The Zope security response team is announcing a fix for a vulnerability in Zope 2.12.x and Zope 2.13.x that allows execution of arbitrary code by anonymous users. The hotfix for this vulnerability was pre-announced last week.
This is a severe vulnerability: an unauthenticated attacker can use a carefully crafted web request to execute arbitrary commands with the privileges of the Zope service.

Versions affected: Zope 2.12.x and Zope 2.13.x.
Versions not affected: Zope 2.11.x, Zope 2.10.x and prior.

You can install the hotfix either as an egg release from http://pypi.python.org/pypi/Products.Zope_Hotfix_CVE_2011_3587 or as an old-style product release from http://download.zope.org/Zope2/hotfixes/Zope_Hotfix_CVE_2011_3587-v10.tar.gz. Alternatively, upgrade to the latest bugfix release of Zope: versions 2.12.20 and 2.13.10 will be released today and include the fix for this vulnerability.

Please refer to http://zope2.zope.org/news/security-vulnerability-announcement-cve-2011-3587 for more details.

The Plone community has also released a security hotfix today covering an additional security issue. If you are using Plone, please refer to http://plone.org/products/plone/security/advisories/20110928.

On behalf of the Zope security response team,
Hanno Schlichting

_______________________________________________
Zope-Dev maillist - Zope-Dev@zope.org
https://mail.zope.org/mailman/listinfo/zope-dev
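The affected and fixed version ranges stated in the announcement (2.12.x below 2.12.20 and 2.13.x below 2.13.10 affected; 2.11.x and earlier not affected) can be turned into a quick triage check for the instances you operate. The following script is an added example and is not part of the original announcement or of Zope itself; the `FIXED_IN` table is filled from the announcement text, while the function names, the accepted version-string format ("2.12.19" or "Zope 2.12.19") and the sample versions are my own assumptions.

```python
# Added example (not from the advisory or from Zope): classify a Zope version
# string against the ranges the advisory above lists for CVE-2011-3587.
import re

# Branch -> first release on that branch carrying the fix, per the advisory.
FIXED_IN = {
    (2, 12): (2, 12, 20),
    (2, 13): (2, 13, 10),
}
HOTFIX = "Products.Zope_Hotfix_CVE_2011_3587"  # egg name from the advisory


def parse_version(text):
    """Turn '2.12.19' or 'Zope 2.12.19' into (2, 12, 19).

    A missing micro component is treated as 0. Assumption: plain dotted
    numeric versions only; anything else raises ValueError.
    """
    m = re.match(r"(?:Zope\s+)?(\d+)\.(\d+)(?:\.(\d+))?$", text.strip())
    if not m:
        raise ValueError("unrecognised Zope version: %r" % text)
    return tuple(int(part or 0) for part in m.groups())


def check(text):
    """Return (affected, advice) for one version string.

    affected is True (vulnerable), False (not affected / already fixed) or
    None (the advisory says nothing about this branch, so don't assume).
    """
    v = parse_version(text)
    branch = v[:2]
    if branch not in FIXED_IN:
        if v < (2, 12):
            # Advisory: 2.11.x, 2.10.x and prior are not affected.
            return False, "not affected per advisory"
        # Newer than 2.13: outside the advisory's stated scope.
        return None, "outside the advisory's stated ranges; check upstream"
    fixed = FIXED_IN[branch]
    fixed_str = ".".join(str(n) for n in fixed)
    if v >= fixed:
        return False, "contains the fix (>= %s)" % fixed_str
    return True, "affected: upgrade to %s or install %s" % (fixed_str, HOTFIX)


def triage(versions):
    """Check a list of (instance name, version string) pairs; returns a dict."""
    return {name: check(ver) for name, ver in versions}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = [
        ("app-01", "Zope 2.12.19"),
        ("app-02", "2.13.10"),
        ("legacy", "2.11.8"),
        ("new-branch", "2.14.0"),
    ]
    for name, (affected, advice) in sorted(triage(inventory).items()):
        print("%-10s affected=%-5s %s" % (name, affected, advice))
```

Feed `check()` the version your instances actually report (for example the one shown in the ZMI Control Panel); the result only reflects the ranges in this announcement, so a `None` verdict means "not covered here", not "safe".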