Zope.org announced a cross-site scripting vulnerability in Zope 2.7.x, but there is no Hotfix supported officially. See: http://www.zope.org/Products/Zope/Hotfix-2007-03-20/Hotfix-20070320/README.txt

The time has come that Zope 2.7.x should be FORBIDDEN. Next, I MUST change Mk/bsd.python.mk to remove Zope 2.7.x, but I don't have a certain idea for it.

Fix: Patch attached with submission follows:
State Changed From-To: open->feedback Awaiting maintainers feedback
On Mon, Apr 02, 2007 at 01:20:12AM +0000, Edwin Groothuis wrote:
> Maintainer of www/zope,
>
> Please note that PR ports/111119 has just been submitted.
>
> If it contains a patch for an upgrade, an enhancement or a bug fix
> you agree on, reply to this email stating that you approve the patch
> and a committer will take care of it.
>
> The full text of the PR can be found at:
> http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/111119

I have a problem with removing Zope 2.7 from the Portstree (what this port effectively does). As the Hotfix isn't part of the distribution and I stated several times that it shouldn't be part of the port. It's still in use and upgrading isn't straightforward.

Bye
Estartu

--
----------------------------------------------------------------------------
Gerhard Schmidt      | Nick : estartu   IRC : Estartu     |
Fischbachweg 3       |                                    | PGP Public Key
86856 Hiltenfingen   | Privat: estartu@augusta.de         | auf Anfrage/
Tel: 08232 77 36 4   | Dienst: schmidt@ze.tu-muenchen.de  | on request
Fax: 08232 77 36 3   |                                    |
Responsible Changed From-To: freebsd-ports-bugs->stefan Take.
Hi Gerhard,

marking the port FORBIDDEN does not remove it from the ports tree. It mainly tells the user that a port should not be installed. The port can still be installed by commenting out FORBIDDEN in the Makefile. If a fix for this security vulnerability is not available, the port should clearly be marked FORBIDDEN. Please see the section in the Porter's Handbook about this, too [1].

Regards,
Stefan

[1]: http://www.freebsd.org/doc/en_US.ISO8859-1/books/porters-handbook/dads-noinstall.html
stefan 2007-04-08 11:24:18 UTC

FreeBSD ports repository

Modified files:
  www/zope Makefile
Log:
  Mark FORBIDDEN due to cross-site scripting vulnerability.

  PR:           111119
  Submitted by: Yasushi Hayashi <yasi@yasi.to>

Revision  Changes  Path
1.75      +2 -0    ports/www/zope/Makefile
Please note that I have marked www/zope FORBIDDEN now. Users may still decide to install the port, but it prevents installation without knowing about the vulnerability. The FORBIDDEN mark can be removed as soon as the software isn't vulnerable after installation via the port. Regards, Stefan
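An added example, not part of this PR or of the FreeBSD ports framework: a POSIX shell check that scans a ports tree for FORBIDDEN marks and reports which installed origins are affected, treating a commented-out FORBIDDEN line as no mark at all (the case Stefan describes where a user has opted in to the risk). The tree layout, the installed-origin list and the Makefiles are constructed fixtures.

```shell
#!/bin/sh
# Assumptions (constructed): ports tree laid out as <category>/<port>/Makefile,
# and an installed-package list as "category/port" origins, one per line.

# Print the FORBIDDEN reason from a port Makefile, or nothing if unmarked.
# Only an uncommented assignment at the start of a line counts, so a user
# who commented FORBIDDEN out shows up as unmarked.
forbidden_reason() {
    # $1 = path to Makefile
    sed -n 's/^FORBIDDEN[[:space:]]*[?:]*=[[:space:]]*//p' "$1" | head -n 1
}

# Emit "origin<TAB>reason" for every installed origin whose port is FORBIDDEN.
installed_forbidden() {
    # $1 = ports tree root, $2 = file of installed origins
    while IFS= read -r origin; do
        mk="$1/$origin/Makefile"
        [ -f "$mk" ] || continue
        reason=$(forbidden_reason "$mk")
        if [ -n "$reason" ]; then
            printf '%s\t%s\n' "$origin" "$reason"
        fi
    done < "$2"
}

# --- constructed fixture: a tiny ports tree and an installed-origin list ---
TREE=$(mktemp -d)
trap 'rm -rf "$TREE"' EXIT
mkdir -p "$TREE/www/zope" "$TREE/www/other"
cat > "$TREE/www/zope/Makefile" <<'EOF'
PORTNAME=	zope
PORTVERSION=	2.7.9
FORBIDDEN=	cross-site scripting vulnerability
EOF
cat > "$TREE/www/other/Makefile" <<'EOF'
PORTNAME=	other
# FORBIDDEN=	commented out by the user, so the mark no longer applies
EOF
printf 'www/zope\nwww/other\n' > "$TREE/installed.txt"

# Report installed ports that carry a FORBIDDEN mark.
installed_forbidden "$TREE" "$TREE/installed.txt"
```

Running it prints only the www/zope line with its reason; www/other stays silent because its FORBIDDEN assignment is commented out.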
State Changed From-To: feedback->closed The port www/zope has been marked FORBIDDEN.