Comment 9 for bug 848807

Tres Seaver (tseaver) wrote : Re: [Bug 848807] Re: Anonymous arbitrary shell execution possible via URL

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/22/2011 04:24 AM, Hanno Schlichting wrote:

> Tres, thanks a lot for the work!
>
> Since this is such a serious vulnerability, the Plone security team
> would like to hold off the hotfix release a bit and do a
> pre-announcement. So all vendors get a chance to plan and prepare for
> deploying the hotfix.

That is exactly the reason *not* to hold off -- we should be putting out
the hotfix and new releases ASAP, because of its seriousness.

> We'll do a pre-announcement of the upcoming patch, to be released on
> Tuesday October 4. And then we can handle the actual release of the
> code on that day. I can take care of the Zope-side of the hotfix
> release and also release proper new versions of Zope 2.12 and 2.13 at
> the same time.

You want to leave this unpatched for *two weeks*? That seems grossly
irresponsible to me: the Zope community *is* bigger than a set of
nervous Plone integrators, and deserves to get fixes for "zero day"
exploits out as soon as they are available.

Tres.
- --
===================================================================
Tres Seaver +1 540-429-0999 <email address hidden>
Palladion Software "Excellence by Design" http://palladion.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk57ZmIACgkQ+gerLs4ltQ5xKQCgs6UC9cxyAGmVOxU2AyK8Vcqv
bwMAoLPsPjyfORyUnvqhEM63lJv7xJ/U
=k919
-----END PGP SIGNATURE-----