Comment 12 for bug 848807

Matthew Wilkes (matthew-matthewwilkes) wrote : Re: [Bug 848807] Anonymous arbitrary shell execution possible via URL

On 2011-09-22, at 1746, Tres Seaver wrote:

>
> You want to leave this unpatched for *two weeks*? That seems grossly
> irresponsible to me: the Zope community *is* bigger than a set of
> nervous Plone integrators, and deserves to get fixes for "zero day"
> exploits out as soon as they are available.

Of course, and when they're available doesn't mean when they've just been implemented.

Leaving it un-patched for two weeks has three possible outcomes:

1) Someone else finds and starts exploiting this problem.
2) Someone else finds and reports this problem.
3) Nobody finds it.

If we release now, the chances of #1 rocket to certain, whereas at the moment they're very low indeed. That's the point of doing these things in secret: so we have some breathing room!

I cannot believe that there are no important Zope sites that won't have someone looking for hot fixes 24 hours a day, 365 days a year. That's utter madness. Hell, even for personal sites this is an important fix: it compromises servers, and it is grossly irresponsible to release without any warning.

Matthew