Thanks. The vulnerability report was originally generated by the 'Foundstone Enterprise' product on July 2. I was told the license for this product has expired, so now I cannot know the exact product version. Anyway, glad to see this fixed.
/marr/

On Sat, Jul 25, 2009 at 3:35 AM, <ryan_per...@mcafee.com> wrote:
> Yes. We are going through our check database and changing the text of any
> "Do not use zope because of X" statements we find to "update zope to version
> X which fixes this issue", which is what it should have been originally.
> The Foundstone vulnerability management product is intended to help
> customers fix existing issues in their infrastructure, not to make judgment
> calls on their choice of deployed software.
>
> -----Original Message-----
> From: Chris McDonough [mailto:chr...@plope.com]
> Sent: Friday, July 24, 2009 12:05 PM
> To: Permeh, Ryan
> Cc: zope@zope.org
> Subject: Re: [Zope] HTTP Request Denial of Service Vulnerability
>
> Thanks Ryan!
>
> Were you also able (willing?) to take out the advice to not use Zope in the
> text? I assume that text shows up whenever a Zope-related vulnerability is
> encountered by the scanner.
>
> - C
>
> On 7/24/09 1:15 PM, ryan_per...@mcafee.com wrote:
> > Ok, the final analysis is as follows:
> >
> > We had an incorrect version regex that matched 2.10 the same as 2.1.
> > This issue seems to only affect zope version 2.0 through 2.5.01. This led
> > to the vulnerability showing up with recent versions of zope being scanned.
> >
> > We are fixing both the regex and the suggested fix. The new suggested
> > fix will be to update to the appropriate version of zope (in this case, post
> > 2.5.01), not to replace it with something else. This fix should be updated
> > within the next week or so.
> >
> > If you have any further questions pertaining to McAfee (or Foundstone)
> > security reports, please feel free to contact me directly, or via
> > secur...@mcafee.com. I am not a full time member of this list, so I may
> > not see any replies or questions made only to the list.
> >
> >
> > -----Original Message-----
> > From: Permeh, Ryan
> > Sent: Friday, July 24, 2009 9:53 AM
> > To: li...@zopyx.com
> > Cc: zope@zope.org
> > Subject: RE: [Zope] HTTP Request Denial of Service Vulnerability
> >
> > It is not related to the specified hotfix. I'm getting details now, but
> > this is how it seems:
> > 1. This is from the Foundstone product, not a public advisory. The
> > Foundstone product is a vulnerability scanner, and it seems that it feels
> > that the original poster's site is vulnerable to the stated issue.
> > 2. The vulnerability check was written and published in 2002.
> > 3. I am looking into details regarding both what the details of this
> > issue originally were, and what we look for to trigger its existence.
> >
> > This leads to a couple of observations.
> >
> > 1. This is likely a false positive, unless the original poster was
> > running ridiculously old software.
> > 2. We will fix the check logic or remove the check entirely. Checks this
> > old rarely add much value to the product.
> > 3. In any case, if the check stays, we will update the text. I'm not
> > sure who wrote the original text in 2002, but it obviously doesn't apply
> > now.
> >
> >
> > -----Original Message-----
> > From: Andreas Jung [mailto:li...@zopyx.com]
> > Sent: Friday, July 24, 2009 9:43 AM
> > To: Permeh, Ryan
> > Cc: zope@zope.org
> > Subject: Re: [Zope] HTTP Request Denial of Service Vulnerability
> >
> > Hi,
> >
> > On 24.07.09 18:24, ryan_per...@mcafee.com wrote:
> >> I manage product security at McAfee, of which Foundstone is a part. I
> >> am not aware of releasing such an advisory, and am looking into this. Could
> >> we get details regarding where this was found? Was this posted to a web
> >> site? A security mailing list? And when was it posted? This may have a
> >> very different meaning if it was published in 2001 or something like that.
> >> Alternately, Foundstone produces vulnerability management software; was
> >> this in a report generated by that product?
> >>
> > I have no idea what you are talking about.
> >
> > We had this strange mail thread this week:
> >
> > http://mail.zope.org/pipermail/zope/2009-July/175308.html
> >
> > related to this hotfix
> >
> > http://www.zope.org/Products/Zope/Hotfix-2008-08-12
> >
> > Now how is this related to "HTTP Request Denial of Service
> > Vulnerability"???
> >
> > I cannot find anything related to the subject within the list of our
> > hotfixes (which is pretty small since 2000):
> >
> > _______________________________________________
> > Zope maillist - Zope@zope.org
> > http://mail.zope.org/mailman/listinfo/zope
> > ** No cross posts or HTML encoding! **
> > (Related lists -
> > http://mail.zope.org/mailman/listinfo/zope-announce
> > http://mail.zope.org/mailman/listinfo/zope-dev )
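The root cause Ryan describes above, a version regex that treated Zope 2.10 as if it were 2.1, is the classic way a scanner signature produces false positives: the pattern inspects a string prefix instead of comparing parsed version components. The following is an added example, not code from this thread and not McAfee's or Foundstone's actual check. It contrasts a naive prefix regex with a parse-then-compare check over constructed Server banners. Only the affected range (Zope 2.0 through 2.5.01) comes from the thread; the banner formats, the naive pattern and every function name are assumptions.

```python
import re

# Version range the check in the thread was meant to cover: Zope 2.0 through 2.5.01.
# Everything else in this file is constructed for illustration.
AFFECTED_MIN = (2, 0)
AFFECTED_MAX = (2, 5, 1)      # "2.5.01" parses to (2, 5, 1)

# Pulls the version out of either a short "Zope/2.10.4" banner or the longer
# "Zope/(Zope 2.10.4-final, python 2.4.4, linux2) ZServer/1.1" shape (assumed formats).
_VERSION_RE = re.compile(r"Zope[/ ](?:\(Zope )?(\d+(?:\.\d+)+)")


def parse_version(banner):
    """Return the Zope version in a Server banner as a tuple of ints, or None."""
    m = _VERSION_RE.search(banner)
    if m is None:
        return None
    # int() also normalises zero-padded components, so "2.5.01" == "2.5.1".
    return tuple(int(part) for part in m.group(1).split("."))


def naive_is_affected(banner):
    """The failure mode from the thread: a regex that only examines a prefix.

    Hypothetical reconstruction of the bug, not the vendor's real pattern.
    "2\\.[0-5]" has no boundary after the minor component, so "2.10" matches
    exactly as "2.1" would, and "2.5.2" matches exactly as "2.5" would.
    """
    return re.search(r"Zope[/ ](?:\(Zope )?2\.[0-5]", banner) is not None


def is_affected(banner):
    """Correct check: parse the version, then compare it numerically to the range."""
    version = parse_version(banner)
    if version is None:
        return False           # no recognisable Zope banner: do not guess
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def compare_checks(banners):
    """Run both checks over a list of banners; value is (naive, correct)."""
    return {b: (naive_is_affected(b), is_affected(b)) for b in banners}


# Constructed sample banners, one per interesting case.
SAMPLE_BANNERS = [
    "Zope/2.1.6",                                                    # genuinely old
    "Zope/2.5.01",                                                   # last affected release
    "Zope/2.5.2",                                                    # past the range, naive still flags
    "Zope/(Zope 2.10.4-final, python 2.4.4, linux2) ZServer/1.1",    # the false positive from the thread
    "Apache/2.2.3",                                                  # not Zope at all
]

if __name__ == "__main__":
    for banner, (naive, correct) in compare_checks(SAMPLE_BANNERS).items():
        flag = "FALSE POSITIVE" if naive and not correct else ""
        print(f"{banner:65} naive={naive!s:5} correct={correct!s:5} {flag}")
```

Tuple comparison is what makes the numeric check safe across component counts: `(2, 10, 4)` is correctly greater than `(2, 5, 1)`, and a bare `(2, 5)` still falls inside the range because it sorts before `(2, 5, 1)`. When reviewing scanner signatures or writing your own, treat any version pattern that ends on a digit class without an anchor or delimiter as a defect to be fixed the same way.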