[Zope-dev] Resolved security-related collector issues for the public?

Clemens Robbenhaar robbenhaar at espresto.com
Thu Jan 22 06:45:49 EST 2004


 [...]
 > there were several security-related fixes in the collector (and the
 > collector-mailing-list) in the last days. Normally security-related stuff is
 > not visible for the public... and this seems to be good to avoid exploits
 > etc.

 At least for the resolved issues the fixes are publicly available from
the CVS (maybe even together with log messages).
 Sufficiently skilled people thus can reconstruct the security issues
from the changes; I feel there is no point in hiding them any longer.

 On the other hand admins may be less pressed to upgrade if they look at
the currently available list of fixes and find none which hurts them in
their setup ... for example I do not have untrusted users able to write
malicious Python Scripts on my site (I guess ;-), and I do not use DTML
or some Tree-stuff -- thus I did not upgrade yet, and you may feel free
to blow my site with one of the not yet published issues.

my 2 cents, 
Clemens

 btw: it does not look like either zope.org or zope.com has been
upgraded yet? The find-support still looks quite public ...


