help clear this up for those of us new
to the "Zope Way." (-:

tia,

-- 
charlie blanchard
http://baldguru.com/
"What is freedom of expression?
 Without the freedom to offend, it ceases to exist."
 -Salman Rushdie
