Bug 141578 - net-zope/zope Arbitrary file read (CVE-2006-3458) and information disclosure
Summary: net-zope/zope Arbitrary file read (CVE-2006-3458) and information disclosure
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://cve.mitre.org/cgi-bin/cvename....
Whiteboard: B4 [noglsa] jaervosz
Keywords:
Depends on:
Blocks:
 
Reported: 2006-07-24 06:27 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2006-09-07 07:05 UTC

See Also:
Package list:
Runtime testing required: ---
Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-07-24 06:27:55 UTC
Zope 2.7.0 to 2.7.8, 2.8.0 to 2.8.7, and 2.9.0 to 2.9.3 (Zope2) does not disable the "raw" command when providing untrusted users with restructured text (reStructuredText) functionality from docutils, which allows local users to read arbitrary files.
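As an added defensive example, not code from this bug, from Zope or from docutils: a small pre-filter that flags the directives the description refers to ("raw", and "include", which reads files the same way) in untrusted reStructuredText before it reaches a renderer, together with the docutils settings overrides a renderer should set for untrusted input (raw_enabled and file_insertion_enabled are real docutils settings). The sample document, the directive list and the render_untrusted helper are constructed here; render_untrusted assumes the docutils package is installed.

```python
import re
from typing import List, Tuple

# Directives that, with docutils defaults, let a document author pull local
# file contents into the output ("raw" with :file:/:url:, "include").
# Constructed list for this example; docutils itself has no such constant.
DANGEROUS_DIRECTIVES = {"raw", "include"}

# A directive line: optional indentation, "..", blanks, a name, "::".
# Docutils lowercases directive names, so the scanner does too.
DIRECTIVE_RE = re.compile(r"^[ \t]*\.\.[ \t]+([A-Za-z][\w.-]*)[ \t]*::", re.MULTILINE)


def find_dangerous_directives(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, directive_name) for every risky directive found."""
    hits = []
    for match in DIRECTIVE_RE.finditer(text):
        name = match.group(1).lower()
        if name in DANGEROUS_DIRECTIVES:
            line_no = text.count("\n", 0, match.start()) + 1
            hits.append((line_no, name))
    return hits


# Settings overrides for docutils when the source is untrusted: refuse the
# "raw" directive entirely and refuse any file/URL insertion ("include",
# "raw :file:", "csv-table :file:"). These two option names are the real
# docutils settings behind its --no-raw and --no-file-insertion flags.
UNTRUSTED_SETTINGS = {
    "raw_enabled": False,
    "file_insertion_enabled": False,
}


def render_untrusted(text: str) -> str:
    """Render reST to an HTML body with the hardened settings (needs docutils)."""
    from docutils.core import publish_parts  # assumed installed
    parts = publish_parts(text, writer_name="html", settings_overrides=UNTRUSTED_SETTINGS)
    return parts["body"]


# Constructed sample of what an untrusted author might submit.
UNTRUSTED_SAMPLE = """\
Release notes
=============

Plain paragraph, harmless.

.. raw:: html
   :file: example-file.txt

.. include:: other-doc.rst

.. note::
   The ``note`` directive is fine.
"""

if __name__ == "__main__":
    for line_no, name in find_dangerous_directives(UNTRUSTED_SAMPLE):
        print(f"line {line_no}: '{name}' directive rejected for untrusted input")
```

The scanner is a cheap first line of defence (log and reject before rendering); the settings overrides are the actual fix, since they make docutils itself refuse the directive instead of relying on pattern matching.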
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-07-24 06:28:35 UTC
net-zope please advise and patch as necessary.
Comment 2 Radoslaw Stachowiak (RETIRED) gentoo-dev 2006-07-24 16:10:51 UTC
Unfortunately I'll be able to provide a patch/ebuild no sooner than Jul 31 (vacations). We'll need to patch it.
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2006-08-12 05:26:27 UTC
Radoslaw: back from your vacations?
Comment 4 Radoslaw Stachowiak (RETIRED) gentoo-dev 2006-08-20 12:37:48 UTC
Released 2.8.8 and 2.9.4, which contain a fix for the bug.
I think we should stable 2.8.8 and pmask 2.7
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-08-20 13:14:47 UTC
Thx Radoslaw.

Arches please test and mark stable 2.8.8 as per comment #4.
Comment 6 Radoslaw Stachowiak (RETIRED) gentoo-dev 2006-08-21 13:20:46 UTC
Due to the today-discovered http://www.zope.org/Products/Zope/Hotfix-2006-08-21/
we should probably stop before I'll be able to fix this altogether (max till Saturday).
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-08-22 22:13:07 UTC
Back to ebuild status.
Comment 8 Radoslaw Stachowiak (RETIRED) gentoo-dev 2006-08-27 10:01:09 UTC
Fixed 2.7.9 and 2.8.8.

There is no need to mask 2.7.8 now as I previously stated (because I fixed it this time), but there is a need to make 2.7.9 stable.

In summary, what is needed:
1) mark as stable zope-2.7.9 (new ebuild)
2) mark as stable zope-2.8.8 (changed ebuild, I decided against version bump because 2.8.8 was not marked as stable in portage yet)
3) issue glsa, versions NOT affected are:
zope-2.7.9 (the only stable version before the situation)
zope-2.8.8 (only after re-emerge!!!)
zope-2.9.4

Do not hesitate to ask me if something is not clear.
Comment 9 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-08-29 11:44:48 UTC
Thx Radoslaw.

Arches please test and mark stable.
Comment 10 Joshua Jackson (RETIRED) gentoo-dev 2006-08-29 21:20:50 UTC
I hate zope and plone but they are done on x86 :(
Comment 11 Gustavo Zacarias (RETIRED) gentoo-dev 2006-08-30 10:20:41 UTC
sparc stable.
Comment 12 Tobias Scherbaum (RETIRED) gentoo-dev 2006-09-01 10:20:50 UTC
ppc stable
Comment 13 Simon Stelling (RETIRED) gentoo-dev 2006-09-02 05:18:34 UTC
amd64 stable
Comment 14 Thomas Cort (RETIRED) gentoo-dev 2006-09-03 08:43:03 UTC
alpha stable.

Also marked 2.8.8 stable on amd64.
Comment 15 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-09-03 09:48:21 UTC
This one is ready for GLSA decision. I tend to vote NO.
Comment 16 Radoslaw Stachowiak (RETIRED) gentoo-dev 2006-09-03 11:05:00 UTC
If I should vote (not sure?) I think we should release a GLSA. This is a pretty serious bug (a remote one) - in fact two advisories were issued, and it happened after a long time of Zope being considered a secure app server.
Comment 17 Wolf Giesen (RETIRED) gentoo-dev 2006-09-05 06:17:28 UTC
I vote yes.
Comment 18 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-09-05 11:24:38 UTC
I vote no. This is not a critical issue. It can not corrupt a server nor execute any kind of script.
Comment 19 Thierry Carrez (RETIRED) gentoo-dev 2006-09-05 12:51:42 UTC
I tend to vote no. It's not that often that you provide restructured text functions to untrusted users?
Comment 21 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-09-05 21:09:51 UTC
Current voting status:

2 NO (½+½+1)
1 YES (+1 from net-zope)

So unless I get some YES votes today I'll close this bug with NO GLSA.
Comment 22 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-09-07 07:05:55 UTC
Closing with noglsa, feel free to reopen if blabla (I should bind a shortcut key for this).