Silva Security Alert 2005.02.02

2 february 2005 – Infrae has discovered a severe security bug in Silva, which potentially allows untrusted users to alter live images and files (all listed versions), as well as alter the draft state of Silva Documents (in versions 0.9.3 and above). If your organisation is running Silva we strongly recommend an upgrade as soon as possible.

The problem has been found in all Silva versions currently in use. We’ve fixed it in our version control repository for the following major versions:

• Silva 1.2 (under development)
• Silva 1.1
• Silva 1.0
• Silva 0.9.3
• Silva 0.9.2
• Silva 0.9.1

The recommended way to fix this problem is to upgrade to a new bugfix releases for the major version of Silva that you are running. We have made bugfix releases of the affected Zope products available.

For versions of Silva 0.9.1 and 0.9.2, only an upgrade of the Silva product itself is necessary. For versions of Silva 0.9.3 and up, an upgrade of both the Silva and SilvaDocument products is needed. Only these products need upgrading.

If you have any questions or special requirements concerning your upgrade, please contact Infrae.

We apologize in advance for any inconvience.

Bugfix versions of Silva and SilvaDocument can be downloaded in the Silva and SilvaDocument download areas on infrae.com.

Bugfixed versions are:

0.9.1

Silva-0.9.1.13.tgz

0.9.2

Silva-0.9.2.8.tgz

0.9.3

Silva-0.9.3.7.tgz

SilvaDocument-0.9.3.8.tgz

1.0

Silva-1.0.3.tgz

SilvaDocument-1.0.3.tgz

1.1

Silva-1.1.2.tgz

SilvaDocument-1.1.2.tgz

The beta version of Silva 1.2, already released, also contains the fixes.

Quick installation instructions

To install this bugfix release, first remove the old Silva Product, unpack the .tgz file for your current Silva version in the Zope Products directory and restart Zope. If you're running 0.9.3, 1.0 or 1.1, you should also replace the SilvaDocument product with the updated version.