Mailing List Archive

Security announcement update
This is an update on today's security hotfix release.

The fix will be released at 15:00 UTC today, Tuesday 28th June, 2011
(11:00am US EDT.) Updated versions of Zope 2 containing the security
fix will be released at the same time.

For details on which versions of Zope and Plone are affected, please
see: http://plone.org/products/plone/security/advisories/20110622

For installation instructions, please see:
http://plone.org/products/plone-hotfix/releases/20110622

On behalf of the Zope and Plone security teams,

Laurence
_______________________________________________
Zope maillist - Zope@zope.org
https://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
https://mail.zope.org/mailman/listinfo/zope-announce
https://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope-dev] Security announcement update
(Tue, Jun 28, 2011 at 12:57:02PM +0100) Laurence Rowe wrote/schrieb/egrapse:
> This is an update on today's security hotfix release.

Thank you for the update, most helpful!

> The fix will be released at 15:00 UTC today, Tuesday 28th June, 2011
> (11:00am US EDT.) Updated versions of Zope 2 containing the security
> fix will be released at the same time.
>
> For details on which versions of Zope and Plone are affected, please
> see: http://plone.org/products/plone/security/advisories/20110622

It says "Zope 2.10 and 2.11 users who have not installed
PloneHotfix20110720 are not affected" - can I conclude from that,
that Zope 2.9 would not be affected either?

Regards,

Sascha

Re: [Zope-dev] Security announcement update
On Tue, Jun 28, 2011 at 15:30, Sascha Welter <zopelist@betabug.ch> wrote:
> It says "Zope 2.10 and 2.11 users who have not installed
> PloneHotfix20110720 are not affected" - can I conclude from that,
> that Zope 2.9 would not be affected either?

Indeed, Zope 2.9 is not affected, with or without the previous hotfix.

--
Martijn Pieters
Re: [Zope-dev] Security announcement update
This should be clarified too: "You should, however, make sure that you
are running either Zope 2.10.13 or Zope 2.11.8 and PluggableAuthService
1.5.5, 1.6.5 or 1.7.5 "

Why must PluggableAuthService (+ its dependencies) even be installed?

-N

On 6/28/2011 3:30 PM, Sascha Welter wrote:
> (Tue, Jun 28, 2011 at 12:57:02PM +0100) Laurence Rowe wrote/schrieb/egrapse:
>> This is an update on today's security hotfix release.
>
> Thank you for the update, most helpful!
>
>> The fix will be released at 15:00 UTC today, Tuesday 28th June, 2011
>> (11:00am US EDT.) Updated versions of Zope 2 containing the security
>> fix will be released at the same time.
>>
>> For details on which versions of Zope and Plone are affected, please
>> see: http://plone.org/products/plone/security/advisories/20110622
>
> It says "Zope 2.10 and 2.11 users who have not installed
> PloneHotfix20110720 are not affected" - can I conclude from that,
> that Zope 2.9 would not be affected either?
>
> Regards,
>
> Sascha
Re: [Zope-dev] Security announcement update
On Tue, Jun 28, 2011 at 15:40, Norbert Marrale <norbertmarrale@yahoo.com> wrote:
> Why must PluggableAuthService (+ its dependencies) even be installed?

It is a dependency of Plone itself.

--
Martijn Pieters
Re: [Zope-dev] Security announcement update
On 28 June 2011 14:40, Norbert Marrale <norbertmarrale@yahoo.com> wrote:
> This should be clarified too: "You should, however, make sure that you
> are running either Zope 2.10.13 or Zope 2.11.8 and PluggableAuthService
> 1.5.5, 1.6.5 or 1.7.5 "
>
> Why must PluggableAuthService (+ its dependencies) even be installed?

The Plone Hotfix for CVE-2011-0720 included patches to
PluggableAuthService. If you use PluggableAuthService outside of Plone
then you need to update to a release that includes that fix. If you
don't run PluggableAuthService it is not required to install it.

Laurence