Hotfix 2005-10-09 Alert

This hotfix addresses an important security issue in docutils that affects users of Zope 2.6 and later.

Potentially affected is any Zope instance that exposes reStructuredText functionality to untrusted users through the web.

The upcoming Zope 2.7.8 and 2.8.2 releases will fix this issue as well.

Download the hotfix from Hotfix_2005-10-09.tar.gz

Installation:

  • download the archive and extract it inside the lib/python folder of your Zope installation
  • it will replace lib/python/reStructuredText, lib/python/docutils and lib/python/Products/ZReST
  • restart Zope (no need to rebuild anything)

The hotfix is intended for Zope 2.7.4 or later and Zope 2.8.x. Since Zope 2.6 is no longer maintained, we cannot guarantee that the fix works with Zope 2.6 and Python 2.1.x.
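The installation steps above, scripted as an added example that is not part of the hotfix or of Zope: the script backs up the three packages the archive replaces, refuses archive members that are links or would land outside lib/python, removes the old package directories so no stale modules linger, extracts the archive, and then verifies that all three packages are present. The demo helpers construct a throwaway Zope-like tree and a sample tarball (constructed data, not the real Hotfix_2005-10-09.tar.gz); the hotfix-backup directory name, the stale-directory removal and the package list are choices of this example. It is written for a current Python 3 and runs outside Zope; restarting Zope afterwards (for example with the instance's bin/zopectl restart) stays a manual step.

```python
"""Added example: install a Zope hotfix tarball into lib/python with a backup and sanity checks."""
import os
import shutil
import tarfile
import tempfile
import time

# The three packages the hotfix archive replaces, relative to lib/python.
HOTFIX_PACKAGES = ("reStructuredText", "docutils", "Products/ZReST")


def _is_within(base, target):
    """True if target resolves inside base; catches '../' escapes and absolute member names."""
    base = os.path.realpath(base)
    target = os.path.realpath(target)
    return target == base or target.startswith(base + os.sep)


def check_archive(archive_path, lib_python):
    """Refuse link members and members escaping lib/python; require all three packages."""
    seen = set()
    with tarfile.open(archive_path, "r:*") as tar:
        for member in tar.getmembers():
            name = os.path.normpath(member.name)  # './docutils/x' -> 'docutils/x'
            if member.issym() or member.islnk():
                raise ValueError("refusing link member: %s" % member.name)
            if not _is_within(lib_python, os.path.join(lib_python, name)):
                raise ValueError("member escapes lib/python: %s" % member.name)
            for pkg in HOTFIX_PACKAGES:
                if name == pkg or name.startswith(pkg + "/"):
                    seen.add(pkg)
    missing = [p for p in HOTFIX_PACKAGES if p not in seen]
    if missing:
        raise ValueError("archive lacks expected packages: %s" % ", ".join(missing))


def install_hotfix(zope_home, archive_path):
    """Back up, replace and verify the three packages; return the backup directory."""
    lib_python = os.path.join(zope_home, "lib", "python")
    check_archive(archive_path, lib_python)  # validate before touching anything
    backup_root = os.path.join(zope_home, "hotfix-backup-" + time.strftime("%Y%m%d%H%M%S"))
    os.makedirs(backup_root)
    for pkg in HOTFIX_PACKAGES:
        old = os.path.join(lib_python, pkg)
        if os.path.isdir(old):
            shutil.copytree(old, os.path.join(backup_root, pkg))
            shutil.rmtree(old)  # drop stale .py/.pyc files instead of overlaying them
    with tarfile.open(archive_path, "r:*") as tar:
        tar.extractall(lib_python)
    for pkg in HOTFIX_PACKAGES:
        if not os.path.isdir(os.path.join(lib_python, pkg)):
            raise RuntimeError("package missing after extraction: %s" % pkg)
    return backup_root


def build_demo(root):
    """Constructed sample data: a fake Zope tree and a fake hotfix archive (not the real one)."""
    lib_python = os.path.join(root, "zope", "lib", "python")
    staging = os.path.join(root, "staging")
    for pkg in HOTFIX_PACKAGES:
        for base, version in ((lib_python, "old"), (staging, "hotfix")):
            os.makedirs(os.path.join(base, pkg))
            with open(os.path.join(base, pkg, "__init__.py"), "w") as f:
                f.write("VERSION = '%s'\n" % version)
    archive = os.path.join(root, "Hotfix_demo.tar.gz")
    with tarfile.open(archive, "w:gz") as tar:
        for pkg in HOTFIX_PACKAGES:
            tar.add(os.path.join(staging, pkg), arcname=pkg)
    return os.path.join(root, "zope"), archive


def run_demo():
    """Install the constructed archive; return the installed versions and whether backups exist."""
    root = tempfile.mkdtemp()
    try:
        zope_home, archive = build_demo(root)
        backup = install_hotfix(zope_home, archive)
        lib_python = os.path.join(zope_home, "lib", "python")
        versions = {}
        for pkg in HOTFIX_PACKAGES:
            with open(os.path.join(lib_python, pkg, "__init__.py")) as f:
                versions[pkg] = f.read().strip()
        backup_ok = all(os.path.isdir(os.path.join(backup, p)) for p in HOTFIX_PACKAGES)
        return versions, backup_ok
    finally:
        shutil.rmtree(root)


def demo_rejects_traversal():
    """A constructed archive whose member name climbs out of lib/python must be refused."""
    root = tempfile.mkdtemp()
    try:
        archive = os.path.join(root, "bad.tar.gz")
        with tarfile.open(archive, "w:gz") as tar:
            tar.addfile(tarfile.TarInfo("../../evil.py"))  # empty regular file, bad name
        try:
            check_archive(archive, os.path.join(root, "lib", "python"))
            return False
        except ValueError:
            return True
    finally:
        shutil.rmtree(root)
```

Run it against a real instance as install_hotfix("/path/to/zope", "Hotfix_2005-10-09.tar.gz") and keep the returned backup directory until the restarted instance renders reStructuredText correctly; the validation step runs before anything is modified, so a malformed or tampered archive leaves the installation untouched.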

Plone 2.1 sites do not appear to be affected (ATContentTypes contains extra code that appears to prevent the exploit). Older Plone 2.0 sites running older versions of ATContentTypes may be affected.

Zope 2.7.0(+?) issues

Posted by: d2m at 2005-10-10

There are some minor issues with at least Zope 2.7.0 (please add your findings with higher versions of Zope 2.7.x too):

  - ensure you create a copy of the
    lib/python/docutils, lib/python/reStructuredText and lib/python/Products/ZReST folders
    before you install the update
  - docutils now expects 2 config directives that are not available
    through zope.conf (initial-header-level and default-language-code);
    you eventually need to edit lib/python/reStructuredText/__init__.py, changing:
      - initial_header_level = getConfiguration().rest_header_level or default_level
      - default_language_code = getConfiguration().rest_language_code or default_lang
    to
      - initial_header_level = default_level
      - default_language_code = default_lang
  - some file permissions need to be changed (lib/python/Products/ZReST/zrest.gif)
  - owner and user settings of the 3 packages might need to be adjusted
    (depending on your permissions)

I found no problems hotfixing Zope 2.8.1.
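The edit described in the comment above hard-codes both values. An alternative, added here as an example and not code from Zope or from the commenter, resolves the two settings with getattr so the same reStructuredText/__init__.py import works on a Zope whose configuration object has no rest_header_level / rest_language_code attributes (as reported for 2.7.0, where zope.conf has no such directives) and still honours them where they exist. The fallback values 3 and 'en' and the _Config stand-in for what App.config.getConfiguration() returns are assumptions of this example.

```python
"""Added example: resolve the reStructuredText settings whether or not zope.conf defines them."""

# Fallbacks used when the directive is absent or empty (3 and 'en' are assumed values).
DEFAULT_LEVEL = 3
DEFAULT_LANG = "en"


def rest_settings(config):
    """Return (initial_header_level, default_language_code) for a configuration object.

    getattr with a default makes this work on a configuration object that has no
    rest_header_level / rest_language_code attributes at all, as well as on one
    that has them; None or empty values also fall back to the defaults.
    """
    level = getattr(config, "rest_header_level", None) or DEFAULT_LEVEL
    lang = getattr(config, "rest_language_code", None) or DEFAULT_LANG
    return level, lang


class _Config(object):
    """Stand-in for the object getConfiguration() returns (constructed for this demo)."""

    def __init__(self, **attrs):
        self.__dict__.update(attrs)


# Older schema: the attributes do not exist, so the hard failure becomes a fallback.
initial_header_level, default_language_code = rest_settings(_Config())
# Newer schema with both directives set in zope.conf: the configured values win.
overridden = rest_settings(_Config(rest_header_level=2, rest_language_code="de"))
```

Dropping this into __init__.py in place of the two getConfiguration() lines keeps one file working across the 2.7.0 and 2.7.4+ configuration schemas instead of maintaining a per-version edit.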