Mailing List Archive

Zope and security vulnerability: 20121106
Hi,

Is a standard Zope affected by this security vulnerability, or only if
Plone is installed:

http://plone.org/products/plone/security/advisories/20121106-announcement

The patch replaces some basic classes, therefore it looks to me that
Zope itself without any Plone is vulnerable too. If so, is there a hotfix
for Zope or a new Zope version which fixes these bugs?

Ciao
Marcus


_______________________________________________
Zope maillist - Zope@zope.org
https://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
https://mail.zope.org/mailman/listinfo/zope-announce
https://mail.zope.org/mailman/listinfo/zope-dev )
Re: Zope and security vulnerability: 20121106

You can just apply the Plone hotfix for Zope-only installations. The
Plone patches are not applied then.

Johannes



--
programmatic web development
di(fh) johannes raggam / thet
python plone zope development
mail: office@programmatic.pro
web: http://programmatic.pro
http://bluedynamics.com
Re: Zope and security vulnerability: 20121106

The affected versions go back a long time. I don't know exactly,
but people have used it successfully with Plone 2.1 (from ancient
times) and I have patched Zope 2.8 instances too.


On 11/11/2012 09:43 PM, Allen Schmidt wrote:
> For which zope versions?

--
programmatic web development
di(fh) johannes raggam / thet
python plone zope development
mail: office@programmatic.pro
web: http://programmatic.pro
http://bluedynamics.com
Re: Zope and security vulnerability: 20121106
So, to clarify, does this affect plain Zope 2.10, no Plone?

Rich
Re: Zope and security vulnerability: 20121106
On Monday, 12.11.2012, 12:07 +0000, Richard Harley wrote:
> So, to clarify, does this affect plain Zope 2.10, no Plone?

That's still the question to me ;)

Ciao!


Re: Zope and security vulnerability: 20121106
On Mon, Nov 12, 2012 at 5:31 AM, Marcus Schopen <lists@localguru.de> wrote:

> On Monday, 12.11.2012, 12:07 +0000, Richard Harley wrote:
> > So, to clarify, does this affect plain Zope 2.10, no Plone?
>
> That's still the question to me ;)


Why not try installing the product and running your instance in the
foreground? If anything breaks, comment out any specific inapplicable
hotfix in __init__.py. A brief look at the source will tell you that it is
unlikely you should need to do this, as conditional imports check what to
apply.

Sean
Re: Zope and security vulnerability: 20121106
On Monday, 12.11.2012, 11:13 -0700, Sean Upton wrote:
> Why not try product installation and running your instance in the
> foreground. If anything breaks, comment out any specific inapplicable
> hotfix in __init__.py. A brief look at the source will tell you that
> it is unlikely you should need to do this, as conditional imports
> check what to apply.

Yes, we can all go the long way of trial and error and code inspection ...
without knowing anything for sure in the end.

Ciao!



Re: Zope and security vulnerability: 20121106

From the security announcement page:
https://plone.org/products/plone/security/advisories/20121106-announcement

"This patch is compatible with all supported Plone versions (i.e.
Plone 3 and Plone 4), it may work on earlier versions of Plone, but as
these are unsupported they have had less testing done."

So probably Zope versions from 2.10.11 onwards are supported. See:
http://dist.plone.org/release/3-latest/versions.cfg

Other versions are UNSUPPORTED. If you really need to know which versions
exactly are affected, you HAVE to find out yourself, either by trying
it out in a test environment or by analyzing the whole commit history
of the affected modules in Zope.

People reported successful patching of Plone 2.1 and I patched a Zope
2.8 instance too. But this is informal, not an official statement.





--
programmatic web development
di(fh) johannes raggam / thet
python plone zope development
mail: office@programmatic.pro
web: http://programmatic.pro
http://bluedynamics.com
Re: Zope and security vulnerability: 20121106
Hi!

I successfully applied these hotfixes to Zope 2.13 versions
without any problems. What puzzles me though is why there was
no announcement for these fixes here on the Zope ML. Or are these
fixes not critical for pure Zope2 users? Or are these all fixed
in the latest version of Zope2?

kind regards,
Jürgen


--
>> XLhost.de ® - Web hosting from super small to eXtra Large <<

XLhost.de GmbH
Jürgen Herrmann, Managing Director
Boelckestrasse 21, 93051 Regensburg, Germany

Managing Director: Jürgen Herrmann
Registered under: HRB9918
VAT identification number: DE245931218

Phone: +49 (0)800 XLHOSTDE [0800 95467833]
Fax: +49 (0)800 95467830
Web: http://www.XLhost.de
Re: Zope and security vulnerability: 20121106
On Nov 13, 2012, at 10:16 , Jürgen Herrmann <Juergen.Herrmann@XLhost.de> wrote:
> I successfully applied these hotfixes to Zope 2.13 versions
> without any problems. What puzzles me though is why was there
> no announcement for theses fixes here on zope ml? Or are these
> fixes not critical for pure Zope2 users? Or are these all fixed
> in the latest version of Zope2?

There was no announcement here because those patches were prepared by Plone developers without our knowledge and announced without our knowledge. The Zope developers know as much about these patches (meaning little to nothing) as any other Zope user.

jens
Re: Zope and security vulnerability: 20121106

It was overlooked.

Quoting David Glick on [Zope-CMF] from 9-11-2012:

"""
We should have informed you earlier. There are a lot of tasks
associated with preparing a hotfix (and this one in particular covered
many vulnerabilities), and it got missed. I apologize.

In the future, what's the best place to report possible CMF security
issues? zope-cmf Launchpad?
"""



--
programmatic web development
di(fh) johannes raggam / thet
python plone zope development
mail: office@programmatic.pro
web: http://programmatic.pro
http://bluedynamics.com
Re: Zope and security vulnerability: 20121106
We are running Zope 2.13.10. (So this may not be too helpful.) We are testing the hotfix. This is the output in our event log.

2012-11-14T10:16:49 INFO Products.PloneHotfix20121106 Applied setHeader patch
2012-11-14T10:16:49 INFO Products.PloneHotfix20121106 Applied allow_module patch
2012-11-14T10:16:49 INFO Products.PloneHotfix20121106 Applied get_request_var_or_attr patch
2012-11-14T10:16:49 WARNING Products.PloneHotfix20121106 Could not apply gtbn
2012-11-14T10:16:49 WARNING Products.PloneHotfix20121106 Could not apply membership_tool
2012-11-14T10:16:49 WARNING Products.PloneHotfix20121106 Could not apply queryCatalog
2012-11-14T10:16:49 WARNING Products.PloneHotfix20121106 Could not apply uid_catalog
2012-11-14T10:16:49 WARNING Products.PloneHotfix20121106 Could not apply renameObjectsByPaths
2012-11-14T10:16:49 WARNING Products.PloneHotfix20121106 Could not apply at_download
2012-11-14T10:16:49 WARNING Products.PloneHotfix20121106 Could not apply safe_html
2012-11-14T10:16:49 INFO Products.PloneHotfix20121106 Applied python_scripts patch
2012-11-14T10:16:49 INFO Products.PloneHotfix20121106 Applied ftp patch
2012-11-14T10:16:49 INFO Products.PloneHotfix20121106 Applied atat patch
2012-11-14T10:16:49 WARNING Products.PloneHotfix20121106 Could not apply random_string
2012-11-14T10:16:49 INFO Products.PloneHotfix20121106 Hotfix installed

Without knowing how to specifically break things I can't say if it is good to be running this or not. I'm sure a new Zope2 release will include these updates?

-Chris

--------------------------------------------------------------------
Christopher N. Deckard | Lead Web Systems Developer
cnd@ecn.purdue.edu | Engineering Computer Network
http://eng.purdue.edu/ECN/ | Purdue University
---- zlib.decompress('x\234K\316Kq((-J)M\325KM)\005\000)"\005w') ---
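An added example, not code from the thread or from the PloneHotfix20121106 package itself: a hypothetical reconstruction of the try-each-patch-and-log pattern Sean describes above, together with a small parser that reads event-log lines like the ones Chris posted and reports which patches were applied and which were skipped on a Zope-only instance. The logger name and log-line format are taken from the posted log; the patch callables and the sample log excerpt are constructed.

```python
import logging
import re

# Logger name taken from the event-log lines quoted above.
log = logging.getLogger("Products.PloneHotfix20121106")


def apply_patches(patches, disabled=()):
    """Apply (name, callable) patches in order; return (applied, skipped) names.

    Hypothetical reconstruction of the pattern Sean describes: a patch whose
    target code is absent raises ImportError and is logged as 'Could not apply',
    matching the WARNING lines in the log. `disabled` models commenting a
    patch out of __init__.py.
    """
    applied, skipped = [], []
    for name, patch in patches:
        if name in disabled:
            log.info("Skipping disabled %s patch", name)
            skipped.append(name)
            continue
        try:
            patch()
        except ImportError:
            log.warning("Could not apply %s", name)
            skipped.append(name)
        else:
            log.info("Applied %s patch", name)
            applied.append(name)
    log.info("Hotfix installed")
    return applied, skipped


def _plone_only_patch():  # constructed: target ships only with Plone
    raise ImportError("Products.CMFPlone is not installed")


def _zope_patch():  # constructed: target exists in plain Zope2
    return None


LINE_RE = re.compile(
    r"^\S+ (INFO|WARNING) Products\.PloneHotfix20121106 "
    r"(?:Applied (?P<applied>\S+) patch|Could not apply (?P<skipped>\S+))$"
)


def parse_event_log(text):
    """Return ({applied patch names}, {skipped patch names}) from event-log text."""
    applied, skipped = set(), set()
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:  # e.g. the final 'Hotfix installed' line
            continue
        if m.group("applied"):
            applied.add(m.group("applied"))
        else:
            skipped.add(m.group("skipped"))
    return applied, skipped


# Constructed sample: an excerpt of the event log Chris posted for Zope 2.13.10.
SAMPLE_LOG = """\
2012-11-14T10:16:49 INFO Products.PloneHotfix20121106 Applied setHeader patch
2012-11-14T10:16:49 INFO Products.PloneHotfix20121106 Applied allow_module patch
2012-11-14T10:16:49 WARNING Products.PloneHotfix20121106 Could not apply gtbn
2012-11-14T10:16:49 WARNING Products.PloneHotfix20121106 Could not apply safe_html
2012-11-14T10:16:49 INFO Products.PloneHotfix20121106 Applied python_scripts patch
2012-11-14T10:16:49 INFO Products.PloneHotfix20121106 Hotfix installed
"""
```

Running `parse_event_log` over a full event log gives a quick inventory of which hotfix components actually took effect on a given instance, which is the information the thread was asking for.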


