Hotfix 2005-10-09 Alert
This hotfix addresses an important security issue that affects users of Zope
versions 2.6 or higher.
This hotfix resolves a security issue with docutils.
Affected are possibly all Zope instances that expose RestructuredText
functionalities to untrusted users through the web.
net-zope herd, please apply hotfix
Also in :
zope team, please bump. If you find what is the impact of the flaw please comment.
will do today.
fixed in portage with two new versions 2.7.8 and 2.8.2 which contain fixes for
2.6.x is not supported, we have no information if this can be even patched.
Arches please test and mark stable.
Hmm which version? 2.7.8 or 2.8.2?
Latest stable was 2.7.7, so 2.7.8 should probably be the stable target.
Not sure what this is about. Can't find anything clear in the Changelog... Maybe
<<disabled ".. include" directive for all the ZReST product and the
Looks like a file inclusion issue... maybe local file disclosure?
Radoslaw, any info?
I think we can provide general information about file inclusion, but give a
clear info that this allows to break security of the zope to untrusted users
through the web.
I also need to release 2.8.3 tonight, because there were some problems on
zope2.8.2 release (http://www.zope.org/Products/Zope/2.8.3/CHANGES.txt)
I suggest that advisory mention also that for 2.8.x branch upgrade to the 2.8.3
should be done.
stable on x86
Radoslaw: removing/masking the 2.8.2 version is the best way to achieve the
result from comment #14.
Technically >=2.8.2 is fixed (security-wise) so that's probably what we'll put
in the GLSA. They will pick up 2.8.3 naturally if 2.8.2 is missing...
amd64 still missing, should mark 2.7.8 stable
amd64 stable, sorry for the delay