Ok, the final analysis is as follows:

We had an incorrect version regex that matched 2.10 the same as 2.1.  This 
issue seems to only affect zope version 2.0 through 2.5.01.  This lead to the 
vulnerability showing up with recent versions of zope being scanned.

We are fixing both the regex and the suggested fix.  The new suggested fix will 
be to update to the appropriate version of zope (in this case, post 2.5.01), 
not to replace it with something else.  This fix should be updated within the 
next week or so.

If you have any further questions pertaining to McAfee (or Foundstone) security 
reports, please feel free to contact me directly, or via secur...@mcafee.com.  
I am not a full time member of this list, so I may not see any replies or 
questions made only to the list.

-----Original Message-----
From: Permeh, Ryan 
Sent: Friday, July 24, 2009 9:53 AM
To: li...@zopyx.com
Cc: zope@zope.org
Subject: RE: [Zope] HTTP Request Denial of Service Vulnerability

It is not related the specified hotfix.  I'm getting details now, but this is 
how it seems:
1. this is from the Foundstone product, not a public advisory.  The Foundstone 
product is a vulnerability scanner, and it seems that it feels that the 
original poster's site is vulnerable to the stated issue.
2. The vulnerability check was written and published in 2002.  
3. I am looking into details regarding both what the details of this issue 
originally were, and what we look for to trigger it's existence.

This leads to a couple observations.

1.  This is likely a false positive, unless the original poster was running 
ridiculously old software.  
2. We will fix the check logic or remove the check entirely.  Checks this old 
rarely add much value to the product
3. In any case, if the check stays, we will update the text.  I'm not sure who 
wrote the original text in 2002, but it obviously doesn't apply now.  

-----Original Message-----
From: Andreas Jung [mailto:li...@zopyx.com] 
Sent: Friday, July 24, 2009 9:43 AM
To: Permeh, Ryan
Cc: zope@zope.org
Subject: Re: [Zope] HTTP Request Denial of Service Vulnerability


On 24.07.09 18:24, ryan_per...@mcafee.com wrote:
> I manage product security at McAfee, of which Foundstone is a part.  I am not 
> aware of releasing such an advisory, and am looking into this.  Could we get 
> details regarding where this was found?  Was this posted to a web site?  A 
> security mailing list?  And when was it posted?  This may have a very 
> different meaning if it was published in 2001 or something like that.  
> Alternately, Foundstone produces a vulnerability management software, was 
> this in a report generated by that product?  
I have no idea what you are talking about.

We had this strange mail thread this week:


related to this hotfix


Now how is this related to " HTTP Request Denial of Service Vulnerability" ???

I can not find anything related to the subject within the list of our hotfixes 
(which is pretty small since 2000):

Zope maillist  -  Zope@zope.org
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-dev )

Reply via email to