Thanks Ryan! Were you also able (willing?) to take out the advice to not use Zope in the text? I assume that text shows up whenever a Zope-related vulnerability is encountered by the scanner.
- C

On 7/24/09 1:15 PM, ryan_per...@mcafee.com wrote:
> Ok, the final analysis is as follows:
>
> We had an incorrect version regex that matched 2.10 the same as 2.1. This
> issue seems to only affect zope version 2.0 through 2.5.01. This led to the
> vulnerability showing up with recent versions of zope being scanned.
>
> We are fixing both the regex and the suggested fix. The new suggested fix
> will be to update to the appropriate version of zope (in this case, post
> 2.5.01), not to replace it with something else. This fix should be updated
> within the next week or so.
>
> If you have any further questions pertaining to McAfee (or Foundstone)
> security reports, please feel free to contact me directly, or via
> secur...@mcafee.com. I am not a full time member of this list, so I may not
> see any replies or questions made only to the list.
>
>
> -----Original Message-----
> From: Permeh, Ryan
> Sent: Friday, July 24, 2009 9:53 AM
> To: li...@zopyx.com
> Cc: zope@zope.org
> Subject: RE: [Zope] HTTP Request Denial of Service Vulnerability
>
> It is not related to the specified hotfix. I'm getting details now, but this is
> how it seems:
> 1. This is from the Foundstone product, not a public advisory. The
> Foundstone product is a vulnerability scanner, and it seems that it feels
> that the original poster's site is vulnerable to the stated issue.
> 2. The vulnerability check was written and published in 2002.
> 3. I am looking into details regarding both what the details of this issue
> originally were, and what we look for to trigger its existence.
>
> This leads to a couple of observations.
>
> 1. This is likely a false positive, unless the original poster was running
> ridiculously old software.
> 2. We will fix the check logic or remove the check entirely. Checks this old
> rarely add much value to the product.
> 3. In any case, if the check stays, we will update the text. I'm not sure
> who wrote the original text in 2002, but it obviously doesn't apply now.
>
>
> -----Original Message-----
> From: Andreas Jung [mailto:li...@zopyx.com]
> Sent: Friday, July 24, 2009 9:43 AM
> To: Permeh, Ryan
> Cc: zope@zope.org
> Subject: Re: [Zope] HTTP Request Denial of Service Vulnerability
>
> Hi,
>
> On 24.07.09 18:24, ryan_per...@mcafee.com wrote:
>> I manage product security at McAfee, of which Foundstone is a part. I am
>> not aware of releasing such an advisory, and am looking into this. Could we
>> get details regarding where this was found? Was this posted to a web site?
>> A security mailing list? And when was it posted? This may have a very
>> different meaning if it was published in 2001 or something like that.
>> Alternately, Foundstone produces vulnerability management software; was
>> this in a report generated by that product?
>>
> I have no idea what you are talking about.
>
> We had this strange mail thread this week:
>
> http://mail.zope.org/pipermail/zope/2009-July/175308.html
>
> related to this hotfix
>
> http://www.zope.org/Products/Zope/Hotfix-2008-08-12
>
> Now how is this related to "HTTP Request Denial of Service Vulnerability"???
>
> I cannot find anything related to the subject within the list of our
> hotfixes (which is pretty small since 2000):
>
> _______________________________________________
> Zope maillist - Zope@zope.org
> http://mail.zope.org/mailman/listinfo/zope
> ** No cross posts or HTML encoding! **
> (Related lists -
> http://mail.zope.org/mailman/listinfo/zope-announce
> http://mail.zope.org/mailman/listinfo/zope-dev )
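The root cause Ryan gives above, a version regex that treated 2.10 the same as 2.1, is the usual lexical-versus-numeric version comparison mistake in scanner fingerprinting. As an added example (not McAfee's, Foundstone's or Zope's code; the "buggy" regex is a constructed stand-in for the kind of check described, and all function names and sample version strings are made up here), this shows the prefix match that produces the false positive beside a numeric check restricted to the affected range 2.0 through 2.5.01:

```python
import re

# Affected range named in the thread: Zope 2.0 through 2.5.01 (inclusive).
AFFECTED_MIN = (2, 0, 0)
AFFECTED_MAX = (2, 5, 1)

# Constructed stand-in for the faulty check: a lexical prefix match on the
# version string. "2.10" and "2.11" start with "2.1", so they match exactly
# like "2.1" does. This illustrates the bug described in the thread; it is
# not the scanner's real regex.
BUGGY_RE = re.compile(r"^2\.[0-5]")


def buggy_is_vulnerable(version: str) -> bool:
    return BUGGY_RE.match(version) is not None


def parse_version(version: str) -> tuple:
    """Turn "2.10.3" into (2, 10, 3) so components compare as integers.

    Missing components are padded with 0, so "2.5" becomes (2, 5, 0); the
    leading zero in "2.5.01" is harmless because "01" becomes 1.
    """
    parts = [int(p) for p in re.findall(r"\d+", version)]
    if not parts:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple((parts + [0, 0, 0])[:3])


def fixed_is_vulnerable(version: str) -> bool:
    """Flag only versions that fall numerically inside the affected range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def compare_checks(versions):
    """Return {version: (buggy_result, fixed_result)} for each version string."""
    return {v: (buggy_is_vulnerable(v), fixed_is_vulnerable(v)) for v in versions}


if __name__ == "__main__":
    # Constructed sample version strings, including the 2.10 case from the thread.
    samples = ["2.1.0", "2.5.01", "2.5.02", "2.6.0", "2.10.9", "2.11.2", "3.0"]
    for version, (buggy, fixed) in compare_checks(samples).items():
        note = "FALSE POSITIVE" if buggy and not fixed else ""
        print(f"{version:8} buggy={buggy!s:5} fixed={fixed!s:5} {note}")
```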