The observation and recommendation are specifically generated by Foundstone Labs' software.<br>It's my fault to suggest that it might be related to Hotfix-2008-08-12.<br>From my side, I will try to stop improper information from Foundstone Labs.<br>
<br>Thanks, marr<br><br><div class="gmail_quote">On Mon, Jul 20, 2009 at 12:20 PM, Andreas Jung <span dir="ltr"><<a href="mailto:lists@zopyx.com" target="_blank">lists@zopyx.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div>On 20.07.09 04:06, TsungWei Hu wrote:<br>
> I have a Plone 3.2.3 site that runs with Zope 2.10.8 and received a<br>
> security notice as follows. Is it sufficient to fix this by just<br>
> installing <a href="http://www.zope.org/Products/Zope/Hotfix-2008-08-12" target="_blank">http://www.zope.org/Products/Zope/Hotfix-2008-08-12</a> ?<br>
> Thanks, /marr/<br>
><br>
><br>
</div><div>> Although the Zope development environment is one of the largest and<br>
> most widely supported open source web content management solutions, it<br>
> has been plagued with exploitable vulnerabilities. Due to the nature<br>
> of the software and sheer number of vulnerabilities, Foundstone Labs<br>
> recommends you consider utilizing a different content management<br>
> solution and at a minimum upgrade your software. Zope updates can be<br>
</div>> freely downloaded from <a href="http://www.zope.org" target="_blank">www.zope.org</a> <<a href="http://www.zope.org" target="_blank">http://www.zope.org</a>><br>
<br>
TsungWei, with respect, but you are talking bare nonsense. The<br>
mentioned issue only affected<br>
sites where managers gave ZMI access to untrusted users. So this issue<br>
is of limited importance.<br>
In addition it has been fixed within less than one day (compare this to<br>
other systems).<br>
In addition: Zope is an application server, not a CMS. Also: compare the<br>
number of critical<br>
bugs within Zope to other systems.<br>
<br>
ZOPE IS VERY SECURE.<br>
<br>
So please stop with such postings spreading FUD and containing improper<br>
information.<br>
<font color="#888888"><br>
Andreas Jung<br>
Zope 2 Release Manager<br>
<br>
</font></blockquote></div><br>