Tres Seaver <tsea...@palladion.com> writes:

>> version 2.12.21: * LP #1079238 fixes CVE-2012-5489.
>> According to the upstream changelog, LP #1047318 seems to fix a
>> security bug, but I could not find it in zope2 launchpad nor anywhere
>> else.
> That bug was still in "Private Security" state: I have updated it to
> "Public Security", so you should be able to view it:
>  https://bugs.launchpad.net/zope2/+bug/1047318

Thank you very much.

>> Not fixed in latest release of Zope AFAIK:
>> * CVE-2012-5487 (allow_module.py)
>> http://plone.org/products/plone/security/advisories/20121106/03
> I don't believe that this can be a bug in Zope itself: adding
> '__roles__' to a module-scope function is pointless unless the module
> itself is importable by untrusted (TTW) code. The
> 'AccessControl.SecurityInfo' module should *certainly* not be exposed
> to untrusted code. If some other out-of-Zope-core module which is
> supposed to be importable by TTW code imports that function at module
> scope, then fix *that* module instead.

Indeed, thanks for your explanation.

>> * CVE-2012-5505 (zope.traversing: atat.py)
>> http://plone.org/products/plone/security/advisories/20121106/21
> That "fix" is also disputed: hiding the "default" view from the '@@'
> name does not actually improve security at all. There is a Launchpad
> bug where it is being debated (#1079225), but that bug is still in
> "Private Security" mode. The correct fix is to change the code of the
> multi-adapter to barf if published via a URL.

Any idea when this patch will be released? Thanks.

Arnaud Fontaine
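The point Tres makes about CVE-2012-5487 above (a '__roles__' marker on a module-scope function changes nothing unless some TTW-importable module re-exports that function) can be shown with a small stand-in for Zope's module-import guard. This is an added example written for this thread, not Zope's own AccessControl code: 'allow_module', 'declare_private' and 'guarded_import' are simplified models of the real registry, and the two modules in MODULES are constructed.

```python
import types

# Simplified model of the AccessControl module registry (not Zope's real code).
ALL = object()        # sentinel: every attribute of the module is importable by TTW code
ALLOWED = {}          # module name -> ALL, or a set of attribute names TTW code may import
PRIVATE = {}          # module name -> attribute names explicitly hidden from TTW code

def allow_module(module_name):
    """Make a whole module importable by untrusted (TTW) code."""
    ALLOWED[module_name] = ALL

def declare_private(module_name, *names):
    """Hide specific names of an otherwise allowed module from TTW code."""
    PRIVATE.setdefault(module_name, set()).update(names)

def guarded_import(modules, module_name, name):
    """Resolve modules[module_name].<name> only if the registry permits it."""
    rule = ALLOWED.get(module_name)
    if rule is None:
        raise ImportError(f"{module_name!r} is not importable by TTW code")
    if name in PRIVATE.get(module_name, ()) or (rule is not ALL and name not in rule):
        raise ImportError(f"{module_name}.{name} is not allowed for TTW code")
    return getattr(modules[module_name], name)

def reachable(modules, module_name, name):
    """True if TTW code could import <name> from <module_name> under the registry."""
    try:
        guarded_import(modules, module_name, name)
        return True
    except ImportError:
        return False

# Constructed stand-in for the trusted-only helper the advisory talks about.
def secret_helper():
    return "trusted-only result"

secret_helper.__roles__ = ()   # marker like the disputed patch adds; irrelevant if unreachable

# Constructed modules: the core security module (never allowed) and a product module
# that is allowed wholesale but wrongly imports the helper at module scope.
MODULES = {
    "AccessControl.SecurityInfo": types.SimpleNamespace(secret_helper=secret_helper),
    "Products.Example": types.SimpleNamespace(greet=lambda: "hi",
                                              secret_helper=secret_helper),
}
allow_module("Products.Example")
```

With this registry the helper is unreachable through 'AccessControl.SecurityInfo' whatever its '__roles__' says, but it leaks through 'Products.Example'; declaring it private there (or not importing it at module scope) is the fix in the module that actually exposes it.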


Zope-Dev maillist  -  Zope-Dev@zope.org