[Zope-Annce] Silva Security Alert 2005-02-05

Martijn Faassen faassen at infrae.com
Wed Feb 2 06:26:05 EST 2005


Silva Security Alert 2005-02-02
===============================

2 February 2005 -- Infrae has discovered a severe security bug in
Silva, which potentially allows untrusted users to alter live images and 
files (all listed versions), as well as alter the draft state of Silva 
Documents (in versions 0.9.3 and above). If your organisation is running 
Silva we strongly recommend an upgrade as soon as possible.

The problem has been found in all Silva versions currently in use. We've 
fixed it in our version control repository for the following major versions:

Silva 1.2 (under development)
Silva 1.1
Silva 1.0
Silva 0.9.3
Silva 0.9.2
Silva 0.9.1

The recommended way to fix this problem is to upgrade to the new bugfix
release for the major version of Silva that you are running. We have
made bugfix releases of the affected Zope products available.

For versions of Silva 0.9.1 and 0.9.2, only an upgrade of the Silva
product itself is necessary. For versions of Silva 0.9.3 and up, an
upgrade of both the Silva and SilvaDocument products is needed. Only 
these products need upgrading.

If you have any questions or special requirements concerning your
upgrade, please contact Infrae.

We apologise in advance for the inconvenience.

Bugfix versions of Silva and SilvaDocument can be downloaded in the 
Silva and SilvaDocument download areas on www.infrae.com:

http://www.infrae.com/download/Silva
http://www.infrae.com/download/SilvaDocument

Bugfixed versions are:

0.9.1
-----

Silva-0.9.1.13.tgz

0.9.2
-----

Silva-0.9.2.8.tgz

0.9.3
-----

Silva-0.9.3.7.tgz
SilvaDocument-0.9.3.8.tgz

1.0
---

Silva-1.0.3.tgz
SilvaDocument-1.0.3.tgz

1.1
---

Silva-1.1.2.tgz
SilvaDocument-1.1.2.tgz

The beta version of Silva 1.2, already released, also contains the fixes.

Quick installation instructions
-------------------------------

To install this bugfix release, first remove the old Silva Product,
unpack the .tgz file for your current Silva version in the Zope Products
directory and restart Zope. If you're running 0.9.3, 1.0 or 1.1, you
should also replace the SilvaDocument product with the updated version.
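
To confirm which products on a given instance still need replacing, the fixed-version list above can be turned into a check. This is an added example, not code from Infrae or Silva; the function names are hypothetical and it assumes you supply the installed version strings yourself.

```python
# Added example. Fixed releases are transcribed from the advisory's list.
FIXED = {
    "Silva": {"0.9.1": "0.9.1.13", "0.9.2": "0.9.2.8", "0.9.3": "0.9.3.7",
              "1.0": "1.0.3", "1.1": "1.1.2"},
    "SilvaDocument": {"0.9.3": "0.9.3.8", "1.0": "1.0.3", "1.1": "1.1.2"},
}


def parse(version):
    """Turn '0.9.3.7' into (0, 9, 3, 7); raises ValueError on non-numeric parts."""
    return tuple(int(part) for part in version.strip().split("."))


def release_line(parsed):
    """0.9.x lines are keyed on three components, 1.x lines on two."""
    width = 3 if parsed[0] == 0 else 2
    return ".".join(str(n) for n in parsed[:width])


def check(product, version):
    """Return (state, tarball): state is 'fixed', 'upgrade' or 'unlisted'."""
    try:
        parsed = parse(version)
    except ValueError:
        return ("unlisted", None)  # e.g. a beta tag; not covered by the table
    fixed = FIXED.get(product, {}).get(release_line(parsed))
    if fixed is None:
        return ("unlisted", None)  # line not named in the advisory's list
    if parsed >= parse(fixed):
        return ("fixed", None)
    return ("upgrade", "%s-%s.tgz" % (product, fixed))


def audit(installed):
    """Map each product that still needs the bugfix release to its tarball."""
    result = {}
    for product, version in installed.items():
        state, tarball = check(product, version)
        if state == "upgrade":
            result[product] = tarball
    return result


if __name__ == "__main__":
    # Constructed sample: Silva already patched, SilvaDocument one release behind.
    print(audit({"Silva": "0.9.3.7", "SilvaDocument": "0.9.3.7"}))
```

A result of 'unlisted' means the version falls outside the release lines named in the list above, so it has to be assessed by hand.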


