[Zope] HTTP Request Denial of Service Vulnerability

TsungWei Hu marr.tw at gmail.com
Mon Jul 20 02:04:45 EDT 2009


The observation and recommendation are specifically generated by Foundstone
Labs' software.
It's my fault to suggest that it might be related to Hotfix-2008-08-12.
From my side, I will try to stop improper information from Foundstone lab.

Thanks, marr

On Mon, Jul 20, 2009 at 12:20 PM, Andreas Jung <lists at zopyx.com> wrote:

> On 20.07.09 04:06, TsungWei Hu wrote:
> > I have a Plone 3.2.3 site that runs with Zope 2.10.8 and receive a
> > security notice as follows. Is it sufficient to fix this just
> > installing http://www.zope.org/Products/Zope/Hotfix-2008-08-12 ?
> > Thanks, /marr/
> >
> >
> > Although the Zope development environment is one of the largest and
> > most widely supported open source web content management solutions, it
> > has been plagued with exploitable vulnerabilities. Due to the nature
> > of the software and sheer number of vulnerabilities, Foundstone Labs
> > recommends you consider utilizing a different content management
> > solution and at a minimum upgrade your software. Zope updates can be
> > freely downloaded from www.zope.org <http://www.zope.org>
>
> TsungWei, with respect but you are telling barely nonsense. The mentioned
> issue only affected sites where managers gave ZMI access to untrusted
> users. So this issue is of limited importance. In addition it has been
> fixed within less than one day (compare this to other systems).
> In addition: Zope is an application server, not a CMS. Also: compare the
> number of critical bugs within Zope to other systems.
>
> ZOPE IS VERY SECURE.
>
> So please stop with such postings spreading FUD and containing improper
> information.
>
> Andreas Jung
> Zope 2 Release Manager