[Zope-Annce] Silva Security Alert 2005-02-05
faassen at infrae.com
Wed Feb 2 06:26:05 EST 2005
Silva Security Alert 2005-02-02
2 February 2005 -- Infrae has discovered a severe security bug in
Silva, which potentially allows untrusted users to alter live images and
files (all listed versions), as well as alter the draft state of Silva
Documents (in versions 0.9.3 and above). If your organisation is running
Silva we strongly recommend an upgrade as soon as possible.
The problem has been found in all Silva versions currently in use. We've
fixed it in our version control repository for the following major versions:
Silva 1.2 (under development)
The recommended way to fix this problem is to upgrade to a new bugfix
release for the major version of Silva that you are running. We have
made bugfix releases of the affected Zope products available.
For versions of Silva 0.9.1 and 0.9.2, only an upgrade of the Silva
product itself is necessary. For versions of Silva 0.9.3 and up, an
upgrade of both the Silva and SilvaDocument products is needed. Only
these products need upgrading.
If you have any questions or special requirements concerning your
upgrade, please contact Infrae.
We apologise in advance for the inconvenience.
Bugfix versions of Silva and SilvaDocument can be downloaded in the
Silva and SilvaDocument download areas on www.infrae.com:
Bugfixed versions are:
The beta version of Silva 1.2, already released, also contains the fixes.
Quick installation instructions
To install this bugfix release, first remove the old Silva Product,
unpack the .tgz file for your current Silva version in the Zope Products
directory and restart Zope. If you're running 0.9.3, 1.0 or 1.1, you
should also replace the SilvaDocument product with the updated version.