Potential security issue


Ronald Jeninga

Apr 16, 2019, 7:17:39 AM
to schedulix
Dear community,

The GitHub platform notified me about a vulnerability in one of the Python packages required by Zope.

The package Jinja2 allows escaping from the sandbox it provides. This can lead to a situation in which an attacker can execute Python scripts with the privileges of the schedulix user.
For more information, see also

Vulnerable versions: < 2.10.1
Patched version: 2.10.1
In Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape.

Anyway, although we regard the risk from within the Zope application as less severe, we tested the Zope server in combination with Jinja2 2.10.1 and everything seemed to work flawlessly.
This is why we updated the requirements files, such that new installations will use the fixed version of Jinja2 instead.

If problems are found because of this change, we'll certainly try to fix them.

Those who already work with the system and have Zope 2.13.26 or 2.13.29 (or any release in between) installed can fix the problem themselves without doing a new Zope installation.

1. Log in as root
2. service schedulix-zope stop

3. Log in as schedulix
4. cd $HOME/software/Zope/bin
5. ./pip install --upgrade jinja2

6. Log in as root
7. service schedulix-zope start

For people who didn't install using the rpms, the procedure is basically the same, but the directories might be called differently.

Best regards,

Ronald
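An added example (not from Ronald's post or the schedulix project): a POSIX shell script that audits the Jinja2 version inside the Zope virtualenv against the patched 2.10.1 before running the stop/upgrade/start steps above. It assumes the pip path from the post ($HOME/software/Zope/bin/pip) and plain numeric dotted versions; `ZOPE_PIP` and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original post. Checks whether the Jinja2 installed in
# the schedulix Zope virtualenv is older than the patched 2.10.1 named in the advisory.
# Assumption: pip lives at $HOME/software/Zope/bin/pip (rpm layout from the post) and
# versions are plain numeric dotted strings such as 2.10 or 2.10.1 (no rc/dev suffixes).
PATCHED_VERSION="2.10.1"
ZOPE_PIP="${ZOPE_PIP:-$HOME/software/Zope/bin/pip}"

# version_lt A B: succeeds (returns 0) if dotted version A sorts before B.
# Compares component by component, so 2.9 < 2.10 (a plain string compare gets this wrong)
# and a missing trailing component counts as 0, so 2.10 < 2.10.1.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ "$a" = "$ai" ] && a="" || a="${a#*.}"
        [ "$b" = "$bi" ] && b="" || b="${b#*.}"
        ai="${ai:-0}"; bi="${bi:-0}"
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
    done
    return 1
}

# installed_jinja_version PIP: prints the version from a "Jinja2==X.Y.Z" line of `pip freeze`.
installed_jinja_version() {
    "$1" freeze 2>/dev/null | sed -n 's/^[Jj]inja2==//p'
}

# jinja_status VERSION: prints "vulnerable" if VERSION is below the patched release, else "patched".
jinja_status() {
    if version_lt "$1" "$PATCHED_VERSION"; then echo "vulnerable"; else echo "patched"; fi
}

# audit: runs the check against the real Zope venv. Exit 0 when patched, 1 when an upgrade
# is needed (gate the service stop / pip upgrade / service start on this), 2 if not found.
audit() {
    v=$(installed_jinja_version "$ZOPE_PIP")
    if [ -z "$v" ]; then echo "Jinja2 not found via $ZOPE_PIP" >&2; return 2; fi
    s=$(jinja_status "$v")
    echo "Jinja2 $v: $s"
    [ "$s" = "patched" ]
}

# Only run the audit when invoked as "sh audit_jinja.sh audit"; sourcing just defines the functions.
if [ "${1:-}" = "audit" ]; then audit; fi
```

Run it as the schedulix user before step 5; a non-zero exit means the upgrade is still needed.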
