On Mon, Nov 26, 2012 at 18:53:58 +0900, Arnaud Fontaine wrote:
> Tres Seaver <tsea...@palladion.com> writes:
>
> >> * CVE-2012-5505 (zope.traversing: atat.py)
> >>   http://plone.org/products/plone/security/advisories/20121106/21
> >
> > That "fix" is also disputed: hiding the "default" view from the '@@'
> > name does not actually improve security at all. There is a Launchpad
> > bug where it is being debated (#1079225), but that bug is still in
> > "Private Security" mode. The correct fix is to change the code of the
> > multi-adapter to barf if published via a URL.
>
> Any idea when this patch will be released? Thanks.
>

Is there any news on that issue?

Cheers, Julien