Discussion:
[Zope-dev] Announcement: CVE-2010-1104, hotfix, Zope 2.12.22 and 2.13.12 releases
Georges Racinet
2012-01-18 22:46:32 UTC
Good evening all, (English version below)

Zope has announced a hotfix for a cross-site-scripting vulnerability.
After checking
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1104
and http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1104,
it seems that Zope 2.9.12 and 2.10.12, the most common versions on
which CPS 3.5 runs, are not affected.
These are in particular the versions found in the Debian packages on
apt.cps-cms.org.

----

A hotfix has been announced for a cross-site-scripting vulnerability on
the zope mailing-list.
After checking on
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1104
and http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1104,
it seems that Zope 2.9.12 and 2.10.12, which are the most common
versions on which CPS 3.5 runs, are not vulnerable to this issue.
These versions are precisely those that are available as Debian
packages on apt.cps-cms.org.


-------- Message original --------
Subject: [Zope-dev] Announcement: CVE-2010-1104, hotfix, Zope 2.12.22
and 2.13.12 releases
Date: Wed, 18 Jan 2012 17:30:30 -0500
From: Tres Seaver <tseaver-npLdOuuzvjyaMJb+***@public.gmane.org>
To: zope-announce-***@public.gmane.org, zope-***@public.gmane.org, Zope Developers
<zope-dev-***@public.gmane.org>, security-response-***@public.gmane.org



Overview
========

In response to the cross-site scripting vulnerability in Zope2 reported as
'CVE 2010-1104'[1], the Zope security response team announces the
availability of a hotfix product (for Zope < 2.12), and new releases for
the Zope 2.12 and 2.13 lines:

Hotfix: http://pypi.python.org/pypi/Products.Zope_Hotfix_CVE_2010_1104

Zope 2.12.22: http://pypi.python.org/pypi/Zope2/2.12.22

Zope 2.13.12: http://pypi.python.org/pypi/Zope2/2.13.12


WARNING: Zope < 2.12 is no longer officially supported, and may have
other unpatched vulnerabilities. You are encouraged to
upgrade to a supported Zope 2.


Installing the Hotfix
=====================

The hotfix has been tested with Zope instances using Zope 2.8.x - 2.11.x.
Users of Zope 2.12.x and 2.13.x should instead update to the latest
corresponding minor revision, which already includes this fix.

Download the tarball from the PyPI page:

http://pypi.python.org/pypi/Products.Zope_Hotfix_CVE_2010_1104

Unpack the tarball and add a 'products' key to the 'etc/zope.conf' of
your instance. E.g.::

    products /path/to/Products.Zope_Hotfix_CVE_2010_1104/Products

and restart. Alternatively, you may copy or symlink the 'Products'
directory into the 'Products' subdirectory of your Zope instance. E.g.::

    $ cp -r /path/to/Products.Zope_Hotfix_CVE_2010_1104/Products/Zope_Hotfix_CVE_2010_1104 \
        /path/to/instance/Products/


Verifying the Installation
--------------------------

After restarting the Zope instance, check the
'Control_Panel/Products' folder in the Zope Management Interface,
e.g.:

http://localhost:8080/Control_Panel/Products/manage_main

You should see the 'Zope_Hotfix_CVE_2010_1104' product folder there.




[1] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1104



Tres.
_______________________________________________
Zope-Dev maillist - Zope-Dev-***@public.gmane.org
https://mail.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
https://mail.zope.org/mailman/listinfo/zope-announce
https://mail.zope.org/mailman/listinfo/zope )
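The announcement above gives two remediation routes (the Products.Zope_Hotfix_CVE_2010_1104 product for Zope 2.8-2.11, or Zope 2.12.22 / 2.13.12 on the supported lines) and asks you to verify the hotfix by eye in the ZMI. The following script is an added example, not code from the announcement or from the Zope project: it encodes those rules and checks an instance directory on disk for the hotfix product, following both the 'products' directive in etc/zope.conf (including the '%define INSTANCE ...' / '$INSTANCE' substitution zope.conf commonly uses) and the instance's own Products/ subdirectory. The two throw-away instance layouts it builds for the demo are constructed, not real Zope checkouts; the 'unknown' verdict for Zope lines newer than 2.13 reflects that the announcement says nothing about them.

```python
"""Is this Zope 2 instance covered against CVE-2010-1104?

Added example (not the announcement's or Zope's own code).  Encodes the
remediation rules from the announcement and checks an instance directory
for the hotfix product the same way Zope would find it at start-up.
"""
import os
import re
import tempfile

HOTFIX_NAME = "Zope_Hotfix_CVE_2010_1104"
# First release on each supported line that contains the fix (per the announcement).
FIXED_RELEASES = {(2, 12): 22, (2, 13): 12}


def parse_version(version):
    """'2.13.12' -> (2, 13, 12); a missing patch level counts as 0."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError("unrecognised Zope version: %r" % version)
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def release_status(version):
    """'fixed'           - the release itself contains the fix
       'upgrade'         - supported line, but older than the fixed release
       'hotfix-required' - Zope < 2.12: unsupported, install the hotfix product
       'unknown'         - a line the announcement does not cover"""
    major, minor, patch = parse_version(version)
    if (major, minor) in FIXED_RELEASES:
        return "fixed" if patch >= FIXED_RELEASES[(major, minor)] else "upgrade"
    if (major, minor) < (2, 12):
        return "hotfix-required"
    return "unknown"


def product_dirs(instance_dir):
    """Directories Zope scans for products: the instance's own Products/
    plus every 'products' directive in etc/zope.conf.  '%define NAME value'
    lines are tracked so that '$NAME' in a products path is expanded."""
    dirs = [os.path.join(instance_dir, "Products")]
    defines = {}
    conf = os.path.join(instance_dir, "etc", "zope.conf")
    if not os.path.isfile(conf):
        return dirs
    with open(conf) as fh:
        for raw in fh:
            line = raw.split("#", 1)[0].strip()   # drop comments
            if not line:
                continue
            parts = line.split(None, 1)
            key, rest = parts[0], (parts[1] if len(parts) > 1 else "")
            if key == "%define":
                name_value = rest.split(None, 1)
                if len(name_value) == 2:
                    defines[name_value[0]] = name_value[1]
            elif key == "products" and rest:
                path = rest
                for name, value in defines.items():
                    path = path.replace("$" + name, value)
                dirs.append(path)
    return dirs


def hotfix_installed(instance_dir):
    """True when a Zope_Hotfix_CVE_2010_1104 product directory sits in any
    product directory, i.e. Zope would load it on restart."""
    return any(os.path.isdir(os.path.join(d, HOTFIX_NAME))
               for d in product_dirs(instance_dir))


def assess(instance_dir, zope_version):
    """(release status, hotfix product present) for one instance."""
    return release_status(zope_version), hotfix_installed(instance_dir)


def demo():
    """Two constructed Zope 2.9.12 instance layouts: one with the unpacked
    hotfix wired in through a 'products' directive, one bare."""
    root = tempfile.mkdtemp()
    patched = os.path.join(root, "patched")
    bare = os.path.join(root, "bare")
    for inst in (patched, bare):
        os.makedirs(os.path.join(inst, "etc"))
        os.makedirs(os.path.join(inst, "Products"))
    # unpacked tarball kept next to the instance, referenced via $INSTANCE
    os.makedirs(os.path.join(patched, "Products.Zope_Hotfix_CVE_2010_1104",
                             "Products", HOTFIX_NAME))
    with open(os.path.join(patched, "etc", "zope.conf"), "w") as fh:
        fh.write("%define INSTANCE " + patched + "\n"
                 "# products directive as in the announcement\n"
                 "products $INSTANCE/Products.Zope_Hotfix_CVE_2010_1104/Products\n")
    with open(os.path.join(bare, "etc", "zope.conf"), "w") as fh:
        fh.write("%define INSTANCE " + bare + "\n")
    return {"patched": assess(patched, "2.9.12"),
            "bare": assess(bare, "2.9.12")}


if __name__ == "__main__":
    for name, verdict in sorted(demo().items()):
        print(name, verdict)
```

Run it against a real instance with assess("/path/to/instance", "2.9.12"): a 'hotfix-required' status with the product absent means the instance is still exposed, and a 'fixed' status makes the hotfix redundant (the announcement says 2.12.x / 2.13.x users should upgrade rather than install it). The on-disk check is only half of the verification in the announcement: after a restart, the product should also appear under Control_Panel/Products in the ZMI, which confirms Zope actually imported it.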
