Zope.org announced a cross-site scripting vulnerability in Zope 2.7.x.
But there is no Hotfix supported officially.
The time has come that Zope 2.7.x should be FORBIDDEN.
Next, I MUST change Mk/bsd.python.mk to remove Zope 2.7.x.
But I don't have a certain idea for it.
Fix: Patch attached with submission follows:
Awaiting maintainer's feedback
On Mon, Apr 02, 2007 at 01:20:12AM +0000, Edwin Groothuis wrote:
> Maintainer of www/zope,
> Please note that PR ports/111119 has just been submitted.
> If it contains a patch for an upgrade, an enhancement or a bug fix
> you agree on, reply to this email stating that you approve the patch
> and a committer will take care of it.
> The full text of the PR can be found at:
I have a problem with removing Zope 2.7 from the ports tree (what this port
change effectively does). The Hotfix isn't part of the distribution, and as stated
several times it shouldn't be part of the port. It's still in use,
and upgrading isn't straightforward.
Gerhard Schmidt | Nick: estartu | IRC: Estartu
Fischbachweg 3, 86856 Hiltenfingen
Tel: 08232 77 36 4 | Fax: 08232 77 36 3
Private: firstname.lastname@example.org | Work: email@example.com
PGP public key on request
Marking the port FORBIDDEN does not remove it from the ports tree. It
mainly tells the user that a port should not be installed. The port can
still be installed by commenting out FORBIDDEN in the Makefile.
If a fix for this security vulnerability is not available, the port should
clearly be marked FORBIDDEN. Please see the section in the Porter's
Handbook about this, too.
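As an added illustration of the mechanism described above (this is not code from the PR thread or from the FreeBSD ports framework): a POSIX shell script that reads a port's Makefile, detects a FORBIDDEN mark, and refuses to build the port, while treating a commented-out mark as the user override the committer mentions. The Makefiles it writes are constructed samples, not the real www/zope Makefile, and the helper names (port_forbidden_reason, check_port, make_sample, demo) are this example's own; on a real FreeBSD system `make -V FORBIDDEN` in the port directory is the authoritative query.

```shell
#!/bin/sh
# Added example, not code from the PR thread or from the FreeBSD ports
# framework: refuse to build a port whose Makefile carries a FORBIDDEN mark.
# The Makefile is parsed as plain text so the script runs anywhere; on a
# FreeBSD system `make -V FORBIDDEN` in the port directory is authoritative.

# port_forbidden_reason MAKEFILE
# Prints the FORBIDDEN reason and returns 0 when the port is marked,
# returns 1 otherwise. Accepts "FORBIDDEN=" and "FORBIDDEN?=" with any
# whitespace around them. A commented-out line ("#FORBIDDEN=") does not
# count: that is exactly how a user overrides the mark, so such a port is
# reported as installable, matching the thread's description.
port_forbidden_reason() {
    reason=$(sed -n 's/^[[:space:]]*FORBIDDEN[[:space:]]*?\{0,1\}=[[:space:]]*//p' "$1" | head -n 1)
    [ -n "$reason" ] || return 1
    printf '%s\n' "$reason"
}

# check_port PORTDIR
# Returns 1 (and says why on stderr) if the port must not be built, 0 if it may.
check_port() {
    if reason=$(port_forbidden_reason "$1/Makefile"); then
        printf 'refusing to build %s: FORBIDDEN (%s)\n' "$1" "$reason" >&2
        return 1
    fi
    return 0
}

# make_sample DIR MODE   (MODE: forbidden | commented | none)
# Writes a constructed sample Makefile; the contents are illustrative only.
make_sample() {
    mkdir -p "$1"
    {
        printf 'PORTNAME=\tzope\n'
        printf 'CATEGORIES=\twww zope\n'
        if [ "$2" = forbidden ]; then
            printf 'FORBIDDEN=\tcross-site scripting vulnerability\n'
        elif [ "$2" = commented ]; then
            printf '#FORBIDDEN=\tcross-site scripting vulnerability\n'
        fi
        printf 'USE_PYTHON=\tyes\n'
    } > "$1/Makefile"
}

# Stand-alone demonstration over the three constructed ports.
demo() {
    tmp=$(mktemp -d) || return 1
    for mode in forbidden commented none; do
        make_sample "$tmp/$mode" "$mode"
        if check_port "$tmp/$mode"; then
            printf '%s: ok to build\n' "$tmp/$mode"
        fi
    done
    rm -rf "$tmp"
    return 0
}

demo
```

Running the script prints a refusal for the marked sample and "ok to build" for the other two; the commented-out case is the one to watch, since it shows that the mark is advice to the user rather than a hard block.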
stefan 2007-04-08 11:24:18 UTC
FreeBSD ports repository
Mark FORBIDDEN due to cross-site scripting vulnerability.
Submitted by: Yasushi Hayashi <firstname.lastname@example.org>

Revision  Changes  Path
1.75      +2 -0    ports/www/zope/Makefile
Please note that I have marked www/zope FORBIDDEN now. Users may still
decide to install the port, but it prevents installation without knowing
about the vulnerability. The FORBIDDEN mark can be removed as soon as the
software isn't vulnerable after installation via the port.
The port www/zope has been marked FORBIDDEN.