[Framework-Team] security hole in zope 2.10.4
Andreas Zeidler
az at zitc.de
Wed Jul 11 23:03:30 UTC 2007
hi guys,
i think i just found a pretty nasty security issue in zope 2.10.4,
see http://mail.zope.org/pipermail/zope-dev/2007-July/029590.html for
a more detailed explanation. the bug gives you completely
unrestricted access in all view templates, which is probably not what
we want, even though they cannot be changed ttw. well, actually i
haven't tried customizing them, but this actually should work...
anyway, if this turns out to hold true, i think we should either go
back to 2.10.3 for our rc1 or wait until this issue is fixed -- in
any case we shouldn't use 2.10.4 as is, imho. what do you think?
cheers,
andi
--
zeidler it consulting - http://zitc.de/ - info at zitc.de
friedelstraße 31 - 12047 berlin - telefon +49 30 25563779
pgp key at http://zitc.de/pgp - http://wwwkeys.de.pgp.net/
sprint with us! - http://plone.org/events/sprints/potsdam-sprint-2007