Security issue in Grok: please upgrade!
=======================================
December 12, 2008.

The Grok team encountered a serious security issue that exposes Grok
installations to attacks that erase data as well as remote denial of service
attacks. We *strongly* urge people to upgrade to newer versions of Grok
immediately. We have supplied new bug fix releases of Grok for Grok 0.11 up to
the recent release, Grok 0.14.

Only projects that use Grok directly are affected by this security issue. If
your Zope 3 project uses the ``grokcore.*`` libraries or if you use
``five.grok`` on Zope 2, there is no security problem.

How to upgrade Grok?
--------------------

We give instructions that you can apply in your Grok projects. Please run
``buildout`` after making the changes - this will download the fixed version
of Grok. After this restart your server!

The upgrade instructions assume two possible installation methods:

* Old versions of ``grokproject`` generated projects that only include the
  ``extends=`` line in ``buildout.cfg``, and updating that line to point to a
  newer version of Grok is sufficient.

* Newer versions of ``grokproject`` create projects that require you to modify
  ``versions.cfg``. There is also a line pointing to a Grok version in the
  ``eggbasket`` section in ``buildout.cfg``. While this is a download
  optimization only, we still recommend you update that line as well.

Grok 0.14: upgrade to Grok 0.14.1
---------------------------------

In the file ``versions.cfg`` change the line::

  grok = 0.14

to this::

  grok = 0.14.1

If you have no ``versions.cfg``, go to your project's ``buildout.cfg`` and
adjust this line::

  extends = http://grok.zope.org/releaseinfo/grok-0.14.cfg

to this::

  extends = http://grok.zope.org/releaseinfo/grok-0.14.1.cfg

While not strictly required, we also recommend you modify the following line
in the ``[eggbasket]`` section (if present)::

  url = http://grok.zope.org/releaseinfo/grok-eggs-0.14.tgz

to::

  url = http://grok.zope.org/releaseinfo/grok-eggs-0.14.1.tgz

After this change, run ``buildout`` and restart the server.
This version should work properly with Python 2.4 and Python 2.5.

Grok 0.13: upgrade to Grok 0.13.1
---------------------------------

In the file ``versions.cfg`` change the line::

  grok = 0.13

to this::

  grok = 0.13.1

If you have no ``versions.cfg``, go to your project's ``buildout.cfg`` and
adjust this line::

  extends = http://grok.zope.org/releaseinfo/grok-0.13.cfg

to this::

  extends = http://grok.zope.org/releaseinfo/grok-0.13.1.cfg

While not strictly required, we also recommend you modify the following line
in the ``[eggbasket]`` section (if present)::

  url = http://grok.zope.org/releaseinfo/grok-eggs-0.13.tgz

to::

  url = http://grok.zope.org/releaseinfo/grok-eggs-0.13.1.tgz

After this change, run ``buildout`` and restart the server.

This version should work properly with Python 2.4 and Python 2.5.

Grok 0.12 and Grok 0.12.1: upgrade to Grok 0.12.2
-------------------------------------------------

In the file ``versions.cfg`` change the line::

  grok = 0.12 (or 0.12.1)

to this::

  grok = 0.12.2

If you have no ``versions.cfg``, go to your project's ``buildout.cfg`` and
adjust this line::

  extends = http://grok.zope.org/releaseinfo/grok-0.12.cfg (or grok-0.12.1.cfg)

to this::

  extends = http://grok.zope.org/releaseinfo/grok-0.12.2.cfg

While not strictly required, we also recommend you modify the following line
in the ``[eggbasket]`` section (if present)::

  url = http://grok.zope.org/releaseinfo/grok-eggs-0.12.tgz (or grok-0.12.1.cfg)

to::

  url = http://grok.zope.org/releaseinfo/grok-eggs-0.12.2.tgz

After this change, run ``buildout`` and restart the server.

Note: the integrated REST support does not function properly on Python 2.5 in
this version. It does work with the recommended version Python 2.4.
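The edit is the same operation for every release line in this announcement: change the ``grok =`` pin in ``versions.cfg`` when the project has one, otherwise the ``extends =`` line in ``buildout.cfg``, and bring the ``[eggbasket]`` tarball URL along when that section exists. The script below is an added example, not part of the announcement and not Grok's or ``grokproject``'s own tooling; it applies that edit to a project directory and reports the resulting pin so the change can be checked before ``buildout`` is run. The two sample project directories it creates are constructed for the demonstration, and the function names (``upgrade_grok_pin``, ``grok_pin_of``, ``make_samples``) are its own.

```shell
#!/bin/sh
# Added example (not Grok's own tooling): move a Grok project's release pin
# from OLD to NEW in the two buildout layouts described in the announcement.
#
#   - versions.cfg present -> rewrite "grok = OLD"                 (newer grokproject)
#   - only buildout.cfg    -> rewrite "extends = .../grok-OLD.cfg" (older grokproject)
#   - [eggbasket] present  -> rewrite grok-eggs-OLD.tgz as well    (download optimisation)
#
# Every sed script matches only the OLD value, so re-running the script is harmless.

RELEASEINFO='http://grok.zope.org/releaseinfo'

# Escape the dots in a version string so sed treats them literally.
escape_dots() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# Apply a sed script to FILE through a temp file (same behaviour on GNU and BSD sed).
rewrite() {
    file=$1; script=$2
    tmp="$file.tmp.$$"
    sed "$script" "$file" > "$tmp" && mv "$tmp" "$file"
}

# upgrade_grok_pin PROJECT_DIR OLD NEW
upgrade_grok_pin() {
    proj=$1; old=$2; new=$3
    old_re=$(escape_dots "$old")

    if [ -f "$proj/versions.cfg" ]; then
        rewrite "$proj/versions.cfg" "s/^grok *= *$old_re *\$/grok = $new/"
    elif [ -f "$proj/buildout.cfg" ]; then
        rewrite "$proj/buildout.cfg" \
            "s#^extends *= *$RELEASEINFO/grok-$old_re\\.cfg *\$#extends = $RELEASEINFO/grok-$new.cfg#"
    else
        echo "upgrade_grok_pin: no buildout.cfg in $proj" >&2
        return 1
    fi

    # The eggs tarball only speeds up downloads, but keep it in step with the pin.
    if [ -f "$proj/buildout.cfg" ] && grep -q '^\[eggbasket\]' "$proj/buildout.cfg"; then
        rewrite "$proj/buildout.cfg" "s#grok-eggs-$old_re\\.tgz#grok-eggs-$new.tgz#"
    fi
}

# grok_pin_of PROJECT_DIR -> prints the Grok release the project is pinned to.
grok_pin_of() {
    proj=$1
    if [ -f "$proj/versions.cfg" ]; then
        sed -n 's/^grok *= *\([0-9.]*\) *$/\1/p' "$proj/versions.cfg"
    else
        sed -n 's#^extends *= *.*/grok-\([0-9.]*\)\.cfg *$#\1#p' "$proj/buildout.cfg"
    fi
}

# Build two constructed sample projects under a temp dir and print its path.
make_samples() {
    work=$(mktemp -d)
    mkdir "$work/newproj" "$work/oldproj"
    # Newer layout (constructed): pin in versions.cfg, tarball URL in [eggbasket].
    printf '[buildout]\nextends = versions.cfg\n\n[eggbasket]\nurl = %s/grok-eggs-0.14.tgz\n' \
        "$RELEASEINFO" > "$work/newproj/buildout.cfg"
    printf '[versions]\ngrok = 0.14\n' > "$work/newproj/versions.cfg"
    # Older layout (constructed): only the extends line selects the release.
    printf '[buildout]\nextends = %s/grok-0.12.1.cfg\n' "$RELEASEINFO" > "$work/oldproj/buildout.cfg"
    echo "$work"
}

main() {
    work=$(make_samples)
    upgrade_grok_pin "$work/newproj" 0.14 0.14.1
    upgrade_grok_pin "$work/oldproj" 0.12.1 0.12.2
    echo "newproj pinned to: $(grok_pin_of "$work/newproj")"
    echo "oldproj pinned to: $(grok_pin_of "$work/oldproj")"
    grep '^url' "$work/newproj/buildout.cfg"
    rm -rf "$work"
}

main "$@"
```

Run ``grok_pin_of`` on a real project directory before and after the edit; once it reports the fixed release, run ``buildout`` and restart the server as the announcement describes.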
Grok 0.11 and Grok 0.11.1: upgrade to Grok 0.11.2
-------------------------------------------------

In the file ``versions.cfg`` change the line::

  grok = 0.11 (or 0.11.1)

to this::

  grok = 0.11.2

If you have no ``versions.cfg``, go to your project's ``buildout.cfg`` and
adjust this line::

  extends = http://grok.zope.org/releaseinfo/grok-0.11.cfg (or grok-0.11.1.cfg)

to this::

  extends = http://grok.zope.org/releaseinfo/grok-0.11.2.cfg

We have not released a grok-eggs-0.11.2.tgz as we never maintained such
tarball releases for Grok 0.11.

After this change, run ``buildout`` and restart the server.

Note: the integrated REST support will not function properly on Python 2.5 in
this version. It does work with the recommended version Python 2.4.

_______________________________________________
Zope-Announce maillist - Zope-Announce@zope.org
http://mail.zope.org/mailman/listinfo/zope-announce

Zope-Announce for Announcements only - no discussions

(Related lists -
 Users: http://mail.zope.org/mailman/listinfo/zope
 Developers: http://mail.zope.org/mailman/listinfo/zope-dev )