Forwarding this, in case anyone is not subscribed to the zope-announce list.

For Windows users who are using the Plone installer, a hotfix installer
is already available (it installs *only* the hotfix; you need to have
Plone already installed):
http://awkly.org/files/plone/setup-community-2006.07.05-hotfix-5695.exe

----- Forwarded message from Jim Fulton <[EMAIL PROTECTED]> -----

From: Jim Fulton <[EMAIL PROTECTED]>
To: zope-announce@zope.org
Date: Sat, 8 Jul 2006 08:43:23 -0400
Subject: [Zope-Annce] Security alert: use of Through-the-Web reStructuredText

Recently, a serious security flaw was found in Zope 2 due to its
improper support for allowing reStructuredText to be edited
through-the-web.  reStructuredText has directives that allow inclusion of any
file a Zope process could read and inclusion of data obtained from
fetching arbitrary URLs.  In a trusted environment, these directives
have legitimate uses.  The feature of including files and URL results
should not be enabled for text entered from untrusted sources, which
applies to most through-the-web interactions.

The recent hotfix:

  http://www.zope.org/Products/Zope/Hotfix-2006-07-05/Hotfix-2006-07-05

addresses the problem for Zope 2.

It is safe to allow reStructuredText through the web with care.  The  
inclusion of files or URL results can be disabled, but the programmer  
must explicitly disable the feature.  It is not disabled by default.   
It is also critical that a developer who exposes through-the-web  
reStructuredText have tests to verify that the file/url inclusion  
feature has been disabled.

Zope 3 itself, as released, doesn't have this problem because it  
doesn't allow reST entry through the web.  There are third-party  
applications, however, including 2 packages in the Zope 3 subversion  
tree that do have this problem.  I strongly urge you to avoid using  
any Zope package that allows through-the-web input of  
reStructuredText unless you can verify that file/url has been  
properly disabled.

The zwiki and bugtracker packages do not currently disable file/url  
inclusion and should not be used in situations in which users who are  
not highly trusted have access to these applications.  If you are  
using a Zope 3 checkout, these packages are currently included and  
enabled.  I plan to remove these packages from the Zope 3 repository  
tree within the next few hours.  If you are using a checkout-based  
Zope 3 installation that exposes these packages to untrusted users,  
you are strongly urged to disable these packages by removing the  
following files from your package-includes directory:

  zwiki-configure.zcml
  bugtracker-configure.zcml

Removing these files will also avoid problems when you update your  
checkout later, as these will refer to non-existent packages.

Jim

--
Jim Fulton                      mailto:[EMAIL PROTECTED]                Python Powered!
CTO                             (540) 361-1714                          http://www.python.org
Zope Corporation        http://www.zope.com             http://www.zope.org



_______________________________________________
Zope-Announce maillist  -  Zope-Announce@zope.org
http://mail.zope.org/mailman/listinfo/zope-announce

Zope-Announce for Announcements only - no discussions

(Related lists -
Users: http://mail.zope.org/mailman/listinfo/zope
Developers: http://mail.zope.org/mailman/listinfo/zope-dev )

----- End forwarded message -----
----- Forwarded message from Jim Fulton <[EMAIL PROTECTED]> -----

From: Jim Fulton <[EMAIL PROTECTED]>
To: zope-announce@zope.org
Date: Wed, 5 Jul 2006 17:53:05 -0400
Subject: [Zope-Annce] Serious security problem with Zope 2

We have recently discovered that there are (still) very serious security
problems with the integration of reStructured Text (docutils) into
Zope 2.

We have prepared a hot fix for this problem:

  http://www.zope.org/Products/Zope/Hotfix-2006-07-05/Hotfix-20060705/

See:
http://www.zope.org/Products/Zope/Hotfix-2006-07-05/Hotfix-20060705/README.txt
for installation instructions.

It is important to install this hotfix as soon as possible.

This fix will disable the reStructuredText 'raw' directive.

Much thanks goes to Tres Seaver for analyzing the problem and  
developing the hotfix!

Jim


----- End forwarded message -----
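Two concrete pieces follow from the announcements above: the docutils settings a deployer must turn off before rendering through-the-web reStructuredText (the announcement stresses they are not off by default), and the verification test Jim asks for, one that proves file/URL inclusion really is disabled. The code below is an added example written for this page; it is not code from the announcements or from the Zope hotfix. It assumes docutils is installed and uses its real `file_insertion_enabled` and `raw_enabled` settings; the function names, the probe document and the sentinel string are my own constructions.

```python
"""Render through-the-web reStructuredText with file/URL inclusion disabled,
and verify that the renderer really refuses to include anything.

Added example, not part of the original announcement or of the Zope hotfix.
Assumes docutils is installed; ``file_insertion_enabled`` and ``raw_enabled``
are real docutils settings, the rest of the names here are my own.
"""
import os
import tempfile

from docutils.core import publish_parts

# Settings a renderer of untrusted input must pass explicitly. Neither of the
# first two is off by default, which is exactly the point of the advisory.
UNTRUSTED_SETTINGS = {
    "file_insertion_enabled": False,  # blocks include:: and the :file:/:url: options
    "raw_enabled": False,             # blocks the raw:: directive entirely
    "report_level": 5,                # keep docutils from writing warnings to stderr
    "halt_level": 5,                  # never raise SystemMessage on hostile input
}


def render_untrusted(source: str) -> str:
    """Render reST written by an untrusted author to an HTML fragment."""
    parts = publish_parts(source, writer_name="html",
                          settings_overrides=UNTRUSTED_SETTINGS)
    return parts["fragment"]


def render_trusting(source: str) -> str:
    """Render with docutils defaults: file and URL inclusion stay enabled.
    Included only so the verification test below can show the difference."""
    parts = publish_parts(source, writer_name="html",
                          settings_overrides={"report_level": 5, "halt_level": 5})
    return parts["fragment"]


def inclusion_disabled(render) -> bool:
    """The test the advisory asks every deployer to have: write a sentinel to a
    local file, feed the renderer a document that tries to include that file
    (via include:: and via raw:: with :file:), and confirm the sentinel never
    reaches the output. Returns True only if the renderer refused both."""
    sentinel = "SENTINEL-do-not-leak-7f3a"  # constructed marker value
    fd, path = tempfile.mkstemp(suffix=".txt")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(sentinel + "\n")
        # Constructed probe document exercising both inclusion paths.
        probe = (
            "Probe\n"
            "=====\n\n"
            ".. include:: %s\n\n"
            ".. raw:: html\n"
            "   :file: %s\n" % (path, path)
        )
        html = render(probe)
    finally:
        os.unlink(path)
    return sentinel not in html


if __name__ == "__main__":
    print("hardened renderer blocks inclusion:", inclusion_disabled(render_untrusted))
    print("default renderer blocks inclusion: ", inclusion_disabled(render_trusting))
```

Run it once against the renderer you actually deploy; `inclusion_disabled` returning `False` means the settings were not applied (the default-settings renderer is there to show what that looks like). Keep the check in your test suite rather than running it by hand, since an upgrade or a refactor of the rendering code path can silently reintroduce the defaults.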

--
Sidnei da Silva
Enfold Systems                http://enfoldsystems.com
Fax +1 832 201 8856     Office +1 713 942 2377 Ext 214

