[Zope-dev] Packaging Zope for Fedora

Andreas Jung lists at zopyx.com
Thu Mar 27 15:12:38 EDT 2008



--On 27 March 2008 20:42:50 +0200 Marius Gedminas <mgedmin at b4net.lt> wrote:

> On Wed, Mar 26, 2008 at 09:20:27PM +0100, Dieter Maurer wrote:
>> Timothy Selivanow wrote at 2008-3-25 17:12 -0700:
>> > ...
>> > Now when I say "rip out", I don't mean repackage (make a sub RPM), I
>> > mean remove from the RPM that I am making.  I don't want to provide a
>> > "new" Docutils.
>>
>> That Zope ships with its own "Docutils" comes from the fact
>> that the standard one has a big security hole.
>
> Which one?  The one that lets you embed any file on the filesystem into
> a web page?
>
>   http://docutils.sourceforge.net/docs/howto/security.html
>
> I didn't know Zope's bundled version of docutils fixed that.  In any
> case, the src/docutils in the Zope 3.2 tree either doesn't have the fix,
> or it doesn't work.  I tested it and ended up closing that hole in an
> application myself.

At least Zope 2 uses Docutils with the related options disabled. No
idea about Zope 3.2.

-aj
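
The message does not name the "related options". Assuming they are the `file_insertion_enabled` and `raw_enabled` settings from the Docutils security how-to linked above, the following added example (not part of the original thread and not Zope's own code) renders one constructed input with and without them. The names `HARDENED`, `PERMISSIVE`, `render` and `demo`, the file contents and the marker string are made up for illustration.

```python
import os
import tempfile

from docutils.core import publish_parts

# Settings named in the Docutils security how-to for untrusted input.
HARDENED = {
    "file_insertion_enabled": False,  # include, raw :file:, csv-table :file:
    "raw_enabled": False,             # the raw directive as a whole
    "_disable_config": True,          # do not read docutils.conf files
    "report_level": 5,                # keep "directive disabled" notices quiet
}

# Explicitly permissive settings, for comparison only.
PERMISSIVE = dict(HARDENED, file_insertion_enabled=True, raw_enabled=True)


def render(rst_text, settings):
    """Render reST to an HTML body fragment with the given settings."""
    parts = publish_parts(rst_text, writer_name="html",
                          settings_overrides=settings)
    return parts["body"]


def demo():
    """Return (permissive_html, hardened_html) for one constructed input."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed stand-in for a server-side file a visitor must not read.
        secret_path = os.path.join(tmp, "secret.txt")
        with open(secret_path, "w") as fh:
            fh.write("CONSTRUCTED-SECRET-12345\n")

        # Constructed "user-supplied" page content.
        untrusted = (
            "Hello\n\n"
            ".. include:: " + secret_path + "\n\n"
            ".. raw:: html\n\n"
            "   <span id=\"constructed-raw-marker\"></span>\n"
        )
        return render(untrusted, PERMISSIVE), render(untrusted, HARDENED)


if __name__ == "__main__":
    permissive, hardened = demo()
    print("file leaked, permissive:", "CONSTRUCTED-SECRET-12345" in permissive)
    print("file leaked, hardened:  ", "CONSTRUCTED-SECRET-12345" in hardened)
```

Settings passed as `settings_overrides` apply per call, so an application that renders reST in more than one place needs them at every call site that handles untrusted text.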