[Zope-Annce] Annoucment: CVE-2010-1104, hotfix, Zope 2.12.22 and 2.13.12 releases

Tres Seaver tseaver at palladion.com
Wed Jan 18 22:30:30 UTC 2012


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Overview
========

In response to the cross-site scripting vulnerability in Zope2 reported as
'CVE 2010-1104'[1], the Zope security response team announces the
availablility of a hotfix product (for Zope < 2.12), and new releases for
the Zope 2.12 and 2.13 lines:

Hotfix:  http://pypi.python.org/pypi/Products.Zope_Hotfix_CVE_2010_1104

Zope 2.12.22:  http://pypi.python.org/pypi/Zope2/2.12.22

Zope 2.13.12:  http://pypi.python.org/pypi/Zope2/2.13.12


WARNING: Zope < 2.12 is no longer officially supported, and may have
         other unpatched vulnerabilities. You are encouraged to
         upgrade to a supported Zope 2.


Installing the Hotfix
=====================

The hotfix has been tested with Zope instances using Zope 2.8.x - 2.11.x.
Users of Zope 2.12.x and 2.13.x should instead update to the latest
corresponding minor revision, which already includes this fix.

Download the tarball from the PyPI page:

 http://pypi.python.org/pypi/Products.Zope_Hotfix_CVE_2010_1104

Unpack the tarball and add a 'products' key to the 'etc/zope.conf' of
your instance.  E.g.::

  products /path/to/Products.Zope_Hotfix_CVE_2010_1104/Products

and restart.  Alternatively, you may copy or symlink the 'Products'
directory into the 'Products' subdirectory of your Zope instance.  E.g.::

  $ cp -r /path/to/Products.Zope_Hotfix_CVE_2010_1104/Products \
    /path/to/instance/Products/


Verifying the Installation
- --------------------------

After restarting the Zope instance, check the
'Control_Panel/Products' folder in the Zope Management Interface,
e.g.:

  http://localhost:8080/Control_Panel/Products/manage_main

You should see the 'Zope_Hotfix_CVE_2010_1104' product folder there.




[1] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1104



Tres.
- -- 
===================================================================
Tres Seaver          +1 540-429-0999          tseaver at palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk8XSAYACgkQ+gerLs4ltQ4hNgCeIuBeZz2deF95lglP+kiGg66I
YCAAnjiaDBpuB5XD0wAK7WHicxPp1abS
=MsHo
-----END PGP SIGNATURE-----


More information about the Zope-Announce mailing list