That's why I usually override the Server: HTTP header from within my Zope apps for public sites running on Zope :-)
Andreas

On 24.07.09 19:15, ryan_per...@mcafee.com wrote:
> Ok, the final analysis is as follows:
>
> We had an incorrect version regex that matched 2.10 the same as 2.1. This issue seems to only affect zope version 2.0 through 2.5.01. This led to the vulnerability showing up with recent versions of zope being scanned.
>
> We are fixing both the regex and the suggested fix. The new suggested fix will be to update to the appropriate version of zope (in this case, post 2.5.01), not to replace it with something else. This fix should be updated within the next week or so.
>
> If you have any further questions pertaining to McAfee (or Foundstone) security reports, please feel free to contact me directly, or via secur...@mcafee.com. I am not a full time member of this list, so I may not see any replies or questions made only to the list.
>
>
> -----Original Message-----
> From: Permeh, Ryan
> Sent: Friday, July 24, 2009 9:53 AM
> To: li...@zopyx.com
> Cc: zope@zope.org
> Subject: RE: [Zope] HTTP Request Denial of Service Vulnerability
>
> It is not related to the specified hotfix. I'm getting details now, but this is how it seems:
> 1. This is from the Foundstone product, not a public advisory. The Foundstone product is a vulnerability scanner, and it seems that it feels that the original poster's site is vulnerable to the stated issue.
> 2. The vulnerability check was written and published in 2002.
> 3. I am looking into details regarding both what the details of this issue originally were, and what we look for to trigger its existence.
>
> This leads to a couple of observations.
>
> 1. This is likely a false positive, unless the original poster was running ridiculously old software.
> 2. We will fix the check logic or remove the check entirely. Checks this old rarely add much value to the product.
> 3. In any case, if the check stays, we will update the text. I'm not sure who wrote the original text in 2002, but it obviously doesn't apply now.
>
>
> -----Original Message-----
> From: Andreas Jung [mailto:li...@zopyx.com]
> Sent: Friday, July 24, 2009 9:43 AM
> To: Permeh, Ryan
> Cc: zope@zope.org
> Subject: Re: [Zope] HTTP Request Denial of Service Vulnerability
>
> Hi,
>
> On 24.07.09 18:24, ryan_per...@mcafee.com wrote:
>
>> I manage product security at McAfee, of which Foundstone is a part. I am not aware of releasing such an advisory, and am looking into this. Could we get details regarding where this was found? Was this posted to a web site? A security mailing list? And when was it posted? This may have a very different meaning if it was published in 2001 or something like that. Alternately, Foundstone produces vulnerability management software; was this in a report generated by that product?
>>
> I have no idea what you are talking about.
>
> We had this strange mail thread this week:
>
> http://mail.zope.org/pipermail/zope/2009-July/175308.html
>
> related to this hotfix:
>
> http://www.zope.org/Products/Zope/Hotfix-2008-08-12
>
> Now how is this related to "HTTP Request Denial of Service Vulnerability"???
>
> I can not find anything related to the subject within the list of our hotfixes (which is pretty small since 2000):
>
> _______________________________________________
> Zope maillist - Zope@zope.org
> http://mail.zope.org/mailman/listinfo/zope
> ** No cross posts or HTML encoding! **
> (Related lists -
> http://mail.zope.org/mailman/listinfo/zope-announce
> http://mail.zope.org/mailman/listinfo/zope-dev )

--
ZOPYX Ltd. & Co KG \ ZOPYX & Friends
Charlottenstr. 37/1 \ The experts for your Python, Zope and
D-72070 Tübingen \ Plone projects
www.zopyx.com, i...@zopyx.com \ www.zopyx.de/friends, frie...@zopyx.de
------------------------------------------------------------------------
E-Publishing, Python, Zope & Plone development, Consulting
_______________________________________________
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )
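The root cause Ryan describes above, a version regex that treats 2.10 the same as 2.1, is a classic banner-matching bug, and the same mistake still shows up in home-grown scanner signatures. The following is an added example, not code from the thread or from McAfee/Foundstone: a hypothetical reconstruction of the flawed check beside a correct one that parses the version into integers and compares the affected range numerically. The Server header strings are constructed for the example (the `Zope/(Zope x.y.z, python ..., platform) ZServer/...` shape is assumed from Zope 2 deployments, not quoted from the thread), and the affected range 2.0 through 2.5.01 is taken from Ryan's message and treated as 2.5.1 for comparison.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample Server: headers (not from the thread); the format is an
# assumption based on what Zope 2 / ZServer installations typically advertise.
SAMPLE_HEADERS: Dict[str, str] = {
    "old":   "Zope/(Zope 2.1.0, python 1.5.2, linux2) ZServer/1.1b1",
    "edge":  "Zope/(Zope 2.5.1, python 2.1.3, linux2) ZServer/1.1b1",
    "2.10":  "Zope/(Zope 2.10.7-final, python 2.4.4, linux2) ZServer/1.1 Plone/3.1.7",
    "2.12":  "Zope/(2.12.0, python 2.6.2, linux2) ZServer/1.1",
    "other": "Apache/2.2.11 (Unix)",
}

# Affected range as stated in the thread: Zope 2.0 through 2.5.01
# (2.5.01 is treated as 2.5.1 so it compares as integers).
AFFECTED_MIN: Tuple[int, ...] = (2, 0)
AFFECTED_MAX: Tuple[int, ...] = (2, 5, 1)

# Hypothetical reconstruction of the flawed signature: the character class
# consumes exactly one minor-version digit, so "2.10" and "2.12" match as "2.1".
NAIVE_RE = re.compile(r"Zope/\((?:Zope\s+)?2\.[0-5]")


def naive_is_affected(server_header: str) -> bool:
    """Banner check the way a lexical-only signature does it (buggy)."""
    return NAIVE_RE.search(server_header) is not None


# Correct approach: capture the whole dotted version, then compare numerically.
VERSION_RE = re.compile(r"Zope/\((?:Zope\s+)?(\d+(?:\.\d+)+)")


def parse_version(server_header: str) -> Optional[Tuple[int, ...]]:
    """Return the advertised Zope version as a tuple of ints, or None if the
    banner is not a Zope banner."""
    m = VERSION_RE.search(server_header)
    if m is None:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(server_header: str) -> bool:
    """Numeric range check; tuple comparison orders (2, 10, 7) after (2, 5, 1)."""
    version = parse_version(server_header)
    return version is not None and AFFECTED_MIN <= version <= AFFECTED_MAX


def compare_checks(headers: Dict[str, str]) -> Dict[str, Tuple[bool, bool]]:
    """Map each banner name to (naive_result, correct_result) so the false
    positives stand out: any (True, False) entry is a banner the naive regex
    wrongly flags."""
    return {name: (naive_is_affected(h), is_affected(h)) for name, h in headers.items()}


if __name__ == "__main__":
    for name, (naive, correct) in compare_checks(SAMPLE_HEADERS).items():
        note = "FALSE POSITIVE" if naive and not correct else ""
        print(f"{name:6} naive={str(naive):5} correct={str(correct):5} {note}")
```

Note that both checks key entirely on the Server banner, which is why overriding that header, as Andreas mentions at the top of this message, silences this kind of finding; it does not change whether the underlying issue is present, so a banner-suppressed host still needs its actual Zope version verified against the affected range.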