Ryan, Thanks for the quick work on resolving this. :-)
Ric

On Jul 24, 2009, at 10:15 AM, <ryan_per...@mcafee.com> wrote:

> Ok, the final analysis is as follows:
>
> We had an incorrect version regex that matched 2.10 the same as 2.1. This issue seems to only affect zope version 2.0 through 2.5.01. This led to the vulnerability showing up with recent versions of zope being scanned.
>
> We are fixing both the regex and the suggested fix. The new suggested fix will be to update to the appropriate version of zope (in this case, post 2.5.01), not to replace it with something else. This fix should be updated within the next week or so.
>
> If you have any further questions pertaining to McAfee (or Foundstone) security reports, please feel free to contact me directly, or via secur...@mcafee.com. I am not a full time member of this list, so I may not see any replies or questions made only to the list.
>
>
> -----Original Message-----
> From: Permeh, Ryan
> Sent: Friday, July 24, 2009 9:53 AM
> To: li...@zopyx.com
> Cc: zope@zope.org
> Subject: RE: [Zope] HTTP Request Denial of Service Vulnerability
>
> It is not related to the specified hotfix. I'm getting details now, but this is how it seems:
> 1. this is from the Foundstone product, not a public advisory. The Foundstone product is a vulnerability scanner, and it seems that it feels that the original poster's site is vulnerable to the stated issue.
> 2. The vulnerability check was written and published in 2002.
> 3. I am looking into details regarding both what the details of this issue originally were, and what we look for to trigger its existence.
>
> This leads to a couple observations.
>
> 1. This is likely a false positive, unless the original poster was running ridiculously old software.
> 2. We will fix the check logic or remove the check entirely. Checks this old rarely add much value to the product.
> 3. In any case, if the check stays, we will update the text. I'm not sure who wrote the original text in 2002, but it obviously doesn't apply now.
>
>
> -----Original Message-----
> From: Andreas Jung [mailto:li...@zopyx.com]
> Sent: Friday, July 24, 2009 9:43 AM
> To: Permeh, Ryan
> Cc: zope@zope.org
> Subject: Re: [Zope] HTTP Request Denial of Service Vulnerability
>
> Hi,
>
> On 24.07.09 18:24, ryan_per...@mcafee.com wrote:
>> I manage product security at McAfee, of which Foundstone is a part. I am not aware of releasing such an advisory, and am looking into this. Could we get details regarding where this was found? Was this posted to a web site? A security mailing list? And when was it posted? This may have a very different meaning if it was published in 2001 or something like that. Alternately, Foundstone produces vulnerability management software, was this in a report generated by that product?
>>
> I have no idea what you are talking about.
>
> We had this strange mail thread this week:
>
> http://mail.zope.org/pipermail/zope/2009-July/175308.html
>
> related to this hotfix
>
> http://www.zope.org/Products/Zope/Hotfix-2008-08-12
>
> Now how is this related to "HTTP Request Denial of Service Vulnerability" ???
>
> I can not find anything related to the subject within the list of our hotfixes (which is pretty small since 2000):
>
> _______________________________________________
> Zope maillist - Zope@zope.org
> http://mail.zope.org/mailman/listinfo/zope
> ** No cross posts or HTML encoding! **
> (Related lists -
> http://mail.zope.org/mailman/listinfo/zope-announce
> http://mail.zope.org/mailman/listinfo/zope-dev )
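As an added illustration of the regex bug Ryan describes (this is example code written for this page, not code from the thread or from McAfee/Foundstone), the following puts a prefix-matching check that treats 2.10 like 2.1 next to a numeric version comparison over the thread's affected range 2.0 through 2.5.01. The banner format and the sample banners are constructed assumptions; the point is that a scanner finding should be verified against the actual parsed version before anyone acts on it.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample Server banners (assumption: the scanner keys on a banner of
# the form "Zope/(Zope <version>, ...)"), mapped to whether the thread's affected
# range "2.0 through 2.5.01" actually covers them.
BANNERS: Dict[str, bool] = {
    "Zope/(Zope 2.1.0, python 1.5.2, linux2) ZServer/1.1b1": True,
    "Zope/(Zope 2.5.01, python 2.1.3, linux2) ZServer/1.1b1": True,
    "Zope/(Zope 2.6.0, python 2.1.3, linux2) ZServer/1.1b1": False,
    "Zope/(Zope 2.10.7-final, python 2.4.4, linux2) ZServer/1.1": False,
    "Zope/(Zope 2.12.3, python 2.6.2, linux2) ZServer/1.1": False,
}

# The class of bug described in the thread: nothing terminates the minor
# number, so "2.1" also matches the start of "2.10" and "2.12".
BUGGY_RE = re.compile(r"Zope 2\.[0-5]")

def buggy_is_vulnerable(banner: str) -> bool:
    return BUGGY_RE.search(banner) is not None

# Fixed check: capture the whole dotted version and compare it numerically,
# so "01" parses as 1 and 10 is greater than 5 instead of a prefix match on "1".
VERSION_RE = re.compile(r"Zope (\d+(?:\.\d+)*)")
FIRST_AFFECTED = (2, 0)
LAST_AFFECTED = (2, 5, 1)  # the thread's "2.5.01", parsed as integers

def parse_version(banner: str) -> Optional[Tuple[int, ...]]:
    m = VERSION_RE.search(banner)
    if m is None:
        return None
    return tuple(int(part) for part in m.group(1).split("."))

def fixed_is_vulnerable(banner: str) -> bool:
    version = parse_version(banner)
    if version is None:
        return False  # not a Zope banner: report nothing rather than guess
    return FIRST_AFFECTED <= version <= LAST_AFFECTED

def false_positives() -> list:
    """Banners the prefix regex flags that the numeric comparison clears."""
    return [b for b in BANNERS if buggy_is_vulnerable(b) and not fixed_is_vulnerable(b)]

if __name__ == "__main__":
    for banner, expected in BANNERS.items():
        print(f"{banner[:30]:32} buggy={buggy_is_vulnerable(banner)!s:5} "
              f"fixed={fixed_is_vulnerable(banner)!s:5} expected={expected}")
```

Running it shows the two modern 2.10 and 2.12 banners flagged only by the prefix regex, which is exactly the false positive reported on the list.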