[Zope-dev] Announcement: CVE-2010-1104, hotfix, Zope 2.12.22 and 2.13.12 releases
Georges Racinet
2012-01-18 22:46:32 UTC
Good evening everyone, (English version below)

Zope has announced a hotfix for a vulnerability of type
After checking on
and http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1104,
it would seem that Zope 2.9.12 and 2.10.12, the most common
versions on which CPS 3.5 runs, are not affected.
These are in particular the versions found in the Debian packages of


A hotfix has been announced on the zope mailing list for a
cross-site-scripting vulnerability.
After checking on
and http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1104,
it seems that Zope 2.9.12 and 2.10.12, which are the most common
versions on which CPS-3.5 runs, are not vulnerable to this issue.
These versions are precisely those that are available as Debian
packages on apt.cps-cms.org.

-------- Original Message --------
Subject: [Zope-dev] Announcement: CVE-2010-1104, hotfix, Zope 2.12.22
and 2.13.12 releases
Date: Wed, 18 Jan 2012 17:30:30 -0500
From: Tres Seaver <tseaver-npLdOuuzvjyaMJb+***@public.gmane.org>
To: zope-announce-***@public.gmane.org, zope-***@public.gmane.org, Zope Developers
<zope-dev-***@public.gmane.org>, security-response-***@public.gmane.org


In response to the cross-site scripting vulnerability in Zope2 reported as
'CVE-2010-1104'[1], the Zope security response team announces the
availability of a hotfix product (for Zope < 2.12), and new releases for
the Zope 2.12 and 2.13 lines:

Hotfix: http://pypi.python.org/pypi/Products.Zope_Hotfix_CVE_2010_1104

Zope 2.12.22: http://pypi.python.org/pypi/Zope2/2.12.22

Zope 2.13.12: http://pypi.python.org/pypi/Zope2/2.13.12

WARNING: Zope < 2.12 is no longer officially supported, and may have
other unpatched vulnerabilities. You are encouraged to
upgrade to a supported Zope 2.

Installing the Hotfix

The hotfix has been tested with Zope instances using Zope 2.8.x - 2.11.x.
Users of Zope 2.12.x and 2.13.x should instead update to the latest
corresponding minor revision, which already includes this fix.

Download the tarball from the PyPI page:


Unpack the tarball and add a 'products' key to the 'etc/zope.conf' of
your instance. E.g.::

products /path/to/Products.Zope_Hotfix_CVE_2010_1104/Products

and restart. Alternatively, you may copy or symlink the 'Products'
directory into the 'Products' subdirectory of your Zope instance. E.g.::

$ cp -r /path/to/Products.Zope_Hotfix_CVE_2010_1104/Products \

Verifying the Installation

After restarting the Zope instance, check the
'Control_Panel/Products' folder in the Zope Management Interface,


You should see the 'Zope_Hotfix_CVE_2010_1104' product folder there.

[1] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1104

Zope-Dev maillist - Zope-Dev-***@public.gmane.org
** No cross posts or HTML encoding! **
(Related lists -
https://mail.zope.org/mailman/listinfo/zope )
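The hotfix installation and verification steps in the announcement above, scripted as an added example. This is not code from the Zope announcement or from the hotfix package: it registers an already-unpacked hotfix with a Zope < 2.12 instance through a 'products' key in etc/zope.conf (the first of the two methods Tres describes), is safe to re-run, and then does the offline equivalent of the ZMI check by confirming that a registered 'products' path actually contains the Zope_Hotfix_CVE_2010_1104 directory. The function names, the example paths and the constructed directory layout used for the self-test are assumptions; the restart and the Control_Panel/Products check in the ZMI still have to be done by hand.

```shell
#!/bin/sh
# Added example, not part of the Zope announcement or the hotfix package.
# Registers an unpacked Products.Zope_Hotfix_CVE_2010_1104 tarball with a
# Zope < 2.12 instance by appending a 'products' key to etc/zope.conf.
# Function names and paths are assumptions; adjust to your instance.

# Usage: install_hotfix <unpacked-hotfix-dir> <zope-instance-dir>
install_hotfix() {
    hotfix="$1"
    instance="$2"
    products="$hotfix/Products"
    conf="$instance/etc/zope.conf"

    # The tarball unpacks to .../Products/Zope_Hotfix_CVE_2010_1104; refuse
    # to register a path that does not actually contain the hotfix.
    [ -d "$products/Zope_Hotfix_CVE_2010_1104" ] || {
        echo "hotfix product directory not found under $products" >&2
        return 1
    }
    [ -f "$conf" ] || { echo "no zope.conf at $conf" >&2; return 1; }

    # Add the 'products' line only once so that re-running is harmless
    # (-x matches the whole line, -F treats the path as a literal string).
    if grep -qxF "products $products" "$conf"; then
        echo "already registered in $conf"
    else
        printf 'products %s\n' "$products" >> "$conf"
        echo "registered $products in $conf; restart the instance"
    fi
}

# Offline counterpart of the ZMI check: Zope populates Control_Panel/Products
# from the directories named by 'products' keys, so the hotfix can only show
# up there if one of those directories contains Zope_Hotfix_CVE_2010_1104.
# Usage: hotfix_registered <zope-instance-dir>   (exit 0 if registered)
hotfix_registered() {
    conf="$1/etc/zope.conf"
    [ -f "$conf" ] || return 1
    # Strip the 'products' keyword and test each configured path in turn.
    found=$(sed -n 's/^products[[:space:]]*//p' "$conf" | while read -r dir; do
        [ -d "$dir/Zope_Hotfix_CVE_2010_1104" ] && echo yes && break
    done) || true
    [ "$found" = yes ]
}
```

The check deliberately does not trust the mere presence of the line in zope.conf: a 'products' key pointing at a path that was later moved or deleted would pass a grep but leave the instance unpatched, which is exactly the situation the ZMI check in the announcement is meant to catch.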