Hello,

Tres Seaver <tsea...@palladion.com> writes:

>> version 2.12.21: * LP #1079238 fixes CVE 2012-5489.
>>
>> According to the upstream changelog, LP #1047318 seems to fix a
>> security bug, but I could not find it in zope2 launchpad nor anywhere
>> else.
>
> That bug was still in "Private Security" state: I have updated it to
> "Public Security", so you should be able to view it:
>
> https://bugs.launchpad.net/zope2/+bug/1047318

Thank you very much.

>> Not fixed in latest release of Zope AFAIK:
>>
>> * CVE-2012-5487 (allow_module.py)
>> http://plone.org/products/plone/security/advisories/20121106/03
>
> I don't believe that this can be a bug in Zope itself: adding
> '__roles__' to a module-scope function is pointless unless the module
> itself is importable by untrusted (TTW) code. The
> 'AccessControl.SecurityInfo' module should *certainly* not be exposed
> to untrusted code. If some other out-of-Zope-core module which is
> supposed to be importable by TTW code imports that function at module
> scope, then fix *that* module instead.

Indeed, thanks for your explanation.

>> * CVE-2012-5505 (zope.traversing: atat.py)
>> http://plone.org/products/plone/security/advisories/20121106/21
>
> That "fix" is also disputed: hiding the "default" view from the '@@'
> name does not actually improve security at all. There is a Launchpad
> bug where it is being debated (#1079225), but that bug is still in
> "Private Security" mode. The correct fix is to change the code of the
> multi-adapter to barf if published via a URL.

Any idea when this patch will be released? Thanks.

Cheers,
Arnaud Fontaine