The observation and recommendation are specifically generated by Foundstone.
It's my fault to suggest that might be related to Hotfix-2008-08-12.
From my side, I will try to stop improper information from Foundstone lab.
On Mon, Jul 20, 2009 at 12:20 PM, Andreas Jung <li...@zopyx.com> wrote:
> On 20.07.09 04:06, TsungWei Hu wrote:
> > I have a Plone 3.2.3 site that runs with Zope 2.10.8 and receive a
> > security notice as follows. Is it sufficient to fix this just
> > installing http://www.zope.org/Products/Zope/Hotfix-2008-08-12 ?
> > Thanks, /marr/
> > Although the Zope development environment is one of the largest and
> > most widely supported open source web content management solutions, it
> > has been plagued with exploitable vulnerabilities. Due to the nature
> > of the software and sheer number of vulnerabilities, Foundstone Labs
> > recommends you consider utilizing a different content management
> > solution and at a minimum upgrade your software. Zope updates can be
> > freely downloaded from www.zope.org <http://www.zope.org>
> TsungWei, with respect but you are telling barely nonsense. The
> mentioned issue only affected
> sites where managers gave ZMI access to untrusted users. So this issue
> is of limited importance.
> In addition it has been fixed within less than one day (compare this to
> other systems).
> In addition: Zope is an application server, not a CMS. Also: compare the
> number of critical
> bugs within Zope to other systems.
> ZOPE IS VERY SECURE.
> So please stop with such postings spreading FUD and containing improper
> Andreas Jung
> Zope 2 Release Manager
Zope maillist - Zope@zope.org