[Zope-CMF] CMF security patches in Products.PloneHotfix20121106

David Glick (Plone) david.glick at plone.org
Fri Nov 9 19:29:07 UTC 2012


On 11/9/12 11:23 AM, Charlie Clark wrote:
> On 09.11.2012 at 17:02, Jens Vagelpohl <jens at dataflake.org> wrote:
>
>> Hi all,
>>
>> I don't recall any information being provided to the CMF developers 
>> about CMF fixes in the most recent Plone Hotfix:
>>
>> http://plone.org/products/plone-hotfix/releases/20121106
>>
>> For example, there's a monkey patch to make sure getToolByName only 
>> returns valid tool objects and nothing else, see the attached file.
>>
>> I'm not sure if there's an oversight of not forwarding this 
>> information to us or if it was determined this fix is not relevant 
>> for the CMF. Would any list member who also works on Plone have an 
>> insight?
>>
>> Thanks!
>>
>> jens
>
> I got this back from David Glick after asking security at plone.org:
>
> """
> Thanks. We haven't had a chance to start applying the patches in the 
> hotfix back to where they really belong, but we'll do so soon.  Note 
> that for the time being it should be possible to apply the Plone 
> hotfix to pure CMF sites as well to patch this issue.
> """
>
> Still no wiser as to why we weren't informed.

We should have informed you earlier. There are a lot of tasks associated 
with preparing a hotfix (and this one in particular covered many 
vulnerabilities), and it got missed. I apologize.

In the future, what's the best place to report possible CMF security 
issues? zope-cmf Launchpad?

David
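To make the fix Jens describes concrete, here is an added illustration of the defensive pattern behind a "getToolByName only returns valid tool objects" patch. This is constructed example code, not the hotfix's own code and not Zope/CMF code: acquisition is modelled as a toy parent-chain lookup, tools are recognised by a marker base class (an assumption standing in for whatever check the real patch uses), and the sample site contents are invented. The point it demonstrates is that a name-based lookup that walks an acquisition chain can hand back any object matching the name, so the hardened wrapper treats a non-tool result as "tool not found" instead of returning it.

```python
"""Constructed model of a hardened getToolByName wrapper.

Not Zope/CMF code: Container/acquire are a toy stand-in for acquisition,
and ToolBase is an assumed marker for "this object is a tool".
"""

_marker = object()


class Item:
    """Common base for everything addressable by id in the toy site."""

    def __init__(self, item_id):
        self.id = item_id

    def getId(self):
        return self.id


class ToolBase(Item):
    """Marker base class: only instances of this count as tools (assumption)."""


class Document(Item):
    """A plain content object; must never be returned as a tool."""

    def __init__(self, item_id, body):
        super().__init__(item_id)
        self.body = body


class Container(Item):
    """Minimal folder with a parent pointer for acquisition-style lookup."""

    def __init__(self, item_id, parent=None):
        super().__init__(item_id)
        self.parent = parent
        self.children = {}

    def add(self, obj):
        self.children[obj.getId()] = obj
        return obj


def acquire(context, name):
    """Walk the container chain upwards and return the first child named
    `name` (a toy model of Zope acquisition). Raises AttributeError if none."""
    node = context
    while node is not None:
        if name in node.children:
            return node.children[name]
        node = node.parent
    raise AttributeError(name)


def getToolByName_unpatched(context, name, default=_marker):
    """Behaviour the patch addresses: whatever acquisition finds is returned,
    whether or not it is a tool."""
    try:
        return acquire(context, name)
    except AttributeError:
        if default is _marker:
            raise
        return default


def getToolByName_patched(context, name, default=_marker):
    """Hardened wrapper: same lookup, but only a real tool is handed back.
    A non-tool result is treated exactly like a missing tool."""
    try:
        obj = acquire(context, name)
    except AttributeError:
        obj = None
    if obj is None or not isinstance(obj, ToolBase):
        if default is _marker:
            raise AttributeError("%s is not a registered tool" % name)
        return default
    return obj


def build_sample_site():
    """Constructed site: one tool, one content object, one sub-folder."""
    portal = Container("portal")
    portal.add(ToolBase("portal_membership"))
    portal.add(Document("secret_doc", "constructed internal notes"))
    folder = portal.add(Container("folder", parent=portal))
    return portal, folder


if __name__ == "__main__":
    portal, folder = build_sample_site()
    # Unpatched: a content object is returned under the guise of a tool.
    print(type(getToolByName_unpatched(folder, "secret_doc")).__name__)
    # Patched: real tools still resolve, non-tools fall back to the default.
    print(getToolByName_patched(folder, "portal_membership").getId())
    print(getToolByName_patched(folder, "secret_doc", None))
```

Running the module shows `Document` for the unpatched lookup, `portal_membership` for the patched lookup of a genuine tool, and `None` for the patched lookup of the content object. The same lookup code is shared by both wrappers on purpose: the hardening is purely a check on the result, which is what makes it suitable for applying as a monkey patch over an existing function.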


