[Zope] Hotfix for security vulnerability

Encolpe Degoute encolpe.degoute at quadra-informatique.fr
Tue Oct 25 10:52:33 UTC 2011


Hello,

Both of these URLs are not available:
- http://download.zope.org/Zope2/index/2.12.21/versions.cfg
- http://download.zope.org/Zope2/index/2.13.11/versions.cfg

Regards,
Encolpe DEGOUTE

On 24/10/2011 23:54, Tres Seaver wrote:
> On behalf of the Zope security response team, I would like to announce
> the availability of a hotfix for a vulnerability inadvertently
> published earlier today.
> 
> 'Products.Zope_Hotfix_20111024' README
> ======================================
> 
> Overview
> --------
> 
> This hotfix addresses a serious vulnerability in the Zope2
> application server.  Affected versions of Zope2 include:
> 
> - 2.12.x <= 2.12.20
> 
> - 2.13.x <= 2.13.6
> 
> Older releases (2.11.x, 2.10.x, etc.) are not vulnerable.
> 
> The Zope2 security response team recommends that all users of
> these releases upgrade to an unaffected release (2.12.21 or
> 2.13.11) as soon as they become available.
> 
> Until that upgrade is feasible, deploying this hotfix also
> mitigates the vulnerability.
> 
> 
> Installing the Hotfix:  Via 'easy_install'
> -------------------------------------------
> 
> If the Python which runs your Zope instance has 'setuptools'
> installed (or is a 'virtualenv'), you can install the hotfix
> directly from PyPI::
> 
>   $ /prefix/bin/easy_install Products.Zope_Hotfix_20111024
> 
> and then restart the Zope instance, e.g.:
> 
>   $ /path/to/instance/bin/zopectl restart
> 
> 
> Installing the Hotfix:  Via 'zc.buildout'
> -----------------------------------------
> 
> If your Zope instance is managed via 'zc.buildout', you can
> install the hotfix directly from PyPI.  Edit the 'buildout.cfg'
> file, adding "Products.Zope_Hotfix_20111024" to the "eggs"
> section of the instance.  E.g.::
> 
>   [instance]
>   recipe = plone.recipe.zope2instance
>   #...
>   eggs =
>       ${buildout:eggs}
>       Products.Zope_Hotfix_20111024
> 
> Next, re-run the buildout::
> 
>   $ /path/to/buildout/bin/buildout
> 
> and then restart the Zope instance, e.g.:
> 
>   $ /path/to/buildout/bin/instance restart
> 
> 
> Installing the Hotfix:  Manual Installation
> -------------------------------------------
> 
> You may also install this hotfix manually.  Download the tarball from
> the PyPI page:
> 
>  http://pypi.python.org/pypi/Products.Zope_Hotfix_20111024
> 
> Unpack the tarball and add a 'products' key to the 'etc/zope.conf' of
> your instance.  E.g.::
> 
>   products /path/to/Products.Zope_Hotfix_20111024/Products
> 
> and restart.
> 
> 
> Verifying the Installation
> --------------------------
> 
> After restarting the Zope instance, check the
> 'Control_Panel/Products' folder in the Zope Management Interface,
> e.g.:
> 
>   http://localhost:8080/Control_Panel/Products/manage_main
> 
> You should see the 'Zope_Hotfix_20111024' product folder there.
> 
> 
> 
> Tres.
> 
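
Added example (not part of the original thread and not Zope project code): a small triage helper that places a Zope2 version against the ranges stated in the README and checks whether a buildout.cfg lists the hotfix egg. The function names, the status strings and the sample buildout.cfg are assumptions made for illustration; versions between the stated affected ceiling and the named unaffected release are reported as "unlisted" because the README does not classify them.

```python
import configparser
import re

HOTFIX = "Products.Zope_Hotfix_20111024"
# series -> (highest affected patch level, first unaffected patch level), per the README
RANGES = {(2, 12): (20, 21), (2, 13): (6, 11)}

def classify(version):
    """Place a Zope2 'X.Y.Z' version string against the README's stated ranges."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError("expected X.Y.Z, got %r" % version)
    major, minor, patch = map(int, m.groups())
    if (major, minor) < (2, 12):
        return "not-vulnerable"   # "Older releases ... are not vulnerable"
    if (major, minor) not in RANGES:
        return "unlisted"         # series the README does not mention
    last_bad, first_good = RANGES[(major, minor)]
    if patch <= last_bad:
        return "affected"
    if patch >= first_good:
        return "unaffected"
    return "unlisted"             # between the two bounds the README gives

def hotfix_in_buildout(cfg_text, part="instance"):
    """True if the hotfix egg appears in the 'eggs' option of the given part."""
    cp = configparser.ConfigParser(interpolation=None)  # keep ${buildout:eggs} literal
    cp.read_string(cfg_text)
    return cp.has_option(part, "eggs") and HOTFIX in cp.get(part, "eggs").split()

def triage(version, cfg_text, part="instance"):
    """Combine the version status with the buildout configuration check."""
    status = classify(version)
    if status != "affected":
        return status
    if hotfix_in_buildout(cfg_text, part):
        return "affected, hotfix configured (upgrade still recommended)"
    return "affected, hotfix not configured"

# Constructed sample buildout.cfg, following the layout shown in the README
SAMPLE_CFG = """\
[instance]
recipe = plone.recipe.zope2instance
eggs =
    ${buildout:eggs}
    Products.Zope_Hotfix_20111024
"""

if __name__ == "__main__":
    print(triage("2.12.20", SAMPLE_CFG))
```

This only inspects configuration: the buildout must still be re-run and the instance restarted, and the Control_Panel/Products check from the README is what confirms the running instance has loaded the hotfix.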