Silva – Security vulnerability 20110928: Arbitrary Code Execution
Publication date: 4.October.2011, 18:24
Today there was a new release of Zope 2.12 and 2.13, fixing a security issue that could let people execute arbitrary code on the filesystem from any Zope 2 application without authentication. The security issue does not affect Zope 2.11 and so does not affect Silva 2.2 or earlier. Only Silva 2.3 and the 3.0 alphas are affected.
A new tag of Silva, 2.3.4, has been made today; it uses this new Zope 2 version. We recommend that all Silva 2.3 users make this update. See:
https://svn.infrae.com/buildout/silva/tag/Silva-2.3.4
Other changes
This new version of Silva also includes a new sidebar, based on the catalog, that is much faster on large sites with long sidebars. After running your buildout, you will need to either go to the ZMI and click on update content in service_extensions, or use the silvaupdate script on the filesystem. This upgrade only takes a couple of minutes, even on large sites.
More information
Pre-announcement: http://zope2.zope.org/news/security-vulnerability-announcement-cve-2011-3587
For more information, contact Sylvain Viollon: sylvain at infrae com, +31 10 243 7051.