On 11/9/12 11:23 AM, Charlie Clark wrote:
Am 09.11.2012, 17:02 Uhr, schrieb Jens Vagelpohl <j...@dataflake.org>:

Hi all,

I don't recall any information being provided to the CMF developers about CMF fixes in the most recent Plone Hotfix:


For example, there's a monkey patch to make sure getToolByName only returns valid tool objects and nothing else, see the attached file.

I'm not sure if there's an oversight of not forwarding this information to us or if it was determined this fix is not relevant for the CMF. Would any list member who also works on Plone have an insight?



I got this back from David Glick after asking secur...@plone.org:

Thanks. We haven't had a chance to start applying the patches in the hotfix back to where they really belong, but we'll do so soon. Note that for the time being it should be possible to apply the Plone hotfix to pure CMF sites as well to patch this issue.

Still no wiser as to why we weren't informed.

We should have informed you earlier. There are a lot of tasks associated with preparing a hotfix (and this one in particular covered many vulnerabilities), and it got missed. I apologize.

In the future, what's the best place to report possible CMF security issues? zope-cmf Launchpad?

Zope-CMF maillist  -  Zope-CMF@zope.org

See https://bugs.launchpad.net/zope-cmf/ for bug reports and feature requests

Reply via email to