The observation and recommendation are specifically generated by Foundstone Labs' software. It's my fault to suggest that it might be related to Hotfix-2008-08-12. From my side, I will try to stop improper information from Foundstone lab.
Thanks,
marr

On Mon, Jul 20, 2009 at 12:20 PM, Andreas Jung <li...@zopyx.com> wrote:

> On 20.07.09 04:06, TsungWei Hu wrote:
> > I have a Plone 3.2.3 site that runs with Zope 2.10.8 and receive a
> > security notice as follows. Is it sufficient to fix this just
> > installing http://www.zope.org/Products/Zope/Hotfix-2008-08-12 ?
> > Thanks, /marr/
> >
> > Although the Zope development environment is one of the largest and
> > most widely supported open source web content management solutions, it
> > has been plagued with exploitable vulnerabilities. Due to the nature
> > of the software and sheer number of vulnerabilities, Foundstone Labs
> > recommends you consider utilizing a different content management
> > solution and at a minimum upgrade your software. Zope updates can be
> > freely downloaded from www.zope.org <http://www.zope.org>
>
> TsungWei, with respect but you are telling barely nonsense. The
> mentioned issue only affected sites where managers gave ZMI access
> to untrusted users. So this issue is of limited importance.
> In addition it has been fixed within less than one day (compare this
> to other systems).
> In addition: Zope is an application server, not a CMS. Also: compare
> the number of critical bugs within Zope to other systems.
>
> ZOPE IS VERY SECURE.
>
> So please stop with such postings spreading FUD and containing
> improper information.
>
> Andreas Jung
> Zope 2 Release Manager
_______________________________________________
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )