Hotfix 2005-10-09 Alert
This hotfix resolves a security issue with docutils.
Affected are possibly all Zope instances that expose RestructuredText functionalies to untrusted users through the web.
The upcoming Zope 2.7.8 and 2.8.2 releases will fix this issue as well.
Download the hotfix from Hotfix_2005-10-09.tar.gz
- download the archive and extract it inside the lib/python folder of your Zope installation
- it will replace
- restart Zope (no need to rebuild anything)
The hotfix is supposed to work with Zope 2.7.4 or higher and Zope 2.8.X. Since Zope 2.6 is no longer maintainted we can not guarantee that the fix will work for Zope 2.6 and Python 2.1.X.
Plone sites running Plone 2.1 do not seem to be affected (there seems to be extra code in ATContentTypes preventing the exploit). Older Plone 2.0 sites running older versions of ATContentTypes might be affected.
Zope2.7.0(+?) issuesPosted by: d2m at 2005-10-10
there are some minor issues with at least Zope2.7.0 (please add your findings with higher versions of zope2.7.x too):
- ensure you create a copy of the lib/python/docutils|reStructuredText|Products/ZRest folders before you install the update - docutils now expects 2 config directives that are not available through zope.conf (initial-header-level and default-language-code) - you eventually need to edit lib/python/reStructuredText/__init__.py changing: - initial_header_level = getConfiguration().rest_header_level or default_level - default_language_code = getConfiguration().rest_language_code or default_language **to** - initial_header_level = default_level - default_language_code = default_lang - some file-permissions need to be changed (lib/python/Products/ZRest/zrest.gif) - owner and users settings of the 3 packages might be adjusted (depending on your permissions)
I found no problems with hotfixing Zope2.8.1