Bug#692899: zope2.12: [CVE-2012-5485 to 5508] Multiple vectors corrected within 20121106 fix
Julien Cristau
jcristau at debian.org
Sun Jan 27 13:49:51 UTC 2013
On Mon, Nov 26, 2012 at 18:53:58 +0900, Arnaud Fontaine wrote:
> Tres Seaver <tseaver at palladion.com> writes:
>
> >> * CVE-2012-5505 (zope.traversing: atat.py)
> >> http://plone.org/products/plone/security/advisories/20121106/21
> >
> > That "fix" is also disputed: hiding the "default" view from the '@@'
> > name does not actually improve security at all. There is a Launchpad
> > bug where it is being debated (#1079225), but that bug is still in
> > "Private Security" mode. The correct fix is to change the code of the
> > multi-adapter to barf if published via a URL.
>
> Any idea when this patch will be released? Thanks.
>
Is there any news on that issue?
Cheers,
Julien