[Zope] [Security advisory] Zope 2.7 + 2.8

Bill Campbell bill at celestial.net
Thu Dec 9 13:20:49 EST 2004


There's a typo in the configuration below.  It should be:

security-policy-implementation python

Not:
security-policy-implemenation python

On Thu, Dec 09, 2004, Andreas Jung wrote:
>
>Synopsis:
>
>   Due to an error in the cAccessControl module of Zope it is possible to
>   bring down a complete Zope site as documented in
>
>    http://mail.zope.org/pipermail/zope-dev/2004-December/024087.html
>
>   This exploit causes a segmentation fault of the Python interpreter.
>   Vulnerable for this exploit are at least all Zope installations
>   that allow untrusted users to edit ZPTs (possibly DTML as well) either
>   through the ZMI or through the file system.
>
>
>Affected versions:
>
>    Zope 2.7.X, Zope 2.8.X
>
>
>Recommended solution:
>
>   Turn off cAccessControl and enable the Python AccessControl implementation
>   in etc/zope.conf (this line is commented in the default configuration):
>
>     security-policy-implemenation python
>
>
>A fixed implementation of cAccessControl will be included in the upcoming
>Zope 2.7.4 beta 2 release.
>
>
>----
>Andreas Jung
>Zope 2 Release Manager
>
>_______________________________________________
>Zope maillist  -  Zope at zope.org
>http://mail.zope.org/mailman/listinfo/zope
>**   No cross posts or HTML encoding!  **
>(Related lists - 
>http://mail.zope.org/mailman/listinfo/zope-announce
>http://mail.zope.org/mailman/listinfo/zope-dev )
>

-- 
Bill
--
INTERNET:   bill at Celestial.COM  Bill Campbell; Celestial Software LLC
UUCP:               camco!bill  PO Box 820; 6641 E. Mercer Way
FAX:            (206) 232-9186  Mercer Island, WA 98040-0820; (206) 236-1676
URL: http://www.celestial.com/

Many companies that have made themselves dependent on [the equipment of a
certain major manufacturer] (and in doing so have sold their soul to the
devil) will collapse under the sheer weight of the unmastered complexity of
their data processing systems.
		-- Edsger W. Dijkstra, SIGPLAN Notices, Volume 17, Number 5
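A small audit of the workaround discussed in this thread, added here as an example (it is not Zope's or the list's own code): it reads a zope.conf and reports whether the Python AccessControl implementation is actually enabled, treating the misspelled directive from the advisory as not applied, and the still-commented default line as leaving cAccessControl in use. The status names and the "last uncommented occurrence wins" rule are this example's assumptions.

```python
"""Audit a zope.conf for the AccessControl implementation directive.
Added example for this thread, not Zope's own code; the status names and
the 'last uncommented occurrence wins' rule are this example's assumptions."""

# Directive name as it must appear in etc/zope.conf (from the reply).
CORRECT_KEY = "security-policy-implementation"
# Misspelling from the original advisory text (missing the "t").
TYPO_KEY = "security-policy-implemenation"


def audit_zope_conf(conf_text):
    """Return one of: "python" (workaround active), "c" (C module active),
    "typo" (misspelled key, so the directive is not applied), "commented"
    (only the default commented-out line is present), "unknown"
    (unrecognised value), "absent" (no directive at all)."""
    active = None
    saw_typo = saw_commented = False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        commented = line.startswith("#")
        body = line.lstrip("#").strip() if commented else line
        parts = body.split(None, 1)
        if not parts:
            continue
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == TYPO_KEY and not commented:
            saw_typo = True
        elif key == CORRECT_KEY:
            if commented:
                saw_commented = True
            else:
                active = value  # assumption: last uncommented line wins
    if active is not None:
        return active if active in ("python", "c") else "unknown"
    if saw_typo:
        return "typo"
    return "commented" if saw_commented else "absent"


# Constructed zope.conf fragments (not taken from any real installation).
DEFAULT_CONF = "# security-policy-implementation C\ninstancehome $INSTANCE\n"
TYPO_CONF = "security-policy-implemenation python\n"
FIXED_CONF = "security-policy-implementation python\n"
```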
